
I'm trying to set up a git server on my FreeNAS server. The problem I have is with setting up the permissions for different users/groups just as I want.

Basically I have two different groups: git-auth-user, which contains all users that should have rwx access to the directory containing all repositories (I should limit x to directories only, I'd think, but for now that's a minor detail), and git-unauth-user, which is basically just the git daemon that should hand out read-only access.

I thought that running setfacl -m "g:git-auth-user:rwx:fd:allow" git/ would work to give my git-auth-user all rights, but that doesn't happen.

From searching, it seems like the classic permissions still limit the overall permissions ACLs can hand out. Does this mean I basically have to give others full rights (i.e. chmod 777 dir)? But then I assume everybody whose rights don't get limited via ACLs would have full access as well, which is obviously not what I want.

Is there any way around having to set the classic permission rights for "other" to the most permissive I want to hand out via ACLs, or if not, is there an ACL that completely denies access to everybody who doesn't get special access rights?

Edit:

ls -la (so chmod 770 for the directory)

drwxrwx---+  2 root  wheel     2 Jun 22 23:45 git

and

$ getfacl git/
# file: git/
# owner: root
# group: wheel
group:git-auth-user:rwx-----------:fd----:allow
            owner@:rwxp--aARWcCos:------:allow
            group@:rwxp--a-R-c--s:------:allow
         everyone@:------a-R-c--s:------:allow

Now when a user of the group git-auth-user tries to generate a new directory inside the git directory I get

$ mkdir test.git
mkdir: test.git: Permission denied

On the other hand, if I use chmod -R 777 git it works just fine, but that's obviously a really bad solution because I give everybody complete access to the directory, while my dream solution would be no access for everyone except git-auth-user (i.e. my user git-ro also has write access to the directory now; I could specifically remove all rights for that user via ACLs, but this obviously doesn't scale. I'm sure there must be a better solution to this that I'm overlooking).

Voo
  • I can't speak for FreeBSD but Linux ACLs are based on the same unratified POSIX standard and they don't function that way. It wouldn't make sense to do it that way either so I'm suspecting something else is happening. You may check to see if something else is going on. There may be an ACL mask setting on the files/directories. Editing the question with the output of an example getfacl would probably be helpful. – Bratchley Jun 21 '15 at 21:36
  • @Bratchley Put the output of ls -la and getfacl as well as an example of my problem in it, hope that makes the problem clearer – Voo Jun 22 '15 at 21:50
  • Note that this thing here is an NFSv4 ACL; something completely different from POSIX ACLs. Which are supported in FreeBSD as well, but only on UFS. – Edward Tomasz Napierala Oct 10 '15 at 21:14

2 Answers

2

ACLs, if present, override the usual chmod bits. Also, NFSv4 ACLs don't have masks.

I believe the problem here is you only set 'rwx', and not 'rwxp'. The 'p' is APPEND_DATA/ADD_SUBDIRECTORY, which is what controls... well, adding subdirectories.
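To make the point above concrete, here is an added example (not code from the question or either answer) that parses the compact getfacl output posted in the question and replays the NFSv4 access decision for a given user. It models the rule ZFS applies: entries are walked in order, an "allow" entry grants whatever requested bits are still undecided, and a "deny" entry covering a still-needed bit refuses the request. The user names, group memberships, the operation-to-bit table and the `suggest_fix` helper are assumptions made for the example; root's privilege bypass and the mode bits are deliberately left out of the model.

```python
"""Replay a FreeBSD/ZFS NFSv4 ACL check against getfacl(1) output.

Added example, not code from the question or answers. Permission letters
follow FreeBSD's acl_to_text(3) ordering: r w x p D d a A R W c C o s.
The evaluation is a simplified model of ZFS's first-match-per-bit walk;
root's privilege bypass and the classic mode bits are ignored.
"""

# Bits the *directory* must grant for each operation (assumed mapping):
# mkdir needs ADD_SUBDIRECTORY, shown as 'p' (append_data); creating a
# plain file needs ADD_FILE, shown as 'w' (write_data).
NEEDED = {
    "mkdir": {"p"},
    "create_file": {"w"},
    "list": {"r"},
    "traverse": {"x"},
}

PERM_ORDER = "rwxpDdaARWcCos"   # 14 permission columns of getfacl output
FLAG_ORDER = "fdinSF"           # 6 inheritance/audit flag columns

# Constructed sample: the getfacl output from the question, verbatim.
SAMPLE_ACL = """\
# file: git/
# owner: root
# group: wheel
group:git-auth-user:rwx-----------:fd----:allow
            owner@:rwxp--aARWcCos:------:allow
            group@:rwxp--a-R-c--s:------:allow
         everyone@:------a-R-c--s:------:allow
"""


def parse_getfacl(text):
    """Return (owner, owning_group, entries) parsed from getfacl output.

    Each entry: tag ('owner@', 'group@', 'everyone@', 'user', 'group'),
    name (None for the @ tags), perms and flags as sets of letters, and
    kind ('allow' or 'deny').
    """
    owner = owning_group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition(":")
            if key == "owner":
                owner = value.strip()
            elif key == "group":
                owning_group = value.strip()
            continue
        parts = line.split(":")
        if len(parts) == 4:          # owner@ / group@ / everyone@
            tag, name = parts[0], None
            perms, flags, kind = parts[1:]
        elif len(parts) == 5:        # user:NAME / group:NAME
            tag, name, perms, flags, kind = parts
        else:
            raise ValueError("unrecognised ACL entry: %r" % raw)
        entries.append({"tag": tag, "name": name, "kind": kind,
                        "perms": {c for c in perms if c != "-"},
                        "flags": {c for c in flags if c != "-"}})
    return owner, owning_group, entries


def entry_applies(entry, user, groups, owner, owning_group):
    """Does this ACE describe the requesting subject?"""
    tag, name = entry["tag"], entry["name"]
    return (tag == "everyone@"
            or (tag == "owner@" and user == owner)
            or (tag == "group@" and owning_group in groups)
            or (tag == "user" and name == user)
            or (tag == "group" and name in groups))


def check_access(acl_text, user, groups, op):
    """True if `user` (a member of `groups`) may perform `op`."""
    owner, owning_group, entries = parse_getfacl(acl_text)
    needed = set(NEEDED[op])
    for entry in entries:
        if not needed:
            break
        if not entry_applies(entry, user, groups, owner, owning_group):
            continue
        if entry["kind"] == "deny" and entry["perms"] & needed:
            return False            # a matching deny wins for that bit
        if entry["kind"] == "allow":
            needed -= entry["perms"]
    return not needed               # every requested bit was allowed


def suggest_fix(acl_text, group_name, op, path):
    """setfacl(1) line adding the bits `op` needs to the group's allow entry,
    keeping its existing bits and inheritance flags (hypothetical helper)."""
    _, _, entries = parse_getfacl(acl_text)
    for entry in entries:
        if (entry["tag"], entry["name"], entry["kind"]) == ("group", group_name, "allow"):
            perms = "".join(c for c in PERM_ORDER if c in entry["perms"] | NEEDED[op])
            flags = "".join(c for c in FLAG_ORDER if c in entry["flags"])
            return "setfacl -m g:%s:%s:%s:allow %s" % (group_name, perms, flags, path)
    raise LookupError("no allow entry for group %s" % group_name)


if __name__ == "__main__":
    voo = ("voo", {"voo", "git-auth-user"})       # assumed member of git-auth-user
    print("voo mkdir:", check_access(SAMPLE_ACL, *voo, "mkdir"))
    print("voo create_file:", check_access(SAMPLE_ACL, *voo, "create_file"))
    print("git-ro list:", check_access(SAMPLE_ACL, "git-ro", {"git-ro"}, "list"))
    print(suggest_fix(SAMPLE_ACL, "git-auth-user", "mkdir", "git/"))
```

Run against the posted ACL, a git-auth-user member is allowed to create a file (the 'w' bit is there) but not a directory (no 'p'), which matches the `mkdir: Permission denied` in the question, while a user outside the group gets nothing beyond the attribute-read bits in everyone@. Since NFSv4 ACLs are order-dependent, after applying the suggested setfacl line check with getfacl that the rwxp entry comes before any leftover rwx entry for the same group.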

1

If you use ACLs, the classic group permissions turn into the so-called mask, which determines the maximum permissions you can effectively give per setfacl, e.g.

ls -k shows
-rw-r--r--+ root root

and you have setfacl -m g:users:rw

because the mask is only read, getfacl will show you:

group:users:rw
effective r

So set group to rw or rwx by classic chmod and you can give all permissions by setfacl.

PS.

This is Linux ACL handling; AFAIK Solaris with ZFS is a bit different, and I am not entirely sure how BSD with ZFS handles that.

Try it and post your findings here.

Uwe Burger
  • Thanks, I added some output to make my problem clearer. My problem seems to be that the mask is not computed by the group field but by whatever field would apply to the given user in classic permissions, which means I have to use the other permissions. And if I use chmod 777 I give everybody complete access to the folder and can then limit it down with ACLs - exactly the opposite of what I want (I want nobody to have rights to begin with and then add them with ACLs). – Voo Jun 22 '15 at 21:52