Using setfacl -m -d ... and setfacl -m ... have different behaviors when the ACL is assigned. Default ACLs are there to be inherited. So you have to assign ACLs when you want to give ACL permission to a user, and assign Default ACLs to inherit perms under some dir.
Explanation
First, I will create the dir /test (as root) and check its permissions:
$> mkdir /test ; ls -ld /test
#Output
drwxr-xr-x 2 root root 4096 Dec 1 17:52 test
As you can see, the group and other have no write permissions by default. Let's take a look at the difference between both setfacl commands.
Using setfacl -m guest:rwx /test
When I run that command (as root) I can see the following outputs by using the following commands:
ls -ld /test
#Output
drwxrwxr-x+ 2 root root 4096 Dec 1 17:57 test
As you can see above, the directory now has write permissions for the group. By the way, if you remove the ACLs by using setfacl --remove-all /test and then run ls -ld /test, you will notice that the /test permissions are reverted to the previous ones (drwxr-xr-x).
getfacl -e /test
#Output
# file: test
# owner: root
# group: root
user::rwx
user:guest:rwx #effective:rwx
group::r-x #effective:r-x
mask::rwx
other::r-x
I used getfacl -e to print all effective rights, which are important to know how the ACLs work.
Now I will try to create a file under the /test directory with the guest and edgar users:
(user:guest)> touch /test/fuzz
#All is ok!
(user:edgar)> touch /test/buzz
#touch: cannot touch '/test/buzz': Permission denied
You can notice that the guest user was able to create the /test/fuzz file while edgar was not. That behavior is correct because of the ACL assigned to guest.
Using setfacl -dm guest:rwx /test
In my case the syntax setfacl -m -d guest:rwx /test is not valid (I'm using openSUSE Tumbleweed). You can also use setfacl -m d:guest:rwx /test.
Now running the command with Default ACLs I have the following:
ls -ld /test
drwxr-xr-x+ 2 root root 4096 Dec 1 18:39 test
getfacl -e /test
# file: test
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:guest:rwx #effective:rwx
default:group::r-x #effective:r-x
default:mask::rwx
default:other::r-x
As you can see now, the /test directory has no write permissions for the group. And by using getfacl ... I get that the default guest user has rwx permissions, but as I said before they are only there to be inherited. So if in your case you want the dog user to be able to write to the /test dir, use: setfacl -m dog:rwx /test.
About Default ACLs or inherited ACLs
- I will set the following ACL and Default ACL:
#ACL
setfacl -m guest:rwx /test
#Default ACL
sudo setfacl -dm guest:r /test
- Now I will create a directory under /test as the guest user:
(user:guest) /test: mkdir only_r
(user:guest) /test: ls -ld only_r
drwxr-xr-x+ 2 guest guest 4096 Dec 1 19:19 only_r/
(user:guest): getfacl -e only_r
# file: only_r/
# owner: guest
# group: guest
user::rwx
user:edgar:r-- #effective:r--
user:guest:r-- #effective:r--
group::r-x #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:edgar:r-- #effective:r--
default:user:guest:r-- #effective:r--
default:group::r-x #effective:r-x
default:mask::r-x
default:other::r-x
- Now I will try to change to the only_r dir and create a file:
(user:guest) /test: cd only_r
(user:guest) /test/only_r: touch fuzz
(user:guest) /test/only_r: ls
fuzz
As you can see above, I was able to change to only_r and create a file although the ACLs do not have execute and write permissions (if a directory does not have execute perms then I cannot cd to it). However this behavior is correct because the Unix permissions and the owner (drwxr-xr-x+ 2 guest guest) allow the guest user to cd to and create files in /test/only_r.
- Finally, with the edgar user I will try to cd to /test/only_r and create some file:
(user:edgar) : cd /test/only_r
cd: permission denied: /test/only_r
(user:edgar) : echo jaja > only_r/fuzzbuzz
permission denied: only_r/fuzzbuzz
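An added example in Python, not part of the answer above: it parses getfacl -e style output like the listings in the answer, applies the mask to get the effective rights, and simulates how a default ACL is copied into the access ACL of a new directory (mkdir, mode 0777) or file (touch, mode 0666), which is what the only_r listing shows. The helper names and the sample ACL text are my own, assembled from the answer's output.

```python
# Added example: parse getfacl output, apply mask::, simulate default-ACL inheritance.
# Sample below is constructed from the answer's getfacl output for /test (access + default ACL).
TEST_DIR_ACL = """\
# file: test
user::rwx
user:guest:rwx #effective:rwx
group::r-x #effective:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:edgar:r-- #effective:r--
default:user:guest:r-- #effective:r--
default:group::r-x #effective:r-x
default:mask::r-x
default:other::r-x
"""

def parse_acl(text):
    """getfacl lines -> (tag, qualifier, perms, is_default); '#' comments are dropped."""
    entries = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line:
            is_default = line.startswith("default:")
            tag, qual, perms = (line[8:] if is_default else line).split(":")
            entries.append((tag, qual, perms, is_default))
    return entries

def and_perms(a, b):
    """Bitwise AND of two rwx strings: and_perms('rwx', 'r-x') == 'r-x'."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))

def effective(entries):
    """Access ACL after the mask: named users, named groups and group:: are capped by mask::."""
    access = [(t, q, p) for t, q, p, d in entries if not d]
    mask = next((p for t, q, p in access if t == "mask"), None)
    capped = lambda t, q: (t == "user" and q) or t == "group"
    return [(t, q, and_perms(p, mask) if mask and capped(t, q) else p) for t, q, p in access]

def inherit(parent, mode, is_dir):
    """Access ACL a new child gets from the parent's default ACL. The creating call's mode
    (0777 for mkdir, 0666 for touch) caps user::, mask:: (group:: if there is no mask) and
    other::; the umask is not applied when a default ACL exists."""
    defaults = [(t, q, p) for t, q, p, d in parent if d]
    mask_tag = "mask" if any(t == "mask" for t, q, p in defaults) else "group"
    rwx = lambda s: "".join(c if (mode >> s) & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))
    cap = {"user": rwx(6), mask_tag: rwx(3), "other": rwx(0)}
    child = [(t, q, and_perms(p, cap[t]) if t in cap and not q else p, False) for t, q, p in defaults]
    if is_dir:  # a new directory also copies the default ACL so it keeps propagating
        child += [(t, q, p, True) for t, q, p in defaults]
    return child

PARENT = parse_acl(TEST_DIR_ACL)
ONLY_R = inherit(PARENT, 0o777, True)   # mkdir /test/only_r as in the answer
FUZZ = inherit(PARENT, 0o666, False)    # touch /test/fuzz: a plain file
```

ONLY_R reproduces the only_r listing from the answer (guest ends up with effective r-- because of mask::r-x), while FUZZ shows why a file created under the same default ACL gets mask::r-- and other::r--.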