3

I know there are plenty of questions and answers about ACLs and permissions, but to be honest they are too weak to build any coherent understanding! It's just like a mix of unorganized information.

Hope this question will put an end to this confusion.

Problem:

On my Ubuntu 14.04 web server, I want to:

  • make all files/future_files with 640 permissions,
  • all folders/future_folders with 750 permissions,
  • AND make Admin:www-data the only default owners

My solution:

I used ACLs:

setfacl -Rdm u:admin:rwX /path/to/parent   # capital X applies the x bit to folders only
setfacl -Rdm g:www-data:rX /path/to/parent
setfacl -Rdm o::- /path/to/parent

Now already existing files and folders take the rules perfectly.

Issue:

Now I am logged in as user admin; when I make a new directory it gets 770, not 750, and when I make a new file it gets 660, not 640. Why isn't it adopting the rules!?


Here is getfacl output:

# owner: admin
# group: www-data
# flags: ss-
user::rwx
group::r-x
other::---
default:user::rwx
default:user:admin:rwx
default:group::r-x
default:group:www-data:r-x
default:mask::rwx
default:other::---

It looks like there is some conflict between the rules, although I deleted all ACLs before applying the new ones.

P.S. I remember that combining them in one command like below used to work... but it's not working now!

setfacl -Rdm u:admin:rwX,g:www-data:rwX,o::- /path/to/parent

If you know a correct short version, please don't hesitate to provide it :)

  • 2
    Check umask for the user admin, it is having a default permission of 0022. You can change it as per your requirement. – AReddy Mar 01 '16 at 13:24
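The getfacl output above is enough to work out what the kernel will do on the next mkdir or open. The following Python is an added example, not part of the question or of any answer: it parses that exact getfacl text (embedded as a constructed sample) and applies the object-creation rule from acl(5): when the parent has a default ACL, umask is not consulted at all; the new object inherits the default ACL, and the owner, other and mask entries (the group entry only if there is no mask) are ANDed with the mode the creating call asked for (0777 for mkdir, 0666 for open). ls and stat show the mask in the group position, which is why the question sees 770 and 660 even though the group entries are still r-x. The function and variable names are my own.

```python
import re

# getfacl output from the question, embedded here as a constructed sample input
GETFACL_OUTPUT = """\
# owner: admin
# group: www-data
# flags: ss-
user::rwx
group::r-x
other::---
default:user::rwx
default:user:admin:rwx
default:group::r-x
default:group:www-data:r-x
default:mask::rwx
default:other::---
"""

def perm_bits(text):
    """'r-x' -> 0o5"""
    return (4 if text[0] == "r" else 0) | (2 if text[1] == "w" else 0) | (1 if text[2] == "x" else 0)

def perm_text(bits):
    """0o5 -> 'r-x'"""
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")

def parse_default_acl(output):
    """Return the default ACL as a list of (tag, qualifier, bits); qualifier is '' for base entries."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("default:"):
            continue
        tag, qualifier, perms = line[len("default:"):].split(":")
        entries.append((tag, qualifier, perm_bits(perms)))
    return entries

def create_with_default_acl(mode, default_acl):
    """Simulate acl(5) 'Object creation and default ACLs' for a parent that has a default ACL.
    umask is deliberately absent: the kernel skips it when a default ACL exists."""
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    acl = []
    for tag, qualifier, bits in default_acl:
        if tag == "user" and qualifier == "":
            bits &= (mode >> 6) & 7          # owner entry AND owner bits of the requested mode
        elif tag == "other":
            bits &= mode & 7
        elif tag == "mask":
            bits &= (mode >> 3) & 7          # mask takes the group bits of the requested mode
        elif tag == "group" and qualifier == "" and not has_mask:
            bits &= (mode >> 3) & 7          # only without a mask does the group entry get masked
        acl.append((tag, qualifier, bits))   # named entries are copied unchanged
    return acl

def displayed_mode(acl):
    """The permission bits ls/stat report: owner, mask (or group when no mask exists), other."""
    lookup = {(tag, q): bits for tag, q, bits in acl}
    group_class = lookup.get(("mask", ""), lookup[("group", "")])
    return (lookup[("user", "")] << 6) | (group_class << 3) | lookup[("other", "")]

def effective_perms(acl, tag, qualifier=""):
    """Named users, named groups and the owning group are limited by the mask; owner and other are not."""
    lookup = {(t, q): b for t, q, b in acl}
    bits = lookup[(tag, qualifier)]
    if tag == "group" or (tag == "user" and qualifier != ""):
        bits &= lookup.get(("mask", ""), 7)
    return perm_text(bits)

def displayed_mode_for(output, mode):
    """Convenience: getfacl text + requested creation mode -> mode bits ls would show."""
    return displayed_mode(create_with_default_acl(mode, parse_default_acl(output)))
```

Run against the question's ACL, `displayed_mode_for(GETFACL_OUTPUT, 0o777)` is 0o770 and `displayed_mode_for(GETFACL_OUTPUT, 0o666)` is 0o660, while `effective_perms(...)` for `group:www-data` on the new directory is still r-x: the group never got write access, ls is showing the mask. Tightening `default:mask::rwx` to `default:mask::r-x` in the same text makes the displayed modes 0o750 and 0o640; on a real system that needs `setfacl -n` (`--no-mask`), because setfacl otherwise recomputes the mask from the entries it is given.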

2 Answers

1

I found the solution eventually; I totally forgot to update it here. The solution is the following:

1: define owners for all and make owner group inheritable

- sudo chown -R admin:www-data /var/www/html
- sudo chmod g+s /var/www/html   # inherit owner group

2: apply default permission for folders and files (750 and 640 respectively; default is to be secured)

- sudo chmod -R 750 /var/www/html
- sudo find /var/www/html -type f -print0 | sudo xargs -0 chmod 640   # apply to files only

** repeat file permissions for each sub-directory

3: apply permission for the writable files and folders

- sudo chmod -R 770 /var/www/html/images
- sudo find /var/www/html/images -type f -print0 | sudo xargs -0 chmod 660

4: apply the auto inherit rules (ACL)

- setfacl -Rdm u::rwX,g::rwX,o::- /path/to/parent   # capital X applies the x bit to directories only

5: verify ACL:

- getfacl /var/www/html

Hope this answers the question.

0

A possible problem and solution, expanding on the answer from @Engineeroholic.

Here's what a possible problem might be:

$ whoami
admin
$ umask
0000

0000 is just a possible value -- one that you might see. Let us know what you do see.

Use one of the following options to fix it. I think this should fix your issue, even if the above doesn't end up being your problem.

# option 1: one session
$ umask 0027

or (Make sure you append, >>. DON'T overwrite with a single greater-than sign.)

# option 2: system-wide, note that you might need /etc/bash.profile, 
#           /etc/bash.bashrc, or something else called at login
#           if your system doesn't have /etc/.profile

$ echo -e "\n\n##New folders 0750, new files 0640" >> /etc/.profile
$ echo "umask 0027" >> /etc/.profile
$ source /etc/.profile

or (Make sure you append, >>. DON'T overwrite with a single greater-than sign.)

# option3: for `admin` only. Make sure that you are writing to 
#          a file called at login, in case ~/.bashrc isn't 
#          called at that point.

$ echo -e "\n\n##New folders 0750, new files 0640" >> ~/.bashrc
$ echo "umask 0027" >> ~/.bashrc
$ source ~/.bashrc

Now you can create files that should have the permissions you want.

You will get what some people describe as 0770 - 0027 = 0750 where 0-7 goes to 0.

More accurately, you have

   Octal1   Octal2   Binary1             Binary2
                       (    rwxrw---- )
      0770    0770         0111111000      0111111000
& NOT 0027  & 1750   & NOT 0000010111    & 1111101000
----------  ------   ----------------    ------------
      0750    0750         0111101000      0111101000
      ^                                 (   rwxr-x--- )
      |
      |
       `This one isn't really octal (I think.)

for your directories.

For your files:

  Octal     Binary1              Binary2
            (      rw-rw---- )
      0660        0110110000      0110110000
& NOT 0027  & NOT 0000010111    & 1111101000
----------    ----------------   ------------
      0640        0110100000      0110100000
                                (  rw-r----- )

See here for more details.

I don't know that this answer elucidates the cause of the behavior, but it is a possible solution.

Note that your getfacl includes default:mask::rwx, which you might change to default:mask::r-x, though that isn't likely the problem.
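To check the umask arithmetic in the tables above against what the kernel actually records, the following Python is an added example (not part of this answer): it creates a directory and a file under a chosen umask in a temporary location and reads back the modes, and it renders the same AND NOT working the tables show. It assumes the temp directory carries no default ACL; where one is present, the ACL inheritance rule takes over and umask is ignored, so the returned modes would differ from the arithmetic. Function names are mine.

```python
import os
import shutil
import stat
import tempfile

def apply_umask(requested, umask):
    """What the kernel does when no default ACL is present: clear every bit set in the umask."""
    return requested & ~umask & 0o7777

def perms(mode):
    """Render permission bits as rwxr-x--- (the type character is dropped)."""
    return stat.filemode(stat.S_IFREG | mode)[1:]

def bit_table(requested, umask):
    """The bitwise working the answer's tables show, as text."""
    result = apply_umask(requested, umask)
    return "\n".join([
        f"      {requested:04o}    {requested:012b}   ({perms(requested)})",
        f"& NOT {umask:04o}  & {~umask & 0o7777:012b}",
        f"      {result:04o}    {result:012b}   ({perms(result)})",
    ])

def create_under_umask(umask):
    """Create a directory (mkdir asks for 0777) and a file (open asks for 0666) with `umask`
    in force, and return (dir_mode, file_mode) as the filesystem recorded them."""
    old = os.umask(umask)
    base = tempfile.mkdtemp(prefix="umask-demo-")
    try:
        d = os.path.join(base, "newdir")
        f = os.path.join(base, "newfile")
        os.mkdir(d)                                              # default mode argument is 0o777
        os.close(os.open(f, os.O_CREAT | os.O_WRONLY, 0o666))    # the 0o666 most tools request
        return (stat.S_IMODE(os.stat(d).st_mode), stat.S_IMODE(os.stat(f).st_mode))
    finally:
        os.umask(old)                                            # never leave the umask changed
        shutil.rmtree(base)

if __name__ == "__main__":
    print(bit_table(0o777, 0o027))
    print(bit_table(0o666, 0o027))
    print("recorded under umask 0027:", tuple(oct(m) for m in create_under_umask(0o027)))
```

`create_under_umask(0o027)` returns (0o750, 0o640) on a directory without ACLs, which matches the tables, and (0o755, 0o644) under the 0022 that the comment on the question mentions; note the umask is restored in the finally block so the check does not change the calling process's settings.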