1

I have a directory owned by my user vagrant. The webserver (and web application) run as www-data.

Both users need to create and modify directories and files in this directory, regardless of who created them. As vagrant I can modify files created by www-data, but I can't create new files in directories created by www-data.

I believe I am stuck because I cannot alter the mask applied to directories created by www-data.

vagrant@iadev:/var/www/web$ sudo rm -r core/cache
vagrant@iadev:/var/www/web$ mkdir core/cache

vagrant@iadev:/var/www/web$ sudo setfacl -R -m u:www-data:rwX,u:vagrant:rwX core/cache
vagrant@iadev:/var/www/web$ sudo setfacl -dR -m u:www-data:rwX,u:vagrant:rwX core/cache

vagrant@iadev:/var/www/web$ getfacl core/cache
# file: core/cache
# owner: vagrant
# group: vagrant
user::rwx
user:www-data:rwx
user:vagrant:rwx
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:www-data:rwx
default:user:vagrant:rwx
default:group::rwx
default:mask::rwx
default:other::r-x

I browse the web app and populate the cache.

vagrant@iadev:/var/www/web$ getfacl core/cache/locks/
# file: core/cache/locks/
# owner: www-data
# group: www-data
user::rwx
user:www-data:rwx               #effective:r-x
user:vagrant:rwx                #effective:r-x
group::rwx                      #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:www-data:rwx
default:user:vagrant:rwx
default:group::rwx
default:mask::rwx
default:other::r-x

vagrant@iadev:/var/www/web$ vi core/cache/locks/test.txt

When user vagrant tries to save a file in core/cache/locks it fails. I understand #effective:r-x is the problem, but I cannot work out how to change it.

I have tried ~30 setfacl command variations (including -n and m:rwX): what do I not understand?

PeterB
  • 111
  • Does your mounted fs support ACLs? Does ACL even work for this mountpoint where the files are stored? – user3417815 Apr 22 '16 at 13:12
  • Yes and yes - as user vagrant I can modify files created by www-data, but not create new files in directories created by www-data – PeterB Apr 24 '16 at 16:45

1 Answer

-1

I had the same problem. Go and check what ACL core/cache/locks/test.txt has:

getfacl core/cache/locks/test.txt

Probably the directory's default ACL has not been applied to the just-created file (output could be something like):

# file: test.txt
# owner: www-data
# group: www-data
user::rw-
group::r--
other::r--

Restarting Apache helped me. Reloading did not.

On the other hand, I had another Apache instance which did not need any restart. Go figure.

JohnSmith
  • 101
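
The mask arithmetic behind the `#effective:r-x` lines in the question, as an added example (not code from either poster): on Linux, acl(5) specifies that a new directory inherits its parent's default ACL and then has its mask limited by the group bits of the mode passed to mkdir(). The modes 0755 and 0775 are assumptions; the page does not show which mode the web application uses.

```python
import re

# Constructed sample: the default ACL that getfacl reports for core/cache on the page.
PARENT_DEFAULT = """\
default:user::rwx
default:user:www-data:rwx
default:user:vagrant:rwx
default:group::rwx
default:mask::rwx
default:other::r-x
"""

def bits(perm):  # "r-x" -> 5
    return sum(v for c, v in zip(perm, (4, 2, 1)) if c != "-")

def text(n):  # 5 -> "r-x"
    return "".join(c if n & v else "-" for c, v in zip("rwx", (4, 2, 1)))

def parse_default(acl_text):
    """Return {(tag, qualifier): bits} for the default: entries of getfacl output."""
    pat = re.compile(r"default:(user|group|mask|other):([^:]*):([rwx-]{3})")
    return {(m[1], m[2]): bits(m[3]) for m in map(pat.match, acl_text.splitlines()) if m}

def inherit(default_acl, mode):
    """Access ACL of an object created with `mode` under a default ACL (see acl(5)).
    The umask is not applied; owner, mask and other are ANDed with the mode's
    owner, group and other bits. Named entries and group:: are copied unchanged."""
    acl = dict(default_acl)
    acl[("user", "")] &= (mode >> 6) & 7
    acl[("mask", "")] &= (mode >> 3) & 7
    acl[("other", "")] &= mode & 7
    return acl

def effective(acl):
    """Named users, named groups and the owning group are limited by the mask."""
    mask = acl[("mask", "")]
    out = {}
    for (tag, who), perm in acl.items():
        if tag != "mask":
            masked = tag == "group" or (tag == "user" and who != "")
            out[f"{tag}:{who}"] = text(perm & mask if masked else perm)
    return out

if __name__ == "__main__":
    for mode in (0o755, 0o775):  # assumed modes passed to mkdir() by the application
        child = inherit(parse_default(PARENT_DEFAULT), mode)
        print(oct(mode), "mask", text(child[("mask", "")]), effective(child))
```

With mode 0755 the result reproduces the `mask::r-x` and `#effective:r-x` lines shown for core/cache/locks; with 0775 the named-user entries keep rwx.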