3

In short, I'm trying to create a file server with a directory in which any user in a group has read-write-execute permission on any file placed in that directory. My research suggests that ACL is the right tool for the job, but I've run into an issue where it does not seem to be behaving as expected.

I'm running the latest Ubuntu Server LTS 16.04.1, and I've ensured that ACL is enabled for the drive in question.

For this example, I have 2 users, alex and usera, and both users belong to the fileserver group. I have created a test directory like so:

alex@tstsvr:/$ sudo mkdir -p /srv/fstest/test
alex@tstsvr:/$ sudo chown root:fileserver /srv/fstest/test
alex@tstsvr:/$ sudo chmod 770 /srv/fstest/test

In that directory, alex creates a simple test file:

alex@tstsvr:/$ cd /srv/fstest/test/
alex@tstsvr:/srv/fstest/test$ echo 123 > test.txt
$ ll
total 12
drwxrwx--- 2 root fileserver 4096 Dec  7 17:09 ./
drwxr-xr-x 4 root root       4096 Dec  7 16:46 ../
-rw-rw-r-- 1 alex alex          4 Dec  7 17:09 test.txt

As we can see, the file belongs to him and is in his group. Next he sets the file permissions to 770 and sets some ACL for the fileserver group to have rwx permissions on the file.

alex@tstsvr:/srv/fstest/test$ chmod 770 test.txt
alex@tstsvr:/srv/fstest/test$ setfacl -m g:fileserver:rwx test.txt
alex@tstsvr:/srv/fstest/test$ ll
total 12
drwxrwx---  2 root fileserver 4096 Dec  7 17:09 ./
drwxr-xr-x  4 root root       4096 Dec  7 16:46 ../
-rwxrwx---+ 1 alex alex          4 Dec  7 17:09 test.txt*

Now for usera, everything seems to be working perfectly:

usera@tstsvr:/srv/fstest/test$ getfacl test.txt
# file: test.txt
# owner: alex
# group: alex
user::rwx
group::rw-
group:fileserver:rwx
mask::rwx
other::---

usera@tstsvr:/srv/fstest/test$ cat test.txt
123

But, if user alex changes the permissions to 700...:

alex@tstsvr:/srv/fstest/test$ chmod 700 test.txt

It seems ACL is not able to override those permissions, and usera is not longer able to read that file:

usera@tstsvr:/srv/fstest/test$ getfacl test.txt
# file: test.txt
# owner: alex
# group: alex
user::rwx
group::rw-          #effective:---
group:fileserver:rwx        #effective:---
mask::---
other::---

usera@tstsvr:/srv/fstest/test$ cat test.txt
cat: test.txt: Permission denied

My understanding was that because the file has a named group ACL entry, it would override those file permissions, but this seems to not be the case.

Did I do something wrong, am I misunderstanding, or is this not actually possible?

Alexander O'Mara
  • 1,179

2 Answers2

4

The posix permissions have priority over your acl. So when you chmod the file after the acl is given you are changing the acl mask. There is a great write up here: https://serverfault.com/questions/352783/why-does-chmod1-on-the-group-affect-the-acl-mask

Community
  • 1
JasonC
  • 56
  • Hmm, I guess what I was lead to believe about POSIX ACL was not true. – Alexander O'Mara Dec 07 '16 at 22:53
  • I wrote a version of that answer slanted towards Linux rather than towards SunOS here on this WWW site at https://unix.stackexchange.com/a/475796/5132 . – JdeBP Oct 17 '18 at 07:17
4

After applying acl permission on the file let me explain the meaning of first 11 characters.

-rwxrwx---+ 1 alex alex          4 Dec  7 17:09 test.txt*

the + at the end of the 10-character permission string indicates that there are ACL setting associated with this file. Interpret the user,group and other "rwx" flags as:

  • user:Shows the user ACL settings.which are same as the standard user file settings; rwx.
  • group:Shows the current ACL mask settings, not the group-owner setting;rwx
  • other:Shows the other ACL setting,which are the same as the standard other file settings.no access.

Important

Changing group permissions on a file with an ACL by using chmod does not change the group-owner permissions, but does change the ACL mask.

If you want to change owner group permission USE setfacl -m g::perms file

You use bellow command to change the group-owner permission

chmod 700 test.txt
  • 7 (rwx) change the file owner permission
  • 0 (---) change the acl mask.
  • 0 (---) change the other permission

Change upper command by bellow command

setfacl -m g::--- text.txt

After applying ACL permission setfacl -m g::perms file is the only way to change the owner-group permission.

Named user ,Named group and Owner group permission controlled by ACL mask

You change the mask permission 0 (---) that why named-group(fileserver) has effective permission 0 (---).

Rakib
  • 2,435