
I want to set an ACL for e.g. the /tmp/test folder like this:

/tmp/test's owner is user "gaspar", a member of group "testgroup".
User "testuser" is also a member of group "testgroup", and I want to give rwx permissions only to this user + the owner (user "gaspar").
Also I need the same ACL set automatically for all newly created files/directories within /tmp/test.

When I run setfacl like this:

setfacl -Rdm u:testuser:rwx,g:testgroup:-,o::- /tmp/test/

getfacl -p /tmp/test/ gives permissions:

# file: /tmp/test/
# owner: gaspar
# group: testgroup
user::rwx
group::---
other::---
default:user::rwx
default:user:testuser:rwx
default:group::---
default:group:testgroup:---
default:mask::rwx
default:other::---

And then user "testuser" has no permissions to /tmp/test folder. Can you please suggest where the problem is, what should I correct?

When I set the ACL like this (without the "d" option), user "testuser" has the permissions he should have, but obviously newly created files/directories don't get the same ACL:

setfacl -Rm u:testuser:rwx,g:testgroup:-,o::- /tmp/test/

getfacl -p /tmp/test/

# file: /tmp/test/
# owner: gaspar
# group: testgroup
user::rwx
user:testuser:rwx
group::---
group:testgroup:---
mask::rwx
other::---

Any advice appreciated!

gaspar

3 Answers


On your system, the files in /tmp disappear on reboot, right? Maybe this is not a good location for a permanent solution. When setting an ACL on a directory that should apply the ACL to all new file system objects in the directory, remember to set two masks: (1) the mask for the directory itself and (2) the default mask (for all new filesystem objects).

setfacl -m u::rwx,g::r-x,o::--- /tmp/test
setfacl -d -m u::rwx,g::r-x,o::--- /tmp/test

Above, the -m switch is the mask for /tmp/test, and the -d switch makes the mask the default mask for all new filesystem objects in the same directory. It's equivalent to 0750. Octal values can be used also.

The user, group, and other masks work the same way: g:groupname:--- or in combination: u:username:---,g:groupname:---,o::---. Not specifying a username or group name applies the mask to current user/group ownership.

Be aware that not all software is aware of ACLs. For example, not all SFTP/SCP clients know about them yet.

Christopher

This is working as it should.

man acl has the following to say on default ACLs:

ACL TYPES

Every object can be thought of as having associated with it an ACL that governs the discretionary access to that object; this ACL is referred to as an access ACL. In addition, a directory may have an associated ACL that governs the initial access ACL for objects created within that directory; this ACL is referred to as a default ACL.

(Emphasis mine)

What you have specified with your ACL is that only the owner has rwx permissions to the directory. The default ACL on the directory specifies the following:

  • all files created within will have their ACL set to be the same as the default ACL of the parent directory.
  • all directories created within will have both their default ACL set to be the same as the default ACL of the parent directory

If you either change the permissions to the parent directory or add a group/user ACL that enables access, then any files within will work as expected.

user6075516
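The two getfacl listings in the question and the access-ACL / default-ACL distinction quoted from acl(5) in the answer above can be checked mechanically. The following script is an added example and is not code from the question or the answers: it parses getfacl output, keeps the access entries apart from the default: entries, applies the mask to the entries it governs, resolves one user's permissions in the POSIX.1e order (owner, named user, matching group entries, other), and derives the access ACL a new object would inherit from the default ACL. The two sample listings are copied from the question; "testuser" being a member of "testgroup" is stated there too. The create mode 0666 used for a new file is an assumption (the mode a typical open(2) call passes; with a default ACL present the umask is not applied, the default entries are).

```python
"""Evaluate getfacl(1) output: effective access now, and what new objects inherit."""
import re

# Entry lines look like "user:testuser:rwx" or "default:mask::rwx".
ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")
HEADER_RE = re.compile(r"^# (file|owner|group): (.*)$")


def parse_getfacl(text):
    """Return {'file','owner','group','access':[...],'default':[...]}; entries are (tag, qualifier, perms)."""
    acl = {"file": None, "owner": None, "group": None, "access": [], "default": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                    # header or comment line
            h = HEADER_RE.match(line)
            if h:
                acl[h.group(1)] = h.group(2)
            continue
        line = line.split("#", 1)[0].strip()        # drop a "#effective:..." annotation
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised getfacl line: {line!r}")
        is_default, tag, qual, perms = m.groups()
        acl["default" if is_default else "access"].append((tag, qual, perms))
    return acl


def intersect(a, b):
    """Bitwise AND of two rwx strings: intersect('rwx', 'r-x') == 'r-x'."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))


def union(perms_list):
    """Bitwise OR of rwx strings."""
    out = ["-", "-", "-"]
    for p in perms_list:
        for i, c in enumerate(p):
            if c != "-":
                out[i] = c
    return "".join(out)


def resolve(entries, owner, owning_group, user, user_groups):
    """Permissions `user` gets from one ACL, in the acl(5) access-check order.

    1. owner        -> user::        (never masked)
    2. named user   -> user:NAME:    (masked)
    3. group        -> group:: for the owning group and group:NAME: for every
                       group the user is in (each masked); if any matches the
                       user gets their union and never falls through to other
    4. otherwise    -> other::       (never masked)
    """
    table = {(t, q): p for t, q, p in entries}
    mask = table.get(("mask", ""))
    masked = lambda p: intersect(p, mask) if mask is not None else p

    if user == owner:
        return table[("user", "")]
    if ("user", user) in table:
        return masked(table[("user", user)])
    group_hits = []
    for g in user_groups:
        if g == owning_group and ("group", "") in table:
            group_hits.append(masked(table[("group", "")]))
        if ("group", g) in table:
            group_hits.append(masked(table[("group", g)]))
    if group_hits:
        return union(group_hits)
    return table[("other", "")]


def inherited(default_entries, create_mode):
    """Access ACL a new object gets from its parent's default ACL.

    Per acl(5) the default entries are copied, then the owner entry, the
    group-class entry (mask if present, else the owning group) and the other
    entry are intersected with the mode the creating call asked for.
    """
    def bits(shift):
        return "".join(c if (create_mode >> shift) & b else "-"
                       for c, b in (("r", 4), ("w", 2), ("x", 1)))
    owner_m, group_m, other_m = bits(6), bits(3), bits(0)
    has_mask = any(t == "mask" for t, _, _ in default_entries)
    out = []
    for t, q, p in default_entries:
        if (t, q) == ("user", ""):
            p = intersect(p, owner_m)
        elif t == "mask" or (not has_mask and (t, q) == ("group", "")):
            p = intersect(p, group_m)
        elif (t, q) == ("other", ""):
            p = intersect(p, other_m)
        out.append((t, q, p))
    return out


def summarize(text, user, user_groups, create_mode=0o666):
    """What `user` can do on the object now, and on a file created inside it."""
    acl = parse_getfacl(text)
    now = resolve(acl["access"], acl["owner"], acl["group"], user, user_groups)
    new = None                                      # no default ACL: plain mode bits minus umask
    if acl["default"]:
        new = resolve(inherited(acl["default"], create_mode),
                      acl["owner"], acl["group"], user, user_groups)
    return {"now": now, "new_file": new}


# Sample listings copied from the question: "setfacl -Rdm ..." (default ACL only)
# and "setfacl -Rm ..." (access ACL only).
QUESTION_DEFAULT_ONLY = """\
# file: /tmp/test/
# owner: gaspar
# group: testgroup
user::rwx
group::---
other::---
default:user::rwx
default:user:testuser:rwx
default:group::---
default:group:testgroup:---
default:mask::rwx
default:other::---
"""

QUESTION_ACCESS_ONLY = """\
# file: /tmp/test/
# owner: gaspar
# group: testgroup
user::rwx
user:testuser:rwx
group::---
group:testgroup:---
mask::rwx
other::---
"""

if __name__ == "__main__":
    for name, listing in (("-Rdm", QUESTION_DEFAULT_ONLY), ("-Rm", QUESTION_ACCESS_ONLY)):
        print(name, "testuser:", summarize(listing, "testuser", ["testgroup"]))
```

Run on the first listing it reports testuser as "---" on the directory itself (only the default ACL was written, and the directory's own access ACL still has group::--- with no named-user entry) while a file created inside would give testuser "rw-" (the inherited mask::rwx intersected with create mode 0666); on the second listing testuser gets "rwx" now and nothing is inherited because there is no default ACL.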

You need to understand what "user::rwx" and "default:user::rwx" are. The default section is for inherited ACLs.
For more information you need to read "man setfacl", and maybe this doc will help you:
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.bpxb200/aclinhe.htm

Ozbit