
I'm trying to set default permissions so that all files created in my folder hackerank would be created with rwx by default.

I've done a chmod g+s (as I was looking at different threads, not sure this did anything to be honest, but just in case it changes anything):

chmod g+s hackerank/

and then tried to set default ACLs on the group:

setfacl -d -m g::rwx hackerank/

If I check ACLs, they now look good:

getfacl hackerank/
# file: hackerank/
# owner: will
# group: will
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:will:rwx
default:mask::rwx
default:other::r-x

But when I create a new file, it still inherits -rw-rw-r--+ (the + showing the ACL attributes are in effect):

touch hackerank/test
ll hackerank/
total 8.0K
drwxrwsr-x+ 2 will will 4.0K Jul 11 16:09 ./
drwxr-xr-x  3 will will 4.0K Jul 11 15:03 ../
-rw-rw-r--+ 1 will will    0 Jul 11 16:09 test

getfacl hackerank/test
# file: hackerank/test
# owner: will
# group: will
user::rw-
group::rwx  #effective:rw-
group:will:rwx  #effective:rw-
mask::rw-
other::r--

Any clue as to what I have missed?

Thanks for your help

sourcejedi
  • 50,249
Will1v
  • 13

1 Answer


See also this question from just two months earlier: setting 'x' (executable) bit using ACL. There's a nice pointer to where this is defined in the official documentation, in ilkkachu's answer.


Applications create files with a given mode. The mode is then limited, but never extended, by the current umask:

strace touch a
...
open("a", O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0666) = 3

E.g. I have a umask of 002, which limits the above created file to 0664/-rw-rw-r-- (viewed with stat a).

My understanding is this limits ACLs as well. ACLs are not permitted to exceed the permissions that you see when you read the mode of a file, so:

The access by group will on your file cannot exceed rw-. This is enforced by the mask ACL... thing, which explains the "effective" comments in the output of getfacl. EDIT: the mask applies to all ACL entries except for "user::" (the file owner) and "other:". All such ACL entries are limited by the mask.

The access by users and groups other than will and will cannot exceed r--.

sourcejedi
  • 50,249
  • Ok, I'll need to look into umask and strace to understand what you did there, but I get the general idea and I know where to keep looking now. Thanks! – Will1v Jul 12 '17 at 13:25
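
Added example, not part of the original question or answer: a Python model of the object-creation rule in acl(5) and umask(2), fed with the default ACL from the question. When the parent directory has a default ACL, the new file inherits it and any bits absent from the mode passed to open() are cleared from the owner, mask and other entries (the umask is not consulted in that case); all function and variable names are this example's own.

```python
# Model of acl(5) "object creation and default ACLs"; not kernel or libacl code.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def to_bits(perms):
    """'rw-' -> 6"""
    return sum(PERM_BITS[c] for c in perms if c != "-")

def to_str(bits):
    """6 -> 'rw-'"""
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())

def inherit(default_acl, mode):
    """Access ACL of a file created with open(..., O_CREAT, mode) in a
    directory whose default ACL is default_acl: [(tag, qualifier, perms)]."""
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    acl = []
    for tag, qual, perms in default_acl:
        bits = to_bits(perms)
        if tag == "user" and not qual:
            bits &= owner            # owner entry follows the owner bits
        elif tag == "mask" or (tag == "group" and not qual and not has_mask):
            bits &= group            # group bits of the mode land on the mask
        elif tag == "other":
            bits &= other
        acl.append((tag, qual, to_str(bits)))
    return acl

def effective(acl):
    """What each entry really grants: all entries except user:: and other::
    are ANDed with the mask (getfacl's '#effective:' comment)."""
    mask = next((to_bits(p) for t, _, p in acl if t == "mask"), 7)
    out = {}
    for tag, qual, perms in acl:
        if tag == "mask":
            continue
        bits = to_bits(perms)
        if not (tag == "other" or (tag == "user" and not qual)):
            bits &= mask
        out[f"{tag}:{qual}"] = to_str(bits)
    return out

# Default ACL copied from the getfacl output in the question.
DEFAULT_ACL = [("user", "", "rwx"), ("group", "", "rwx"),
               ("group", "will", "rwx"), ("mask", "", "rwx"), ("other", "", "r-x")]

if __name__ == "__main__":
    for mode in (0o666, 0o777):      # touch asks for 0666; 0777 is a constructed case
        print(oct(mode), inherit(DEFAULT_ACL, mode), effective(inherit(DEFAULT_ACL, mode)))
```

With mode 0666 the model reproduces the getfacl output for hackerank/test above: the x bit is missing because touch never asked for it, not because the default ACL was ignored.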