Default permission not taken into account after setfacl

Question

I'm trying to set default permissions so that all files created in my folder hackerank would be created with rwx by default.

I've done a chmod g+s (as I was looking at different threads, not sure this did anything to be honest, but just in case it changes anything):

chmod g+s hackerank/

and then tried to set default ACLs on the group:

setfacl -d -m g::rwx hackerank/

If I check ACLs, they now look good:

getfacl hackerank/
# file: hackerank/
# owner: will
# group: will
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:will:rwx
default:mask::rwx
default:other::r-x

But I create a new file, it still inherits -rw-rw-r--+ (the + showing the ACL attributes are in effect:

touch hackerank/test
ll hackerank/
total 8.0K
drwxrwsr-x+ 2 will will 4.0K Jul 11 16:09 ./
drwxr-xr-x  3 will will 4.0K Jul 11 15:03 ../
-rw-rw-r--+ 1 will will    0 Jul 11 16:09 test

getfacl hackerank/test
# file: hackerank/test
# owner: will
# group: will user::rw-
group::rwx  #effective:rw-
group:will:rwx  #effective:rw-
mask::rw-
other::r--

Any clue as to what I have missed?

Thanks for your help

getfacl hackerank/test # file: hackerank/test # owner: will # group: will user::rw- group::rwx #effective:rw- group:will:rwx #effective:rw- mask::rw- other::r-- — Will1v, Jul 11 '17 at 22:30

sourcejedi · Answer 1 · 2018-07-09T23:33:22.703

See also this question from just two months earlier: setting 'x' (executable) bit using ACL. There's a nice pointer to where this is defined in the official documentation, in ilkkachu's answer.

Applications create files with a given mode. The mode is then limited, but never extended, by the current umask:

strace touch a
...
open("a", O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0666) = 3

e.g. I have a umask of 002 which limits the above created file to 0664/-rw-rw-r-- (viewed with stat a).

My understanding is this limits ACLs as well. ~~ACLs are not permitted to exceed the permissions that you see when you read the mode of a file, so~~

The access by group will on your file cannot exceed rw-. This is enforced by the mask ACL... thing, which explains the "effective" comments in the output of getfacl. EDIT: the mask applies to all ACL entries except for "user::" (the file owner) and "other:". All such ACL entries are limited by the mask.

~~The access by users and groups other than will and will cannot exceed r--.~~

Ok, I'll need to look into umask and strace to understand what you did there, but I get the general idea and I know where to keep looking now. Thanks! — Will1v, Jul 12 '17 at 13:25

Default permission not taken into account after setfacl

1 Answers1