
I am trying to understand how I can grant permissions to the owning group once POSIX ACLs have been applied to a file. Normally, I would use chmod g+rwx. However, that does not work when a POSIX ACL was applied via setfacl before. I am not able to access the file with a member of the owning group afterwards. The output of getfacl shows that the owning group entry has not changed but the mask has.

[vagrant@ice01 tmp]$ umask 077
[vagrant@ice01 tmp]$ touch test
[vagrant@ice01 tmp]$ ls -lisa test
1585067 0 -rw------- 1 vagrant vagrant 0 Sep 23 17:43 test
[vagrant@ice01 tmp]$ setfacl -m u:icer01:rwx test
[vagrant@ice01 tmp]$ chmod g+rwx test
[vagrant@ice01 tmp]$ ls -lisa test
1585067 0 -rw-rwx---+ 1 vagrant vagrant 0 Sep 23 17:43 test
[vagrant@ice01 tmp]$ getfacl test
# file: test
# owner: vagrant
# group: vagrant
user::rw-
user:icer01:rwx
group::---
mask::rwx
other::---

I read this answer and it claims:

If you use the chmod(1) command to change the file group owner permissions on a file with ACL entries, either the file group owner permissions or the ACL mask are changed to the new permissions.

I read parts of the referenced IEEE 1003.1e working draft and it backs their claim.
But more importantly: I could confirm this behavior on a CentOS 6 box with an ext4 filesystem (see above).

Am I correct in assuming that setfacl is the only option to grant access to the owning group once an ACL has been applied?

If so, that behavior shifts responsibility to the end-user. In the end, you have to check whether ACLs are already set before you decide whether to use chmod or setfacl.

LuedDev

1 Answer


The answer to the question in the title is: setfacl -m group::rwX test. The capital X means "only grant execute permission if someone else already has execute permission." (It means the same thing to chmod(1).) Using capital X is how you can do a recursive setfacl or chmod to grant permission without ending up with executable source files.

The ACL entry group:: corresponds to the current group of the file. If you were to change the group of test to something other than vagrant, the group:: entry would control access for whatever the current group is.

chmod g+rwx didn't do what you expected because when there is an ACL the Unix group permission bits on a file or directory are aliased with the mask:: entry of the ACL. As long as there is an ACL chmod g+FOO will be equivalent to setfacl -m mask::FOO and vice versa.

staufk
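The following is an added example, not code from either post. It parses the getfacl output quoted in the question (embedded here as a constructed sample) and models the two behaviours the answer describes: the owning-group permission is the group:: entry ANDed with mask::, chmod g+... grows the mask rather than group:: whenever a mask entry exists, and setfacl -m group::... sets group:: and recomputes the mask. It also implements the "check whether an extended ACL is present before choosing chmod or setfacl" decision from the question. All function names are this example's own; nothing here touches a real filesystem.

```python
"""Effective POSIX.1e ACL permissions from getfacl(1) text output."""

# Constructed sample: the getfacl output shown in the question, after
# `setfacl -m u:icer01:rwx test` followed by `chmod g+rwx test`.
SAMPLE_GETFACL = """\
# file: test
# owner: vagrant
# group: vagrant
user::rw-
user:icer01:rwx
group::---
mask::rwx
other::---
"""


def parse_perms(text):
    """'rw-' -> {'r', 'w'}; any character other than r/w/x is ignored."""
    return {c for c in text if c in "rwx"}


def fmt_perms(perms):
    """{'r', 'x'} -> 'r-x' (getfacl style)."""
    return "".join(c if c in perms else "-" for c in "rwx")


def parse_getfacl(text):
    """Return [(tag, qualifier, perm_set), ...] from getfacl output.

    Header comments and trailing '#effective:...' annotations are dropped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perms = line.split(":", 2)
        entries.append((tag, qualifier, parse_perms(perms)))
    return entries


def _masked(tag, qualifier):
    # POSIX.1e: the mask applies to named users, the owning group and
    # named groups. user:: (owner) and other:: are never masked.
    return tag == "group" or (tag == "user" and qualifier != "")


def effective_perms(entries):
    """Map 'tag:qualifier' -> effective permission string after the mask."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        eff = perms & mask if (mask is not None and _masked(tag, qualifier)) else perms
        result[f"{tag}:{qualifier}"] = fmt_perms(eff)
    return result


def has_extended_acl(entries):
    """True if anything beyond the minimal user::/group::/other:: triple is set."""
    return any(t not in ("user", "group", "other") or q != "" for t, q, _ in entries)


def chmod_group(entries, perms):
    """Model `chmod g+<perms>`: with a mask:: entry present the Unix group bits
    alias the mask, so the mask grows; without one, group:: itself grows."""
    add = parse_perms(perms)
    target = "mask" if any(t == "mask" for t, _, _ in entries) else "group"
    return [(t, q, p | add if (t == target and q == "") else p) for t, q, p in entries]


def setfacl_modify_group(entries, perms):
    """Model `setfacl -m group::<perms>` (without -n): set group:: and recompute
    mask:: as the union of every entry the mask covers."""
    new = parse_perms(perms)
    out = [(t, q, new if (t == "group" and q == "") else p) for t, q, p in entries]
    if any(t == "mask" for t, _, _ in out):
        union = set()
        for t, q, p in out:
            if _masked(t, q):
                union |= p
        out = [(t, q, union if t == "mask" else p) for t, q, p in out]
    return out


def grant_group_command(entries, perms, path):
    """The command that actually grants <perms> to the owning group of <path>."""
    if has_extended_acl(entries):
        return f"setfacl -m group::{perms} {path}"
    return f"chmod g+{perms} {path}"


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print("effective now:        ", effective_perms(acl)["group:"])
    print("after chmod g+rwx:    ", effective_perms(chmod_group(acl, "rwx"))["group:"])
    print("after setfacl group:: ", effective_perms(setfacl_modify_group(acl, "rwx"))["group:"])
    print("use:", grant_group_command(acl, "rwx", "test"))
```

Running the script against the sample reproduces the question's observation: the owning group stays at --- after the modelled chmod because only mask:: changed, while the modelled setfacl -m group::rwx yields an effective rwx. When auditing real files, feed the script the output of getfacl on each path and treat any has_extended_acl() hit as a signal that plain chmod is no longer a reliable way to reason about group access.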