
So this is the situation: I have a server for web developers. There are many developers. All developers, plus PHP and Apache, belong to the www group. There is a development directory, development.

The goal is that every file in the development directory has 755 permissions, and whenever any developer creates or modifies a file in the development directory, the file will still have 755.

So I have read a number of ACL tutorials, guides and howtos, but I still cannot get the result I want.

  1. My disk is mounted with acl.
  2. I ran chown -R www:www development.
  3. I added chmod g+s development.
  4. I set a number of ACL rules on the development directory and got this:

    $ getfacl development
    # file: development
    # owner: www
    # group: www
    # flags: -s-
    user::rwx
    user:www:rwx
    group::rwx
    group:www:rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:user:www:rwx
    default:group::rwx
    default:group:www:rwx
    default:mask::rwx
    default:other::r-x
    
    P.S. I know it's messy, I was doing a number of tests.
    
  5. According to my idea of ACLs, if the directory had such rules, my task should be achieved, but when I try to create a file in the development dir, I get:

    -rw-rw-r--+ 1 www     www      0 Nov 21 09:14 newfile
    

I cannot seem to understand why it creates rw- instead of rwx.

It is probably something simple that I missed or some general concept that I don't understand.

manatwork
  • When you have ACL rules on a file, you should never use the permissions as reported by ls. ACLs override the basic file permissions. Use getfacl to view the permissions on the file. – phemmer Nov 21 '12 at 16:38

1 Answer


Your default ACLs replace the umask, which specifies not default permissions, but maximum permissions for creating new files. In this case rwxrwxr-x.

Then your application calls open or creat with the permissions it wants. Just about all applications will ask for rw-rw-rw- for files.

You can see this by running strace, e.g.

    $ strace -e trace=file touch newfile
    ...
    open("newfile", O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0666) = 3

(0666 is the same as rw-rw-rw-.)

The two permissions are combined using bitwise AND to give rw-rw-r--.

  rwxrwxr-x     # default ACL
  rw-rw-rw-     # permission requested (e.g. by touch, vim, etc.)
& _________
  rw-rw-r--     # effective permissions

For another explanation, see POSIX Access Control Lists — “Default ACL Example”.

So the real question is: why do you need the files to be executable?

Mikel
  • Just tried setfacl -m d:u::rwx,g::rwx,o:rwx .; touch beforeumask; umask 777; touch afterumask. Both get the same permissions. So I'm pretty sure it does replace the umask. – Mikel Nov 21 '12 at 20:35
  • You're right. I managed both to mess up my test and misread the manual. I've deleted my comment. Sorry. – Stéphane Chazelas Nov 21 '12 at 20:44
  • Your default ACLs replace the umask, which specifies not default permissions, but maximum permissions for creating new files. Thanks. – sjas Aug 01 '17 at 12:25
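The following Python script is an added example, not code from the question or the answer above. It models the two mechanisms the answer contrasts: on a plain directory the umask subtracts bits from the mode a program passes to open(2), while on a directory with a default ACL the owner, mask and other entries of that ACL act as a ceiling that is ANDed with the requested mode and the umask is not applied (this is the behaviour documented in acl(5)). The helper names (parse_symbolic, to_symbolic, mode_with_umask, mode_with_default_acl, demo) and the inputs in demo() are constructed for illustration; the numbers reproduce the thread's case, where touch requests 0666 under a default ACL of rwxrwxr-x and ends up with rw-rw-r--.

```python
"""Model how Linux decides the permission bits of a newly created file.

Added example (not from the original post). Two mechanisms are simulated:
  - umask: bits set in the umask are *removed* from the requested mode.
  - default ACL: the default ACL's owner/mask/other bits are a *ceiling*;
    the requested mode is ANDed with them and the umask is ignored (acl(5)).
In both cases the creating program supplies the requested mode (touch, vim
and most editors pass 0666 to open(2)), so an execute bit the program never
asked for cannot appear in the result.
"""
import stat

# Bit order of a symbolic string such as "rwxrwxr-x": owner, group, other.
_BITS = (
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
)
_LETTERS = "rwx" * 3


def parse_symbolic(text: str) -> int:
    """'rwxrwxr-x' -> 0o775. Raises ValueError on malformed input."""
    if len(text) != 9:
        raise ValueError(f"expected 9 characters, got {text!r}")
    mode = 0
    for ch, want, bit in zip(text, _LETTERS, _BITS):
        if ch == want:
            mode |= bit
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} in {text!r}")
    return mode


def to_symbolic(mode: int) -> str:
    """0o664 -> 'rw-rw-r--' (permission bits only, no type or setuid flags)."""
    return "".join(l if mode & b else "-" for l, b in zip(_LETTERS, _BITS))


def mode_with_umask(requested: int, umask: int) -> int:
    """Plain directory (no default ACL): the umask bits are cleared."""
    return requested & ~umask & 0o777


def mode_with_default_acl(requested: int, default_acl_mode: int) -> int:
    """Directory with a default ACL: the ACL is the ceiling, umask ignored.

    default_acl_mode is the default:user::, default:mask:: and default:other::
    triple from getfacl, e.g. 'rwxrwxr-x' for the directory in the question.
    """
    return requested & default_acl_mode & 0o777


def demo() -> dict:
    """Reproduce the thread's numbers with constructed inputs."""
    requested = 0o666                            # what touch/vim pass to open(2)
    default_acl = parse_symbolic("rwxrwxr-x")    # the poster's default ACL
    return {
        # same request on a directory without ACLs and a 022 umask
        "umask_022": to_symbolic(mode_with_umask(requested, 0o022)),
        # the case from the question: rw-rw-r--, no execute bit
        "default_acl": to_symbolic(mode_with_default_acl(requested, default_acl)),
        # the execute bit only appears when the creator asks for it
        "requested_0777": to_symbolic(mode_with_default_acl(0o777, default_acl)),
    }


if __name__ == "__main__":
    for name, perms in demo().items():
        print(f"{name:>15}: {perms}")
```

Running the script prints rw-r--r-- for the umask case, rw-rw-r-- for the default-ACL case and rwxrwxr-x only when 0777 was requested, which is the answer's point: a default ACL can only take bits away from what the creating program asks for, so a file created by touch or an editor will not become 755 however the directory's ACL is set.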