3

I have this weird issue: I'm trying to wrap my mind around ACLs to give some developers write access to a few files in a folder.

This is an example folder structure. I have a settings.local.php file there, and I'm giving it 000 permissions with chmod, then I'm giving it rwX permissions with setfacl. It's successful, as in getfacl does give me the correct permissions, but owner permissions are not affected, and the user can't actually save the file. Actually, in this example, the user can't even read the file...

    hostname:/srv/clientname/sites/local# chmod 000 *

    hostname:/srv/clientname/sites/local# ls -la
    total 64
    dr-xrwxrwx+ 3 clientname www-data 4096 Jun 19 16:50 .
    drwxrwxrwx+ 5 clientname www-data 4096 Jun 19 16:51 ..
    ----------+ 1 clientname www-data  775 Jun 19 16:50 settings.local.php

    hostname:/srv/clientname/sites/local# groups clientname
    clientname : www-data sftp ftp

    hostname:/srv/clientname/sites/local# setfacl -m u:clientname:rwX *

    hostname:/srv/clientname/sites/local# ls -la
    dr-xrwxrwx+ 3 clientname www-data 4096 Jun 19 16:50 .
    drwxrwxrwx+ 5 clientname www-data 4096 Jun 19 16:51 ..
    ----rw----+ 1 clientname www-data  775 Jun 19 16:50 settings.local.php

    hostname:/srv/clientname/sites/local# getfacl settings.local.php
    # file: settings.local.php
    # owner: clientname
    # group: www-data
    user::---
    user:www-data:rw-
    user:clientname:rw-
    group::r--
    group:www-data:rw-
    mask::rw-
    other::---

What am I doing wrong?

Radius
  • 133

1 Answer

2

ACLs supplement regular permissions, they don’t replace them. Since clientname is the owner of the file, the owner ACL is applied first. That’s

user::---

(which matches the owner permissions), and access is denied.

Stephen Kitt
  • 434,908
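Added example, not part of the question or the answer above: a small Python model of the POSIX ACL access check order documented in acl(5), run against the getfacl output from the question. The function names and the `FIXED` variant (owner entry changed to `rw-`) are constructed for illustration; group memberships come from the question's `groups` output.

```python
# Constructed copy of the getfacl output shown in the question.
GETFACL = """\
# file: settings.local.php
# owner: clientname
# group: www-data
user::---
user:www-data:rw-
user:clientname:rw-
group::r--
group:www-data:rw-
mask::rw-
other::---
"""
# Constructed variant: same ACL with the owner entry (user::) set to rw-.
FIXED = GETFACL.replace("user::---", "user::rw-")

def parse(text):
    """Split getfacl text into header metadata and (tag, qualifier, perms) entries."""
    meta, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            key, _, val = line[1:].partition(":")
            meta[key.strip()] = val.strip()
        elif line:
            tag, qual, perms = line.split(":")[:3]
            entries.append((tag, qual, set(perms[:3]) - {"-"}))
    return meta, entries

def allowed(text, user, groups, want):
    """Return True if `user` (member of `groups`) is granted all of `want`."""
    meta, entries = parse(text)
    want = set(want)
    def perms(tag, qual):
        return [p for t, q, p in entries if t == tag and q == qual]
    mask = (perms("mask", "") or [set("rwx")])[0]
    if user == meta["owner"]:            # 1. owner: user:: decides, no mask, no fallthrough
        return want <= perms("user", "")[0]
    named = perms("user", user)
    if named:                            # 2. named user entry, limited by mask
        return want <= named[0] & mask
    cands = perms("group", "") if meta["group"] in groups else []
    cands += [p for g in groups for p in perms("group", g)]
    if cands:                            # 3. any one matching group entry, limited by mask
        return any(want <= p & mask for p in cands)
    return want <= perms("other", "")[0]  # 4. everyone else
```

The `user:clientname:rw-` entry is never consulted for the owner because step 1 returns before step 2 is reached.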