ls throws errors when trying to access directory guarded with ACL

Question

I have setup a directory and some files with setfacl.

jobq@workstation:~/Pool$ getfacl /etc/jobq
getfacl: Removing leading '/' from absolute path names
# file: etc/jobq
# owner: root
# group: jobq
user::rwx
user:jobq:rw-
group::r-x
group:jobq:rwx
mask::rwx
other::r-x
jobq@workstation:~/Pool$ sudo getfacl /etc/jobq/log.txt
getfacl: Removing leading '/' from absolute path names
file: etc/jobq/log.txt
owner: root
group: jobq
user::rw-
group::rw-
group:jobq:rwx
mask::rwx
other::r--
jobq@workstation:~/Pool$ groups
jobq

However, when I run a command, like

ls -al /etc/jobq

I'm getting permission errors:

ls: cannot access '/etc/jobq/log.txt': Permission denied
total 0
d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..

Since user jobq is in the group jobq, they should have access to the directory. What am I misunderstanding? How can I fix this?

Stephen Kitt · Accepted Answer · 2022-06-21T06:44:12.147

The problem comes from this ACL on /etc/jobq:

user:jobq:rw-

This means that user jobq can’t “search” the directory, which is what stops ls from showing its contents.

To fix this, you need to add the x permission. See Execute vs Read bit. How do directory permissions in Linux work? for details.

See also Restrictive "group" permissions but open "world" permissions? to understand why the group permissions don’t help here. Thus another solution would be to drop the user ACL for jobq, and rely on the group permissions instead.

ls throws errors when trying to access directory guarded with ACL

file: etc/jobq/log.txt

owner: root

group: jobq

1 Answers1