
I'd like to use setfacl so that anyone in group 'app' can edit any file contained within /usr/local/users/app regardless of what the traditional UNIX permissions say. I have two users, john and ben. I tried to follow the instructions from another question, but john is not able to write to some files. It looks like this is because of the ACL mask. However, I've set a default mask of rwx on the directory, so shouldn't the files within it inherit that when created?

E.g. john cannot write to the file below, but he is a member of group 'app' which has write acls on the file so I'm surprised he can't edit the file.

ben@app1:/usr/local/users$ ls -la app/app-1.0-SNAPSHOT/lib/play.templates_2.10-2.1.1.jar 
-rw-r--r--+ 1 ben users 38326 Apr  2 10:21 app/app-1.0-SNAPSHOT/lib/play.templates_2.10-2.1.1.jar

ben@app1:/usr/local/users/app$ getfacl app-1.0-SNAPSHOT/lib/
# file: app-1.0-SNAPSHOT/lib/
# owner: ben
# group: users
user::rwx
group::rwx          #effective:r-x
group:app:rwx       #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::rwx
default:group:app:rwx
default:mask::rwx
default:other::r-x

ben@app1:/usr/local/users$ getfacl app/app-1.0-SNAPSHOT/lib/play.templates_2.10-2.1.1.jar 
# file: app/app-1.0-SNAPSHOT/lib/play.templates_2.10-2.1.1.jar
# owner: ben
# group: users
user::rw-
group::rwx          #effective:r--
group:app:rwx       #effective:r--
mask::r--
other::r--


You'll notice the "effective" comment that getfacl is throwing out at you. The issue is that permissions are being calculated so that "app" isn't getting the write bit set. That's happening because the mask on the file is set to read-only. The mask is used to limit the amount of permissions that could possibly be given out on a particular file or directory.

An example of why you would want this behavior would be if you knew the file could legitimately need different users/groups to have access to it, but for some reason things were getting complicated with permissions and you wanted a way to say "Whatever the other default permissions are set to, whatever their group memberships are, or whatever recursive setfacl gets executed later on, DEFINITELY DON'T GIVE THIS OUT!" The owning user has a special status in the POSIX world; it has rights other users don't have, like the ability to be non-root and change permissions on a file, and to have its rights not be limited by the mask (which would be pointless anyway because of the first privilege the system gives them). This is why they still get rwx even though the mask is restricted.

To answer your specific question though: add the write bit to the mask on the file and try again as the john user.

Here is a command line version of the above explanation; take note of how the "effective" rights change when all I modify is the mask.

Bratchley
  • Thank you. I really appreciate the response. Is it possible for new files to be created with a default mask of rwx? I've edited my question with a few more details. – Ben McCann Apr 08 '13 at 21:28
  • Yeah the mask is one of the categories (like users and groups) that you can set a default ACL on. The default mask should inherit to subdirectories and apply to files. EXAMPLE: setfacl -m d:m::rwx /path/to/Dir – Bratchley Apr 08 '13 at 22:36
  • The default ACL is inheriting to subdirectories, but not to files, making the ACLs completely useless :-( – Ben McCann Apr 08 '13 at 22:48
  • Just to make sure we're talking about the same thing, you're talking about the default acl for the mask entry? This is what I get in tests. – Bratchley Apr 09 '13 at 12:11
  • I've also repeated the above test for new files in /testBed after changing the effective mask on the parent directory and gotten the same result (default mask entry gets applied to the file and not the parent's effective mask). – Bratchley Apr 09 '13 at 12:14
  • Sorry, just to clarify, are you saying that you can or can't reproduce my issue? To add a bit more details, I'm trying to rsync into the directory from another machine which had files created with umask 0022 and has no ACLs. I cannot get the ACL mask on the files to be anything other than r--. – Ben McCann Apr 09 '13 at 19:32
  • I'm saying that I can't reproduce the issue. My personal tests follow the same pattern I described: after setting a default mask on a directory, created subdirectories inherit that as their default mask, and files created in either directory have the default mask applied as their explicit mask. It may be rsync; that's a tool that can be destructive for ACLs as it goes out of its way to make sure everything at the destination is as it was in the source. rsync has the -A option, but that's only for importing ACLs from the source, which you said aren't there. – Bratchley Apr 09 '13 at 20:15
  • As a workaround, if you're scheduling the rsync in a cronjob you could have another cronjob on the receiving end run the appropriate setfacl's on the directories to ensure that permissions are as they should be. Either that, or make sure ACLs exist on the source as well and do -A on your rsync. – Bratchley Apr 09 '13 at 20:17
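To make the mask arithmetic in the answer and the comments concrete, here is an added example (not part of the answer or of the acl tools) that parses the getfacl output from the question, recomputes the "effective" column the way the kernel does (named entries and the owning group are ANDed with the mask; owner and other are not), and also models the creation-time rule from acl(5) that explains a read-only mask on a copied file: when a directory has a default ACL, a new file's mask is the default mask ANDed with the group bits of the mode passed to open(2), and the umask is not applied. The FILE_ACL text is copied from the question; the 0644 creation mode is an assumption about what rsync requests for a source file with mode 0644.

```python
# Mask handling for POSIX ACLs, as shown by getfacl on the question's file.

# getfacl output copied from the question (access ACL of the jar file).
FILE_ACL = """\
# file: app/app-1.0-SNAPSHOT/lib/play.templates_2.10-2.1.1.jar
# owner: ben
# group: users
user::rw-
group::rwx          #effective:r--
group:app:rwx       #effective:r--
mask::r--
other::r--
"""

def parse_bits(s):
    """'rw-' -> 6, 'r-x' -> 5, etc."""
    return (4 if s[0] == "r" else 0) | (2 if s[1] == "w" else 0) | (1 if s[2] == "x" else 0)

def fmt_bits(b):
    """6 -> 'rw-', 5 -> 'r-x', etc."""
    return ("r" if b & 4 else "-") + ("w" if b & 2 else "-") + ("x" if b & 1 else "-")

def parse_getfacl(text):
    """Return (tag, qualifier, perms) tuples for the access ACL only.
    '# file:/owner:/group:' headers, '#effective' notes and default: entries are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("default:"):
            continue
        tag, qual, perms = line.split(":")
        entries.append((tag, qual, parse_bits(perms)))
    return entries

def effective(entries):
    """Effective rights per entry. Owner (user::), other:: and the mask itself are
    never masked; owning group, named users and named groups are ANDed with the mask."""
    mask = next((p for t, q, p in entries if t == "mask"), 7)
    out = {}
    for tag, qual, perms in entries:
        unmasked = (tag in ("user", "other") and qual == "") or tag == "mask"
        out[f"{tag}:{qual}"] = fmt_bits(perms if unmasked else perms & mask)
    return out

def inherited_mask(default_mask, create_mode):
    """Mask a new file receives under a directory with a default ACL (acl(5)):
    default mask AND the group bits of the mode given to open(2). umask is ignored."""
    return default_mask & ((create_mode >> 3) & 7)

if __name__ == "__main__":
    for key, rights in effective(parse_getfacl(FILE_ACL)).items():
        print(f"{key:<12} effective:{rights}")
    # Assumed: rsync recreates a 0644 source file with mode 0644 -> mask r--
    print("new-file mask:", fmt_bits(inherited_mask(7, 0o644)))
```

Running it reproduces the r-- effective rights for group:app from the question, and shows that a default mask of rwx still yields a file mask of r-- when the creating program asks for mode 0644, which is the behaviour the question observes with rsync.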

It is impossible. cp, rsync, etc. create files ignoring default ACLs.

Why does cp not respect ACLs?

Paulo Tomé
  • Incorrect. The user was running into the same mask thing you were running into earlier and got an incorrect response from someone else. It's not up to "cp" or any other utility to ignore the default ACL entries; that happens at the filesystem level when cp goes to create the file. The tool has the option to issue the system calls to strip/add the necessary ACLs but would have to make an effort to do so. – Bratchley Apr 09 '13 at 12:43
  • The hell of it is that you can see the ACL entry they're talking about; it's just that the effective permissions they're expecting to see aren't there. That was a perfect opportunity to say "hey dude, check your mask." – Bratchley Apr 09 '13 at 12:46
  • Actually, I take that back; it looks like EvilRyry posted about the mask and the OP just responded back with "it didn't work", then posted getfacl output that seems to show that "felles" did get rwx on the file. At this rate, the highest voted answer doesn't match up with my personal experience and what I've illustrated here with command examples. – Bratchley Apr 09 '13 at 19:20