
There is a directory /test/test2/. Its owner is root and the group is test and the permission is drwxr-xr-x. I executed setfacl -m group:test:w ./ in that directory.

Now, as the user test whose groups include test, if I run getfacl ./ in that directory, the output is:

# file: .
# owner: root
# group: test
user::rwx
group::r-x
group:test:-w-
mask::rwx
other::r-x

Now, if I execute touch test.txt, I get touch: cannot touch 'test.txt': Permission denied. Why is this so? Doesn't the setfacl -m add the permission to the chmod permission? I mean, I gave the test group write permission with setfacl, and since the group had r-x in traditional permission (that can be changed with chmod), doesn't this effectively give rwx to the test group?

I have tried namei -l /test/test2/, and the output was:

f: /test/test2/
drwxr-xr-x root root /
drwxr-xr-x root root test
drwxrwxr-x root test test2

1 Answer


The main problem is here:

group:test:-w-

The group test does really have write permissions but not execute permissions, so you will not be able to create anything under that directory. You will have to assign the permission with something like this:

setfacl -m group:test:wx ./

Even if you assign UNIX write permissions but not execute permissions, you won't be able to create anything.

  • You can find something related here – Edgar Magallon Dec 07 '22 at 02:49
  • But the group already had r-x permission on the directory, and the directory's group was "test". So, when an ACL is set, the traditional permissions are ignored for the same group? – Damn Vegetables Dec 07 '22 at 06:25
  • @DamnVegetables As far as I know I would say yes. When a file/dir has ACLs, this checks the permissions for the given user, and if this one is not allowed for reading, writing, or executing, then the action is rejected. Maybe you are confused by what I answered to you some days ago in this answer: "However this behavior is correct because the Unix permissions and the owner drwxr-xr-x+ 2 guest guest allow the guest user to cd and create files in /test/only_r" – Edgar Magallon Dec 07 '22 at 07:28
  • In that case the directory only_r was owned by the same user, so it was able to change/modify/create files under that directory. In this case, as you said, test2 is owned by root as user and test as group. But I remember reading (but I did not find the thread) something about user permissions being primordial over group permissions. – Edgar Magallon Dec 07 '22 at 07:34
  • For example, if I have a file with these perms: --x rwx --- test test, as you can see the test user has x permissions but its group test has rwx permissions. Thus, if you try to edit the file or read it, you will get a Permission Denied even if you are in the same group. In your case it seems that the test group is ignored and the ACLs are applied. You can swap the owner of your test2 dir: sudo chown test:root. And since the dir is now owned by test as a user, the ACLs will be ignored (if you assign only write perms you will be able to read/write/change to the dir). – Edgar Magallon Dec 07 '22 at 07:44
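As an added illustration (not code from the question, the answer, or the acl tools themselves), the following Python script simulates the access-check algorithm described in the acl(5) manual page and runs it over the getfacl output quoted in the question. It shows why the test user is denied: the owning-group entry group::r-x and the named entry group:test:-w- are each tested on their own against the requested bits, and creating a file needs write plus search (wx) on the directory from a single entry. Nothing is merged, so r-x and -w- never add up to rwx. The user name, group membership and requested permissions are passed in as plain arguments (assumptions of the simulation, not values read from the system), and an absent mask entry is treated as rwx.

```python
import re

# Constructed input: the getfacl output quoted in the question, embedded
# here so the script runs offline without touching a real filesystem.
GETFACL_OUTPUT = """\
# file: .
# owner: root
# group: test
user::rwx
group::r-x
group:test:-w-
mask::rwx
other::r-x
"""

ALL = frozenset("rwx")


def parse_getfacl(text):
    """Parse getfacl text into a dict of ACL entries (permission sets)."""
    acl = {"owner": None, "group": None, "user_obj": set(), "users": {},
           "group_obj": set(), "groups": {}, "mask": None, "other": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Header lines carry the file owner and owning group.
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m:
                acl[m.group(1)] = m.group(2)
            continue
        tag, qualifier, perms = line.split(":")
        perms = set(perms) & ALL          # '-' placeholders drop out
        if tag == "user":
            if qualifier:
                acl["users"][qualifier] = perms
            else:
                acl["user_obj"] = perms
        elif tag == "group":
            if qualifier:
                acl["groups"][qualifier] = perms
            else:
                acl["group_obj"] = perms
        elif tag == "mask":
            acl["mask"] = perms
        elif tag == "other":
            acl["other"] = perms
    return acl


def check_access(acl, user, groups, requested):
    """Apply the acl(5) access-check algorithm.

    `user` is the process's effective user name, `groups` the set of group
    names it belongs to, `requested` a string of permissions such as "wx".
    Returns True if access is granted.
    """
    want = set(requested) & ALL
    mask = acl["mask"] if acl["mask"] is not None else ALL
    # 1. File owner: only the user:: entry counts (the mask does not apply).
    if user == acl["owner"]:
        return want <= acl["user_obj"]
    # 2. Named user entry, limited by the mask.
    if user in acl["users"]:
        return want <= (acl["users"][user] & mask)
    # 3. Group class: the owning group and each named group are tested
    #    separately; ONE entry must contain every requested bit.
    matched = False
    if acl["group"] in groups:
        matched = True
        if want <= (acl["group_obj"] & mask):
            return True
    for name, perms in acl["groups"].items():
        if name in groups:
            matched = True
            if want <= (perms & mask):
                return True
    # 4. Some group entry matched but none granted everything: denied.
    if matched:
        return False
    # 5. Nothing matched: the other:: entry decides.
    return want <= acl["other"]


def can_create_file(acl, user, groups):
    """touch needs write (add an entry) and execute (search) on the directory."""
    return check_access(acl, user, groups, "wx")


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_OUTPUT)
    print("user test in group test, create file:", can_create_file(acl, "test", {"test"}))
    # The answer's fix: give the named group both w and x in one entry.
    fixed = parse_getfacl(GETFACL_OUTPUT.replace("group:test:-w-", "group:test:-wx"))
    print("after setfacl -m group:test:wx:", can_create_file(fixed, "test", {"test"}))
```

Running it with the question's ACL prints False for the test user, and True once the named group entry carries wx; the same function also grants a plain read (via group::r-x) and a plain write (via group:test:-w-) to that user individually, which is exactly the asymmetry the question stumbles over.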