
I have a script that is used to re-apply ACLs on files and directories. However, it has the side effect of turning on the group-write permission, which I cannot explain. I have narrowed down the cause to one specific statement in the script by checking the permissions before and after every statement.

root@kompir:/tmp/perms# nl /apply-sec
     1  #!/bin/bash
     2  targetbase=$1
     3  [ -z "$targetbase" ] && exit
     4  [ ! -d $targetbase ] && exit
     5  #set -x

     6  check_base() {
     7          # Debugging function - call it to view the current ACL and mode bits
     8          getfacl $targetbase
     9          ls -ld $targetbase
    10          echo ---------------------------------------------
    11  }


    12  # Remove any ACLs
    13  setfacl -R -b $targetbase

    14  # Set basic permissions
    15  chown -R owner $targetbase
    16  find $targetbase -type d -exec chmod 2755 {} \;
    17  find $targetbase -type f -exec chmod 644 {} \;


    18  # Set Default Mask
    19  setfacl -d -m m:rwx $targetbase

    20  # User1 with Default
    21  check_base
    22  setfacl -m u:user1:rwx $targetbase
    23  check_base
    24  setfacl -d -m u:user1:rwx $targetbase

    25  # User2 with Default
    26  setfacl -m u:user2:r-x $targetbase
    27  setfacl -d -m u:user2:r-x $targetbase

    28  # Apply recursively
    29  getfacl $targetbase | setfacl -R -M- $targetbase

The statement on line 22 turns on the group-write mode bit (which was turned off on line 16).

The output from the script is as follows, using some sample directories created for the purpose of testing.

root@kompir:/tmp/perms# /apply-sec perms1/
# file: perms1/
# owner: owner
# group: root
# flags: -s-
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:mask::rwx
default:other::r-x

drwxr-sr-x+ 4 owner root 4096 Jun 9 09:20 perms1/

# file: perms1/
# owner: owner
# group: root
# flags: -s-
user::rwx
user:user1:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:mask::rwx
default:other::r-x

drwxrwsr-x+ 4 owner root 4096 Jun 9 09:20 perms1/

Note that the group-write permission is turned back on the second time the debug function is called to show the mode.

Why does this happen, is this expected behaviour, and can it be avoided?

1 Answer

Note that the group-write permission is turned back on the second time the debug function is called to show the mode.

It's not, see the output you got:

# file: perms1/
[...]
group::r-x

What you see in the output of ls is not the group permissions any more, but the ACL mask that limits what permissions the named user and group ACL entries can give.

See the acl(5) man page. There is a longer explanation in my earlier answer to "touch/mkdir seems to ignore default ACL".

ilkkachu
  • 138,973
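To make the answer's point concrete, here is a small Python model of the mask recalculation (added example, not code from the question or the answer). It follows the rule documented in setfacl(1) and acl(5): `setfacl -m` recomputes the mask as the union of `group::` and every named entry unless a mask is given explicitly, and `ls -l` shows the mask in the group triplet once one exists. It replays the question's getfacl output through the script's line 22, and goes one step further than the answer by showing what pinning the mask at `r-x` costs: user1's `rwx` is then clipped to `r-x`.

```python
from functools import reduce
from operator import or_
PERM_BITS = {"r": 4, "w": 2, "x": 1}
SHORT = {"u": "user", "g": "group", "m": "mask", "o": "other"}

def parse_perms(s):  # "r-x" -> 5
    return sum(PERM_BITS[c] for c in s if c in PERM_BITS)
def fmt_perms(n):    # 5 -> "r-x"
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())

def parse_entry(entry):
    parts = entry.split(":")  # 'u:user1:rwx', 'm:rwx' or getfacl's 'group::r-x'
    qualifier = parts[1] if len(parts) == 3 else ""
    return f"{SHORT.get(parts[0], parts[0])}:{qualifier}", parse_perms(parts[-1])  # e.g. ('user:user1', 7)

def parse_getfacl(text):  # access ACL only: '#' comments and default: entries are skipped
    return dict(parse_entry(l) for l in map(str.strip, text.splitlines())
                if l and not l.startswith(("#", "default:")))

def setfacl_modify(acl, entries):
    """Mimic `setfacl -m entries`: apply them, then (per setfacl(1)) recompute the mask as the
    union of group:: and every named user/group entry, unless a mask was given explicitly."""
    acl, explicit_mask = dict(acl), False
    for entry in entries.split(","):
        key, bits = parse_entry(entry)
        acl[key] = bits
        explicit_mask |= key == "mask:"
    named = [k for k in acl if k.startswith(("user:", "group:")) and k not in ("user:", "group:")]
    if named and not explicit_mask:
        acl["mask:"] = reduce(or_, (acl[k] for k in named), acl["group:"])
    return acl

def ls_mode(acl, setgid=False):
    """Mode string as `ls -ld` prints it: once a mask exists, the middle triplet is the MASK, not group::."""
    grp = acl.get("mask:", acl["group:"])
    mode = "d" + fmt_perms(acl["user:"]) + fmt_perms(grp) + fmt_perms(acl["other:"])
    return mode[:6] + ("s" if grp & 1 else "S") + mode[7:] if setgid else mode

def effective(acl, key):  # what an entry really grants: its bits AND the mask (acl(5))
    return acl[key] & acl.get("mask:", 7)

# getfacl output from the question just before the script's line 22 (constructed excerpt)
BEFORE_LINE_22 = "# file: perms1/\n# flags: -s-\nuser::rwx\ngroup::r-x\nother::r-x\ndefault:mask::rwx\n"

def walk_through():
    base = parse_getfacl(BEFORE_LINE_22)
    line22 = setfacl_modify(base, "u:user1:rwx")          # the script's line 22
    pinned = setfacl_modify(base, "u:user1:rwx,m:r-x")    # same, but pin the mask at r-x
    return {"base": ls_mode(base, True),                  # drwxr-sr-x
            "line22": ls_mode(line22, True),              # drwxrwsr-x, yet group:: is still r-x
            "line22_group": fmt_perms(line22["group:"]),  # r-x
            "pinned": ls_mode(pinned, True),              # drwxr-sr-x again ...
            "pinned_user1": fmt_perms(effective(pinned, "user:user1"))}  # ... but user1 only gets r-x
```

The model does not reproduce the trailing `+` that ls prints whenever any extended ACL (including a default ACL) is present.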