4

My aim is to allow read access to folder /var/www/mysite/ only for users in group www-data using a default ACL.

This works for a regular ACL, but not for a default ACL. Why?

This is how I did it:

I am logged on as user www-data who is in group www-data. I am in directory /var/www.

I created a directory mysite and gave it the permission 0. Then I added ACL permissions so that anyone in group www-data has read-access to directory mysite/.

$ mkdir mysite
$ chmod 0 mysite
$ setfacl -m g:www-data:r-x mysite
$ ls -la
d---------+  2 root root 4096 Sep  6 11:16 mysite
$ getfacl mysite/
# file: mysite/
# owner: root
# group: root
user::---
group::---
group:www-data:r-x
mask::r-x
other::---

At this point user www-data has access to the folder. However, if I instead add a default ACL, access is denied!

$ setfacl -m d:g:www-data:r-x mysite # <---- NOTE the default acl rule.
$ ls -la
d---------+  2 root root 4096 Sep  6 11:16 mysite
$ getfacl mysite/
# file: mysite/
# owner: root
# group: root
user::---
group::---
other::---
default:user::---
default:group::---
default:group:www-data:r-x
default:mask::r-x
default:other::---
erch
  • 5,030
  • clear all permission using setfacl -b /var/www/mysite then set using setfacl -m g:www-data:rx /var/www/mysite and let me know if any issue – Rahul Patil Sep 06 '13 at 10:44
  • This is unrelated to my problem. I need that to work with a default acl. – Hurrdurrfurr Sep 06 '13 at 11:11
  • Be wary of the distinction between the statements "I need" and "I think I need". Some say the road to hell is paved with those differences. – msw Sep 06 '13 at 12:42

2 Answers

1

The semantics of access control lists are complicated, excerpted here from man -s 5 acl

 1.  If the effective user ID of the process matches the user ID of the
     file object owner, then

         if the ACL_USER_OBJ entry contains the requested permissions,
         access is granted,

         else access is denied.

 2.  else if the effective user ID of the process matches the qualifier
     of any entry of type ACL_USER, then

         if the matching ACL_USER entry and the ACL_MASK entry contain
         the requested permissions, access is granted,

         else access is denied.

 3.  else if the effective group ID or any of the supplementary group IDs
     of the process match the file group or the qualifier of any entry of
     type ACL_GROUP, then

         if the ACL contains an ACL_MASK entry, then

             if the ACL_MASK entry and any of the matching ACL_GROUP_OBJ
             or ACL_GROUP entries contain the requested permissions,
             access is granted,

             else access is denied.

         else (note that there can be no ACL_GROUP entries without an
         ACL_MASK entry)

             if the ACL_GROUP_OBJ entry contains the requested
             permissions, access is granted,

             else access is denied.

 4.  else if the ACL_OTHER entry contains the requested permissions,
     access is granted.

 5.  else access is denied.

I know I have trouble making sense of which rule applies to your particular problem. If you understood them fully, you wouldn't be asking a question here. In particular, it is hard to determine whether the user, group, or other applies, and whether the default takes precedence over the specific. Here's an example using your ACL:

$ ls -ld mysite
drwxr-x---+ 2 www-data www-data 4096 Sep  6 08:22 mysite
$ getfacl mysite
# file: mysite
# owner: www-data
# group: www-data
user::rwx
group::r-x
other::---
default:user::rwx
default:group::rwx
default:group:www-data:r-x
default:mask::rwx
default:other::r-x

$ ls -l mysite
total 4
-rw-rw-r--+ 1 www-data www-data 56 Sep  6 08:15 example.html

Using your ACL parameters, everything is fine since I'm running with www-data in my groups. But if I change the mode on mysite/, I disable my access:

$ sudo chmod 000 mysite
$ ls -ld mysite
d---------+ 2 www-data www-data 4096 Sep  6 08:22 mysite
$ ls mysite
ls: cannot open directory mysite: Permission denied

Note that I didn't change the ACL at all.

On a related note, root should never, ever, never own directories that are going to be part of a web-service. Ever. Really. That's why there are unprivileged accounts and groups like www-data.

What should you do to make things work the way you think you want them to? I have no idea.

msw
  • 10,593
  • 1
    Thanks for your answer. Could you elaborate on why "root should never, ever, never own directories that are going to be part of a web-service. Ever. Really." because I don't see a problem with this. – Hurrdurrfurr Sep 06 '13 at 13:48
  • Here's what the World Wide Web Consortium has to say on the matter: http://www.w3.org/Security/Faq/wwwsf3.html – msw Sep 06 '13 at 14:42
1

The default ACL is the ACL that is applied to newly created files in that directory. It is also copied as the default ACL for subdirectories created under that directory, so unless you do something to override it, it applies recursively.

The default ACL has no effect on the directory itself, or on any files that exist when you change the default ACL.

So in your situation you need to both set the ACL on the directory (for the directory itself) and set the default ACL (for files that you will create in the directory).
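To make both answers concrete, here is an added example (not code from the question or from either answer) that models the acl(5) access-check rules quoted in the first answer and the default-ACL inheritance described in the second. The getfacl text is constructed from the question's own two experiments; the model deliberately ignores root's capability overrides and assumes the documented acl(5) behaviour that a new object's access ACL is the parent's default ACL with its user::, mask:: (or group:: when there is no mask) and other:: entries intersected with the creation mode. Function names (`parse_getfacl`, `check_access`, `inherit`, `demo`) are this example's own.

```python
# Added example: model of acl(5) access checks and default-ACL inheritance.
# Not part of the original question or answers; root's DAC override is ignored.

# Constructed from the question's first experiment (access ACL only).
ACCESS_ACL_ONLY = """\
user::---
group::---
group:www-data:r-x
mask::r-x
other::---
"""

# Constructed from the question's second experiment (default ACL only).
DEFAULT_ACL_ONLY = """\
user::---
group::---
other::---
default:user::---
default:group::---
default:group:www-data:r-x
default:mask::r-x
default:other::---
"""


def _perms(s):
    """'r-x' -> frozenset({'r', 'x'})."""
    return frozenset(c for c in s if c != "-")


def _bits_to_perms(bits):
    """3-bit mode field (e.g. 0o6) -> frozenset of 'r','w','x'."""
    return frozenset(c for c, v in (("r", 4), ("w", 2), ("x", 1)) if bits & v)


def parse_getfacl(text):
    """Split getfacl body lines into (access_acl, default_acl) dicts keyed by (tag, qualifier)."""
    access, default = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        target = access
        if line.startswith("default:"):
            target = default
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        target[(tag, qualifier)] = _perms(perms)
    return access, default


def check_access(acl, user, groups, owner, group_owner, wanted):
    """Apply the five acl(5) rules to an access ACL. Returns True if granted."""
    wanted = set(wanted)
    has_mask = ("mask", "") in acl
    mask = acl.get(("mask", ""), frozenset("rwx"))
    # Rule 1: process owns the file -> only ACL_USER_OBJ counts.
    if user == owner:
        return wanted <= acl[("user", "")]
    # Rule 2: named ACL_USER entry, limited by the mask.
    if ("user", user) in acl:
        return wanted <= (acl[("user", user)] & mask)
    # Rule 3: owning group or any named ACL_GROUP entry the process belongs to.
    matching = []
    if group_owner in groups:
        matching.append(acl[("group", "")])
    for (tag, qualifier), perms in acl.items():
        if tag == "group" and qualifier and qualifier in groups:
            matching.append(perms)
    if matching:
        if has_mask:
            return any(wanted <= (p & mask) for p in matching)
        return wanted <= acl[("group", "")]
    # Rules 4 and 5: fall through to ACL_OTHER.
    return wanted <= acl[("other", "")]


def inherit(default_acl, mode, is_dir):
    """Access ACL (and default ACL) of a new object created under a directory
    carrying default_acl with creation mode `mode` (assumed acl(5) semantics)."""
    access = dict(default_acl)
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    access[("user", "")] &= _bits_to_perms(owner_bits)
    group_key = ("mask", "") if ("mask", "") in access else ("group", "")
    access[group_key] &= _bits_to_perms(group_bits)
    access[("other", "")] &= _bits_to_perms(other_bits)
    new_default = dict(default_acl) if is_dir else {}
    return access, new_default


def demo():
    """Replay the question's two experiments for user www-data (group www-data)
    against a directory owned by root:root, then create a file under the
    default ACL and check the inherited entries."""
    acc1, _ = parse_getfacl(ACCESS_ACL_ONLY)
    acc2, def2 = parse_getfacl(DEFAULT_ACL_ONLY)
    who = dict(user="www-data", groups={"www-data"}, owner="root", group_owner="root")
    dir_with_access_acl = check_access(acc1, wanted="rx", **who)   # True
    dir_with_default_only = check_access(acc2, wanted="rx", **who)  # False
    child, _ = inherit(def2, 0o664, is_dir=False)  # new file: mask becomes r--
    child_read = check_access(child, wanted="r", **who)  # True
    return dir_with_access_acl, dir_with_default_only, child_read


if __name__ == "__main__":
    print(demo())
```

The second experiment fails at rule 3: the directory's own access ACL has no mask and no group:www-data entry, so the check falls through to other::--- and is denied, exactly as the second answer states. The inherited file ACL also shows the mode interaction from the first answer: a 0664 create mode cuts the inherited mask from r-x to r--, so x is lost even though the default entry granted it.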