2

I have a folder /stuff that is owned by root:stuff with setgid set so all new folders have group set to stuff.

I want it so:

  • New files have rw-rw----:
    • User: read and write
    • Group: read and write
    • Other: none
  • New folders have rwxrwx---:
    • User: read, write, and execute
    • Group: read, write, and execute
    • Other: none

If I set default ACLs with setfacl then it seems to apply to both files and folders. For me, this is fine for Other since both files and folders get no permissions:

setfacl -d -m o::---- /stuff

But what do I do for User and Group? If I do something like above then it will be set on all files and folders.

And I can't use umask.

I have a shared drive. I am trying to make it so folks in stuff can read/write/execute but nobody else (Other) can. And I want to make sure that by default files do not get the execute bit set, regardless of what the account's umask is.

1
  • If the only difference is the execute bit, then look into X instead of x as the mode. Commented Dec 15, 2020 at 17:00

1 Answer

3

There is no way to differentiate between files and directories using setfacl only. Instead, you can work around the issue by using inotify-tools to detect newly created files/dirs, then apply the correct ACLs for each one recursively:

1- You have to install the inotify-tools package first.

2- Recover the default /stuff directory ACLs

sudo setfacl -bn /stuff

3- SetGID

sudo chmod g+s /stuff

4- Execute the following script in the background for testing purposes; for a permanent solution, wrap it within a service.

#!/bin/bash
# Watch /stuff recursively and fix permissions on every newly created entry.
# IFS= and -r keep leading/trailing spaces and backslashes in paths intact.
sudo inotifywait -m -r -e create --format '%w%f' /stuff | while IFS= read -r NEW
do
    # when a new dir is created
    if [ -d "$NEW" ]; then
        sudo setfacl -m u::rwx "$NEW"
        sudo setfacl -m g::rwx "$NEW"
    # when a new file is created
    elif [ -f "$NEW" ]; then
        sudo setfacl -m u::rw "$NEW"
        sudo setfacl -m g::rw "$NEW"
    fi
    # setting no permissions for others
    sudo setfacl -m o:--- "$NEW"
done
3
  • How well will this work when a lot of files/folders are added in bulk? Commented Dec 15, 2020 at 16:17
  • Yes, for sure. You can try it yourself; this will be handled sequentially. Commented Dec 15, 2020 at 16:34
  • Please don't forget to mark it as resolved if the above helped you. Commented Dec 15, 2020 at 18:01
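
An added example, not part of the answer above: a reconciliation sweep that enforces the same two modes on entries the watcher never handled, such as files created while it was not running. It uses chmod instead of setfacl, on the assumption that the tree has no named ACL entries (the state after `setfacl -bn`), so the mode bits are the u::, g:: and o:: entries; the function name `sweep` is hypothetical and `stat -c` assumes GNU or BusyBox stat.

```shell
#!/bin/bash
# Added example, not from the original answer: reconciliation sweep.
# Assumption: no named ACL entries exist under the tree, so changing the
# mode bits is the same as changing the u::, g:: and o:: base ACL entries.

# sweep ROOT
#   directories   -> rwxrwx---  (setgid left untouched, +/- never clears it)
#   regular files -> rw-rw----  (execute bit removed for everyone)
# Prints one "fixed <old> -> <new> <path>" line per entry that changed,
# so an empty result means the tree already complies.
sweep() {
    # find passes paths as arguments, so names with spaces or newlines are
    # safe; symlinks are skipped because -type does not follow them.
    find "$1" \( -type d -o -type f \) -exec sh -c '
        for p do
            old=$(stat -c %a -- "$p")
            if [ -d "$p" ]; then
                chmod u+rwx,g+rwx,o-rwx -- "$p"
            else
                chmod u+rw,g+rw,a-x,o-rw -- "$p"
            fi
            new=$(stat -c %a -- "$p")
            [ "$old" = "$new" ] || printf "fixed %s -> %s %s\n" "$old" "$new" "$p"
        done' sh {} +
}
```

Run as root against /stuff on a schedule; every `fixed` line is an entry that existed with the wrong mode until the sweep reached it.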
