6

So this is the situation: I got a server for web developers. There are many developers. All developers + PHP + Apache belong to the www group. There is a development directory, development.

The goal is that every file in the development directory has 755 permissions and, whenever any developer creates or modifies a file in the development directory, the file still has 755.

So I have read a number of ACL tutorials, guides and how-tos, but I still cannot get the result I want.

  1. My disk is mounted with acl.
  2. I ran chown -R www:www development.
  3. I added chmod g+s development.
  4. I set a number of ACL rules on the development directory and got this:

    $ getfacl development
    # file: development
    # owner: www
    # group: www
    # flags: -s-
    user::rwx
    user:www:rwx
    group::rwx
    group:www:rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:user:www:rwx
    default:group::rwx
    default:group:www:rwx
    default:mask::rwx
    default:other::r-x
    
    P.S. I know it's messy; I was doing a number of tests.
    
  5. According to my idea of ACLs, if the directory had such rules, my task should be achieved, but when I try to create a file in the development dir, I get:

    -rw-rw-r--+ 1 www     www      0 Nov 21 09:14 newfile
    

I cannot seem to understand why it creates rw- instead of rwx.

It is probably something simple that I missed or some general concept that I don't understand.

1
  • When you have ACL rules on a file, you should never use the permissions as reported by ls. ACLs override the basic file permissions. Use getfacl to view the permissions on the file. Commented Nov 21, 2012 at 16:38

1 Answer

4

Your default ACLs replace the umask, which specifies not default permissions, but maximum permissions for creating new files. In this case rwxrwxr-x.

Then your application calls open or creat with the permissions it wants. Just about all applications will ask for rw-rw-rw- for files.

You can see this by running strace, e.g.

$ strace -e trace=file touch newfile
...
open("newfile", O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0666) = 3

(0666 is the same as rw-rw-rw-.)

The two permissions are combined using bitwise AND to give rw-rw-r--.

  rwxrwxr-x     # default ACL
  rw-rw-rw-     # permission requested (e.g. by touch, vim, etc.)
& _________
  rw-rw-r--     # effective permissions

For another explanation, see POSIX Access Control Lists — “Default ACL Example”.

So the real question is: why do you need the files to be executable?

3
  • Just tried setfacl -m d:u::rwx,g::rwx,o:rwx .; touch beforeumask; umask 777; touch afterumask. Both get the same permissions. So I'm pretty sure it does replace the umask. Commented Nov 21, 2012 at 20:35
  • You're right. I managed both to mess up my test and misread the manual. I've deleted my comment. Sorry. Commented Nov 21, 2012 at 20:44
  • Your default ACLs replace the umask, which specifies not default permissions, but maximum permissions for creating new files. Thanks. Commented Aug 1, 2017 at 12:25
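The combination the answer describes (default ACL entries ANDed with the mode the program asks for, umask not consulted) can be checked without touching a real filesystem. The script below is an added example, not code from the question or the answer; it parses the default: lines of the getfacl output shown in the question and applies the POSIX.1e inheritance rule as Linux implements it: the new object copies the default ACL, then the requested owner bits restrict the user:: entry, the requested group bits restrict the mask:: entry (group:: if there is no mask), and the requested other bits restrict other::. The requested modes 0666 (touch) and 0777 (mkdir) are the usual ones named in the answer; the function names are my own.

```python
"""Simulate how a directory's default ACL and the mode passed to open()/creat()/
mkdir() combine into a new file's permissions on Linux (POSIX.1e draft 17 rules).
Added example: the ACL text is copied from the question in this thread."""

# Constructed input: the default: entries of the question's `getfacl development`.
DEV_DEFAULT_ACL = """\
# file: development
default:user::rwx
default:user:www:rwx
default:group::rwx
default:group:www:rwx
default:mask::rwx
default:other::r-x
"""


def parse_perms(perms):
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0."""
    return ((4 if perms[0] == "r" else 0)
            | (2 if perms[1] == "w" else 0)
            | (1 if perms[2] == "x" else 0))


def perms_str(bits):
    """7 -> 'rwx', 5 -> 'r-x'."""
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")


def format_mode(mode):
    """0o664 -> 'rw-rw-r--', i.e. what ls(1) prints."""
    return "".join(perms_str((mode >> shift) & 7) for shift in (6, 3, 0))


def parse_default_acl(text):
    """Collect the default: entries as {(tag, qualifier): permission bits}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("default:"):
            continue  # comments and access (non-default) entries are irrelevant here
        tag, qualifier, perms = line[len("default:"):].split(":")
        entries[(tag, qualifier)] = parse_perms(perms)
    return entries


def inherited_acl(default_acl, requested_mode):
    """New object = copy of the parent's default ACL, restricted by the requested
    mode: owner bits AND user::, group bits AND mask:: (group:: when no mask),
    other bits AND other::.  Named user/group entries are copied unchanged and
    the process umask is never consulted."""
    acl = dict(default_acl)
    acl[("user", "")] &= (requested_mode >> 6) & 7
    group_key = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[group_key] &= (requested_mode >> 3) & 7
    acl[("other", "")] &= requested_mode & 7
    return acl


def mode_bits(acl):
    """The nine bits ls(1) shows for an object with an ACL: the group column is
    the mask:: entry, not the owning group's entry."""
    group_class = acl.get(("mask", ""), acl[("group", "")])
    return (acl[("user", "")] << 6) | (group_class << 3) | acl[("other", "")]


def effective_perms(acl):
    """What getfacl prints as '#effective:' for group:: and every named entry:
    the entry ANDed with the mask.  user::, other:: and mask:: are unaffected."""
    mask = acl.get(("mask", ""), 7)
    return {key: (bits & mask if key == ("group", "") or key[1] else bits)
            for key, bits in acl.items()}


def mode_without_acl(requested_mode, umask):
    """Without a default ACL the kernel applies the umask instead."""
    return requested_mode & ~umask & 0o777


if __name__ == "__main__":
    default_acl = parse_default_acl(DEV_DEFAULT_ACL)
    for what, req in (("touch newfile  (open with 0666)", 0o666),
                      ("mkdir newdir   (mkdir with 0777)", 0o777)):
        acl = inherited_acl(default_acl, req)
        eff = effective_perms(acl)
        print(f"{what}: ls shows {format_mode(mode_bits(acl))}; "
              f"group:www entry {perms_str(acl[('group', 'www')])}, "
              f"effective {perms_str(eff[('group', 'www')])}")
    print("open with 0666, no default ACL, umask 022:",
          format_mode(mode_without_acl(0o666, 0o022)))
```

Running it reproduces the rw-rw-r-- from the question for a file and rwxrwxr-x for a directory, and shows why the named group:www:rwx entry is reported by getfacl with #effective:rw- on the new file: the mask, cut down to rw- by the requested 0666, caps it. The last line contrasts the umask path that applies only when no default ACL is present, which is the distinction the comment thread above settles.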
