Directory ACL permission

M

marypoppins

Dear All,

I'm little confused with the default acl(3) inheritance. As I know until now for directories:
r-reading its contents, x-step into that directory and w to create/remove file in it.
However if I make and extended default ACL for directory "dir" for a user "charles", the inheritance remove the access write permission for the user created directories.
for example: (I write the relevant parts only)

Code: 
root:> mkdir dir
root:> setfacl -m u:charles:rwx,m::rwx dir
root:> setfacl -dm u:charles:rwx,m::rwx dir

getfacl dir:
user:charles:rwx
mask::rwx

Then charles creates a new directory in dir named "userdir", and checks its permission:

Code: 
root:> getfacl dir/userdir

user:charles:rwx          # effective: r-x
mask::r-x

What I can not understand, why is it removes the write permission from the access mask (however it works great, because charles can create files and directories, and the write permission shows in the inherited directory acl(3) for userdir)

Can anybody help me to clear this?

Thank you very much.
 
Thank you

I read that, and this too:
http://users.suse.com/~agruen/acl/linux-acls/online/#SECTION00040000000000000000

However in your article the inheritance seems to work, if you read that: (starting line:
"To see the effect of default ACLs on subdirectories issue the following commands:")
the relevant part is the mask which is the same in your post, and which isn't the same in my case.

I forgot to mention that it happened on a NAS4Free which is based on BSD, so I think it should work the same. I will check it tomorrow on a FreeBSD as well.
 
Ok, sorry. However I checked it on FreeBSD.

The execute (not the write) permission removed from the effective list for files, however the default ACL includes that. I read more the articles about ACL, but I can not understand it. For example, everything created with root:

# umask 007
# mkdir userdir
Code: 
[CMD=#] ls -l[/CMD]
drwxrwrx--- root wheel userdir

# setfacl -dm u::rwx,g::rwx,o::-,m::rwx userdir


Code: 
[CMD=#]getfacl userdir[/CMD]
#file:userdir
#owner:root
#group:wheel
user::rwx
group::rwx
mask::rwx
other::---

Code: 
[CMD=#]getfacl -d userdir[/CMD]
#file:userdir
#owner:root
#group:wheel
user::rwx
group::rwx
mask::rwx
other::---

But when I create a file in it:
# cd userdir
# touch otherfile

Code: 
[CMD=#]getfacl otherfile[/CMD]
#file:userfile
#owner:root
#group:wheel
user::rw-
group::rwx
mask::rw-
other::---

When a directory is created inside a directory that has a default ACL, the new directory inherits the parent directory's default ACL both as its access ACL and default ACL. Objects that are not directories inherit the default ACL of the parent directory as their access ACL only.
Click to expand...

and

The umask has no effect if a default ACL exists.
Click to expand...

But as you can see the execute permission removed from the mask and from the user. Why?
 
Write permission from the directory is removed because of umask. Execute permission from the file is not there, because the touch(1) utility attempts to create file without it; if you run it using truss(1), you'll see this:

Code: 
openat(AT_FDCWD,"b",O_WRONLY|O_CREAT,0666)       = 3 (0x3)

See the '0666'? That's rw-rw-rw-.
 
Last edited by a moderator:
You must log in or register to reply here.
Back
Top