
I have a folder, owned by the "website user" foo, that will host a site:

$ sudo mkdir foo
$ sudo chown -R foo:foo foo
$ sudo chmod -R u=rwX,g=rX,o= foo
$ sudo chmod -R g+s foo
$ ls -la

drwxr-s--- ... foo foo ... foo

I add Nginx (my server) to the foo group, but I don't want Nginx to be able to write, so I set the group permission to rX.

I set a default ACL. I want all new files to have these permissions by default:

$ sudo setfacl -Rm d:u::rwX foo
$ getfacl foo

user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:other::---

I make extra sure to use rwX, since I want directories to be traversable, but not make files executable by default.

Now, Alice and Bob want to work on some stuff in there, so I add them both to the foo group:

$ sudo usermod -aG foo bob
$ sudo usermod -aG foo alice

I give Bob access. I want to add ACL overrides so Alice and Bob, as human users in the foo group, are able to write. Bob first:

$ sudo setfacl -Rm u:bob:rwX,d:u:bob:rwX foo
$ getfacl foo

user::rwx
user:bob:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:bob:rwx
default:group::r-x
default:mask::rwx
default:other::---

Bob tests his newfound god powers:

$ touch foo/bobfile
$ ls -la foo

drwxrws---+ ... foo  foo  ... .
drwxr-xr-x  ... root root ... ..
-rw-rw----+ ... bob  foo  ... bobfile

I note dutifully that ls now shows bobfile as having group write permissions, but I know that's only because ls represents the highest available permission that applies to at least one entity, not "what everybody has by default".

I give Alice access. I want her to have the same permissions as Bob:

$ sudo setfacl -Rm u:alice:rwX,d:u:alice:rwX foo
$ getfacl foo

user::rwx
user:bob:rwx
user:alice:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:bob:rwx
default:user:alice:rwx
default:group::r-x
default:mask::rwx
default:other::---

Now Alice can execute Bob's file. Huh?

$ ls -la foo

drwxrws---+ ... foo  foo  ... .
drwxr-xr-x  ... root root ... ..
-rw-rwx---+ ... bob  foo  ... bobfile

Indeed, Alice can now execute foo/bobfile. Meanwhile, owner Bob cannot execute his own file (as it should be).

To make things weirder, if Alice creates a new file now, she can't execute it either - only bobfile, which was already there when her ACL was added.

Neither can Bob edit Alice's file, which, again, is as it should be.

I seem to be misunderstanding two things:

  1. The significance of x vs. X, at least when it comes to ACLs. Why is Alice getting execute permissions on the existing file here?

  2. The significance of ACL default vs. non-default rules, since adding an ACL entry with X makes existing files executable, but not new files.

What would be the correct command to achieve the intended result?

bobsoap
  • Some quick Google searches seem to indicate that there's no binary encoding for `X` so for `setfacl` it's stored the same as `x`. It seems like `X` is a shortcut with `chmod` so you can do `chmod g+X *` and it will add an `x` to the group permission for directories or files that already have an `x` permission but not touch files that don't have an `x` elsewhere. – Tim Tisdall Oct 27 '22 at 12:48
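The sequence in the question, replayed against a small model of the ACL rules involved; this is an added example, not the poster's or the setfacl project's code. It encodes the setfacl man page's rule that `X` becomes `x` only for a directory or an object where some entry already has `x`, the recomputation of the mask after `-m`, and the POSIX rule for files created under a default ACL (named entries inherited verbatim, `user::`, `other::` and the mask ANDed with the create mode). The assumption that the `X` check reads the stored entries without applying the mask is mine; under it, bobfile's inherited `user:bob:rwx` and `group::r-x` entries are what make alice's `rwX` land as `rwx` on the existing file while a file she creates later stays non-executable.

```python
# Model of the POSIX ACL rules Linux setfacl follows, added for this question (not
# the poster's code).  ACL = dict: entry key ("user::", "user:bob:", ...) -> set of "rwx".

def from_bits(bits):
    return {p for p, bit in zip("rwx", (4, 2, 1)) if bits & bit}

def inherit(default_acl, create_mode=0o666):
    """New file under a default ACL: named entries are copied verbatim; user::,
    other:: and the mask (or group:: if no mask) are ANDed with the create mode."""
    acl = {k: set(v) for k, v in default_acl.items()}
    acl["user::"] &= from_bits(create_mode >> 6 & 7)
    acl["other::"] &= from_bits(create_mode & 7)
    acl["mask::" if "mask::" in acl else "group::"] &= from_bits(create_mode >> 3 & 7)
    return acl

def modify(acl, key, spec, is_dir=False):
    """setfacl -m on one object.  X becomes x only if the object is a directory or
    some stored entry already has x (assumption: the mask is not consulted, so a
    masked-out x still counts).  The mask is then recomputed as union(group::, named)."""
    perms = set(spec.replace("X", ""))
    if "X" in spec and (is_dir or any("x" in p for p in acl.values())):
        perms.add("x")
    acl = {**acl, key: perms}
    named = [k for k in acl if k.startswith(("user:", "group:")) and k != "user::"]
    acl["mask::"] = set().union(*(acl[k] for k in named))
    return acl

def effective(acl, who, owner):
    """Owner: user::, unmasked.  Others: named entry, else group:: (all are in foo), & mask."""
    if who == owner:
        return acl["user::"]
    return acl.get(f"user:{who}:", acl["group::"]) & acl.get("mask::", set("rwx"))

def ls_mode(acl):
    """ls shows the mask, not group::, in the middle triplet when a mask exists."""
    shown = (acl["user::"], acl.get("mask::", acl["group::"]), acl["other::"])
    return "".join(p if p in s else "-" for s in shown for p in "rwx")

def reproduce():
    foo_default = {"user::": set("rwx"), "group::": set("rx"), "other::": set()}  # after d:u::rwX
    foo_default = modify(foo_default, "user:bob:", "rwX", is_dir=True)
    bobfile = inherit(foo_default)                   # bob: touch foo/bobfile
    before = ls_mode(bobfile)                        # rw-rw----, as in the question
    bobfile = modify(bobfile, "user:alice:", "rwX")  # -R applies this to the existing file
    foo_default = modify(foo_default, "user:alice:", "rwX", is_dir=True)
    alicefile = inherit(foo_default)                 # a file alice creates afterwards
    return {"bobfile_before": before, "bobfile_after": ls_mode(bobfile),
            "alice_on_bobfile": effective(bobfile, "alice", "bob"),
            "bob_on_bobfile": effective(bobfile, "bob", "bob"),
            "alice_on_alicefile": effective(alicefile, "alice", "alice")}
```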
