32

I'm setting up a new server and wanted to give ACL a shot over the chown:chgrp:chmod style permissions.

The man page for setfacl indicates that the '-R' option can be used to set the ACL recursively on files and directories.

-R, --recursive Apply operations to all files and directories recursively. This option cannot be mixed with ‘--restore’.

If my directory layout looks like this

test/
   subtest/
   subtest.txt

and I execute

setfacl -Rm d:u:foo:rwX test

The ACL takes effect on the 'subtest' directory, but not the subtest.txt file.

I think I can use find + exec to work around it, but I plan to use this server to train a few other admins and I am wanting to keep it as simple as possible so we don't get hung up on some of the more advanced conventions.

Thanks

Franklin Piat
Joe Holloway

1 Answer

65

Try:

setfacl --recursive --modify u:foo:rwX,d:u:foo:rwX test

to modify the current ACL as well as the default. I believe "d:" only affects the (d)efault ACL of directories and leaves files untouched. Then, if you create a new file in the directory, it inherits the ACL of its parent directory via the default.

Dennis Williamson
  • That makes sense even if it feels a bit redundant – Joe Holloway May 02 '09 at 23:00
  • 1
    Does this work for removing access control as well? Perhaps something to the effect of: sudo setfacl -Rx g:gid path –  Jan 04 '12 at 21:39
  • 1
    Why does changing places between the `-R` and `-m` flags break the command? – pkaramol Mar 02 '19 at 09:08
  • 1
    @pkaramol: Because the `-m` option takes an argument (the ACL spec `u:foo:rwX,d:u:foo:rwX` in this case) and switching the order of the options separates the option from its argument. It may also be that `setfacl` is coded to expect its main options first. – Dennis Williamson Mar 02 '19 at 13:33
  • 4
    More readable version of command: `setfacl --recursive --modify user:foo:rwX,default:user:foo:rwX test`. Today I learned the capital X is important for setting the eXecute permission for just folders and not every single file. Lower-case x sets the execute permission for folders and files. – browly Jul 16 '20 at 16:59
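
One way to check which paths a recursive `setfacl` actually changed, added here as an example (it is not part of the original question or answer): the script parses `getfacl -R` output and reports, per path, whether user foo has an access entry and whether a default entry is set. The sample input is constructed to match the state left by the question's command; the function names `sample_default_only` and `acl_report` and the owner name "joe" are assumptions.

```shell
# Added example. Constructed `getfacl -R test` output for the state left by
# `setfacl -Rm d:u:foo:rwX test`; the owner/group name "joe" is made up.
sample_default_only() {
    cat <<'EOF'
# file: test
# owner: joe
# group: joe
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:foo:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

# file: test/subtest
# owner: joe
# group: joe
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:foo:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

# file: test/subtest.txt
# owner: joe
# group: joe
user::rw-
group::r--
other::r--
EOF
}

# acl_report USER: read `getfacl -R` output on stdin and print, per path,
# whether USER has an access entry and whether a default entry exists.
acl_report() {
    awk -v u="$1" '
        function emit() { if (path != "") print path, "access=" a, "default=" d }
        /^# file: / { emit(); path = substr($0, 9); a = d = "no"; next }
        index($0, "user:" u ":") == 1         { a = "yes" }
        index($0, "default:user:" u ":") == 1 { d = "yes" }
        END { emit() }
    '
}
sample_default_only | acl_report foo
```

On a real tree, run `getfacl -R test | acl_report foo`. After the answer's command every path should show `access=yes`, with `default=yes` on directories only.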