2

I am trying to extend ACLs across sub directories that are being created under a parent but for some reason one of my groups is being switched to #effective r-x and the mask is being changed. Any ideas? is there some default umask?

Administrator@MyServer ~
$ setfacl -m d:u:Someuser:r-- somedir

Administrator@MyServer ~
$ getfacl somedir/
# file: somedir/
# owner: Administrator
# group: None
user::rwx
group::r-x
group:user1:r-x
group:user2:rwx          
mask:rwx
other:r-x
default:user::rwx
default:group::r-x
default:group:user1:r-x
default:group:user2:rwx
default:mask:rwx
default:other:r-x

-mkdir /somedir/somedir

Administrator@MyServer ~
$ getfacl somedir/somedir
# file: somedir/somedir
# owner: Administrator
# group: None
user::rwx
group::r-x
group:user1:r-x
group:user2:rwx      #effective:r-x       
mask:r-x
other:r-x
default:user::rwx
default:group::r-x
default:group:user1:r-x
default:group:user2:rwx
default:mask:rwx
default:other:r-x
John Williams
  • 21
  • 3

1 Answers1

1

Are you absolutely sure that you have used mkdir somedir/somedir and not used the -poption like mkdir -p somedir/somedir ?

Because mkdir -p has a nasty bug on distribution <= 2014 (coreutils < 8.22), see Conflicts between ACLs and umask

The ACL entries applicable for subdirectories are default: and mask:

$ getfacl somedir/
default:group:user1:r-x
default:group:user2:rwx
default:mask:rwx
default:other:r-x

The default:mask:rwx, so the sub directory should have been:

group:user1:r-x
group:user2:rwx
mask:rwx

But mask is mask:r-x, so the permission lowered to r-x:

group:user2:rwx      #effective:r-x  
mask:r-x

For a better understanding of the relation between Unix group permission and ACL, read Why does chmod(1) on the group affect the ACL mask?

Conclusion

  • Don't use mkdir -p when you use ACLs (unless you run Debian/Jesise, RHEL7...)
  • Fix your problem with chmod g+w somedir/somedir or setfacl -m mask:rwx somedir/somedir
Community
  • 1
Franklin Piat
  • 806
  • 8
  • 24