I want to create a directory, in which all files are read/writeable by a specific set of users. This should work for new files/dirs in this directory, as well as for files/dirs copied to this directory.

Now I am confused about the ACL mask. I tried the following:

Create a Directory with the following ACL:

```
$ getfacl dirWithAcl 
# file: dirWithAcl
# owner: rainer
# group: users
user::rwx
user:nobody:rwx
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:nobody:rwx
default:group::rwx
default:mask::rwx
default:other::r-x
```

With this, creating files and directories inside dirWithAcl works fine.

However, now I create a test folder outside of this folder. As expected it has the following permissions, according to my umask:

```
drwxr-xr-x  2 rainer users 4.0K Sep 11 08:21 testdir/
```

When I now copy this folder to dirWithAcl, using `cp -r testdir dirWithAcl`, the copy has the following ACL:

```
getfacl testdir 
# file: testdir
# owner: rainer
# group: users
user::rwx
user:nobody:rwx         #effective:r-x
group::rwx          #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:nobody:rwx
default:group::rwx
default:mask::rwx
default:other::r-x
```

The mask has been set to r-x. It seems like the group permission of the original testdir directory was first converted into the mask, and only after that was the default group applied.

If I now again set the group permission of the copy to rwx (which it actually already is), the mask gets suddenly updated to the correct value:

```
$ setfacl -m "group::rwx" testdir 
$ getfacl testdir 
# file: testdir
# owner: rainer
# group: users
user::rwx
user:nobody:rwx
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:nobody:rwx
default:group::rwx
default:mask::rwx
default:other::r-x
```

Could someone please explain this behavior? I would also be happy to be redirected to some more detailed explanation about ACLs than the manpage.

Additionally, I wonder if it is possible to have the group rights of all files in the folder set to --- and only have ACLs control the permissions, with new and copied files all getting mask:rwx.

Thanks for any help on this :)

Rainer

1 Answer

To copy ACLs from one directory to another, you have to instruct cp to do that, using the `-a` switch. In other words, use `cp -a src dst`.

EDIT: The inherited ACLs will not grant permissions which the file does not originally have. In other words, if the source file does not have the group write permission, it will not inherit the permission by simply moving it inside your ACL-enabled directory.

shodanshok
  • Thanks for the answer, but I do not want to copy the ACL from `testdir`, I want to *inherit* the ACL from `dirWithAcl` when copying files *without* ACLs into it. When I use `cp -a testdir dirWithAcl/` it makes matters even worse, as the ACLs of `dirWithAcl` are not even inherited in this case. – Rainer Sep 11 '16 at 07:13
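
Added example, not part of the question, the answer or the comment above: a small Python model of the creation rules in acl(5), showing why the copy ends up with `mask::r-x` and why `setfacl -m` restores `mask::rwx`. The function names are hypothetical, and it assumes `cp -r` requests the source directory's mode (0755) when it creates the copy, which matches the output in the question.

```python
# Added illustration of the acl(5) creation rules; not code from the thread.
PERM = {"r": 4, "w": 2, "x": 1}

def bits(s):                      # "r-x" -> 5
    return sum(PERM[c] for c in s if c in PERM)

def text(b):                      # 5 -> "r-x"
    return "".join(c if b & PERM[c] else "-" for c in "rwx")

def in_group_class(key):          # named users, owning group, named groups
    return key.startswith("group:") or (key.startswith("user:") and key != "user::")

def inherit(default_acl, create_mode):
    """Access ACL of an object created with create_mode under a directory
    that has default_acl. The umask plays no part when a default ACL exists."""
    acl = dict(default_acl)
    acl["user::"] = text(bits(acl["user::"]) & (create_mode >> 6) & 7)
    acl["other::"] = text(bits(acl["other::"]) & create_mode & 7)
    # With a mask entry present, the mode's group bits cap the mask, not group::
    key = "mask::" if "mask::" in acl else "group::"
    acl[key] = text(bits(acl[key]) & (create_mode >> 3) & 7)
    return acl

def effective(acl):
    """Group-class entries as getfacl reports them (#effective:...)."""
    mask = bits(acl.get("mask::", "rwx"))
    return {k: text(bits(v) & mask) for k, v in acl.items() if in_group_class(k)}

def recalc_mask(acl):
    """setfacl -m without -n: mask becomes the union of group-class entries."""
    union = 0
    for k, v in acl.items():
        if in_group_class(k):
            union |= bits(v)
    return {**acl, "mask::": text(union)}

# Default ACL of dirWithAcl, taken from the question
DEFAULT = {"user::": "rwx", "user:nobody:": "rwx", "group::": "rwx",
           "mask::": "rwx", "other::": "r-x"}

if __name__ == "__main__":
    copied = inherit(DEFAULT, 0o755)   # assumed: cp -r reuses testdir's mode 0755
    print("cp -r  :", copied["mask::"], effective(copied))
    print("mkdir  :", inherit(DEFAULT, 0o777)["mask::"])   # mkdir requests 0777
    print("setfacl:", recalc_mask(copied)["mask::"])
```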