Using ACLs on Linux can be confusing at times. Setting ACL permissions is quite straightforward (using the setfacl
command-line utility), but you might find that your permissions are not always honored. The culprit behind this is the mask entry.
E.g. let's assume you have a directory owned by the myexample user and its permissions look like this:
$ getfacl mydir
# file: mydir
# owner: myexample
# group: myexample
Now if you upload a file (via SFTP) to this directory as the myexample user, the file's ACL entries will look like this:
# file: mydir/test.txt
# owner: myuser
# group: myuser
Notice the effective permissions, which are calculated by ANDing each named user entry and each group entry with the mask. Why was the mask set like that? The reason is the SFTP server. It sets permissions on the newly uploaded file, but it does not know about ACLs: the SFTP server (MySecureShell in my case) simply chmods the file to "rw-r-----" (i.e. 0640). On a file that carries an ACL mask entry, the group bits of a chmod mode are applied to the mask entry rather than to the owning group entry (see acl(5)), so the kernel set "mask::r--" and every named user and group entry was capped at read-only.
To fix problems like this you can either set the ACL mask entry "manually" ... or simply execute the following on the affected directory tree:
setfacl -R --mask -m m::--- mydir
This will recalculate the ACL mask as the union of all named user (ACL) permissions and all group permissions (both the owning group and named ACL groups). Since
setfacl requires some ACL operation in its parameters, I've specified that an empty ACL mask entry should be set. This has no actual effect (it's just there to satisfy
setfacl's command-line syntax), since
--mask forces the mask to be recalculated even when a mask entry was given explicitly. Note that this only repairs the files already on disk: the next upload goes through the same chmod and gets the same "mask::r--" again, so the command has to be re-run after new uploads.
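To make the two rules above concrete (a chmod's group bits landing in the mask entry, and --mask rebuilding the mask as a union), here is an added example that is not part of the original post and not code from setfacl or MySecureShell. It models the relevant acl(5) semantics in Python and replays the scenario offline: the named user www-data, the file name and the starting ACL of the uploaded file are assumptions, and only access ACL entries (no "default:" entries) are handled.

```python
# Added example: a small model of the POSIX ACL mask rules from acl(5).
# Names (www-data, test.txt) and the starting ACL are assumptions, not
# taken from the original post. Only access ACL entries are modelled.

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm: str) -> int:
    """'rw-' -> 6 (the rwx string that getfacl prints)."""
    return sum(b for ch, b in PERM_BITS.items() if ch in perm)


def bits_to_perm(bits: int) -> str:
    """6 -> 'rw-'."""
    return "".join(ch if bits & b else "-" for ch, b in PERM_BITS.items())


def parse_getfacl(text: str) -> list:
    """Parse getfacl long output into (tag, qualifier, bits) tuples.
    '# file:' headers and '#effective:' annotations are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if not line:
            continue
        tag, qualifier, perm = line.split(":")   # access ACL entries only
        entries.append((tag, qualifier, perm_to_bits(perm)))
    return entries


def mask_bits(entries: list):
    """Bits of the mask:: entry, or None if the ACL has no mask."""
    return next((b for t, _, b in entries if t == "mask"), None)


def effective_rights(entries: list) -> dict:
    """Per acl(5): named users, the owning group and named groups are ANDed
    with mask::; user:: and other:: are never masked."""
    mask = mask_bits(entries)
    result = {}
    for tag, qual, bits in entries:
        masked = mask is not None and (qual != "" or tag == "group")
        result[f"{tag}:{qual}"] = bits & mask if masked else bits
    return result


def apply_chmod(entries: list, mode: int) -> list:
    """What chmod(mode) does to a file that carries an ACL: owner bits go to
    user::, other bits to other::, and the group bits go to mask:: when a
    mask entry exists (otherwise to group::). This is why the SFTP server's
    chmod 0640 turned the mask into r--."""
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = mask_bits(entries) is not None
    out = []
    for tag, qual, bits in entries:
        if tag == "user" and qual == "":
            bits = owner
        elif tag == "other":
            bits = other
        elif tag == "mask":
            bits = group
        elif tag == "group" and qual == "" and not has_mask:
            bits = group
        out.append((tag, qual, bits))
    return out


def recalc_mask(entries: list) -> list:
    """setfacl --mask: mask:: becomes the union of the owning group, all named
    users and all named groups. The current mask value is irrelevant, which is
    why the '-m m::---' in the post's command is harmless."""
    union = 0
    for tag, qual, bits in entries:
        if qual != "" or tag == "group":
            union |= bits
    return [(t, q, union if t == "mask" else b) for t, q, b in entries]


def render(entries: list) -> str:
    """getfacl-style text with #effective annotations where rights are cut."""
    eff = effective_rights(entries)
    lines = []
    for tag, qual, bits in entries:
        line = f"{tag}:{qual}:{bits_to_perm(bits)}"
        if eff[f"{tag}:{qual}"] != bits:
            line += f"\t#effective:{bits_to_perm(eff[f'{tag}:{qual}'])}"
        lines.append(line)
    return "\n".join(lines)


# Constructed ACL of the freshly uploaded file, as inherited from the
# directory's default ACL and before the server's chmod (assumption).
UPLOADED = """\
# file: mydir/test.txt
user::rw-
user:www-data:rw-
group::r--
mask::rw-
other::---
"""


def demo() -> tuple:
    """Replay: chmod 0640 caps www-data at r--, --mask restores rw-."""
    inherited = parse_getfacl(UPLOADED)
    after_chmod = apply_chmod(inherited, 0o640)   # what the SFTP server did
    fixed = recalc_mask(after_chmod)              # setfacl -R --mask -m m::---
    return (bits_to_perm(mask_bits(after_chmod)),
            bits_to_perm(effective_rights(after_chmod)["user:www-data"]),
            bits_to_perm(mask_bits(fixed)),
            bits_to_perm(effective_rights(fixed)["user:www-data"]))


if __name__ == "__main__":
    steps = parse_getfacl(UPLOADED)
    for label, acl in (("inherited", steps),
                       ("after chmod 0640", apply_chmod(steps, 0o640)),
                       ("after --mask", recalc_mask(apply_chmod(steps, 0o640)))):
        print(f"--- {label}\n{render(acl)}")
```

Running it prints the three stages: the inherited ACL, the post-chmod ACL with "user:www-data:rw-  #effective:r--", and the repaired ACL where the mask is back to rw- and no #effective annotations remain. The same model shows why a file without a mask entry behaves differently: there the chmod group bits land in group:: instead.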