ACL permission mask problems on linux
Wed, 2013.03.20 - 13:20 — müzso
Using ACLs on linux can be confusing at times. Setting ACL permissions is quite straightforward (using the
Eg. let's assume you've a directory owned by the myexample user and it's permissions are like this:
Now if you upload (via SFTP) a file to this directory using the myexample user, the files ACL entries will look like this:
Notice the effective permissions which are calculated based on the mask. Why was the mask set like that? The reason is the SFTP server. It sets permissions on the newly uploaded file, but does not know much about ACLs. The SFTP server (MySecureShell in my case) set the generic permissions of "rw-r----" (i.e. 0640) and for some reason the kernel set the ACL mask entry to "mask::r--".
To fix problems like this you can either set the ACL mask entry "manually" ... or simply execute the following on the affected directory tree:
This will recalculate the ACL mask based on the union of all named user (ACL) permissions and all group permissions (both the owner group and ACL groups). Since
setfacl commandline utility), but you might find that your permissions are not always honored. The culprit behind this is the mask.Eg. let's assume you've a directory owned by the myexample user and it's permissions are like this:
$ getfacl mydir
# file: mydir
# owner: myexample
# group: myexample
user::rwx
user:www-data:r-x
user:otheruser:rwx
user:myexample:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:www-data:r-x
default:user:otheruser:rwx
default:user:myexample:rwx
default:group::rwx
default:mask::rwx
default:other::---Now if you upload (via SFTP) a file to this directory using the myexample user, the files ACL entries will look like this:
# file: mydir/test.txt
# owner: myuser
# group: myuser
user::rw-
user:www-data:r-x #effective:r--
user:otheruser:rwx #effective:r--
user:myuser:rwx #effective:r--
group::rwx #effective:r--
mask::r--
other::---Notice the effective permissions which are calculated based on the mask. Why was the mask set like that? The reason is the SFTP server. It sets permissions on the newly uploaded file, but does not know much about ACLs. The SFTP server (MySecureShell in my case) set the generic permissions of "rw-r----" (i.e. 0640) and for some reason the kernel set the ACL mask entry to "mask::r--".
To fix problems like this you can either set the ACL mask entry "manually" ... or simply execute the following on the affected directory tree:
setfacl -R --mask -m m::--- mydirThis will recalculate the ACL mask based on the union of all named user (ACL) permissions and all group permissions (both the owner group and ACL groups). Since
setfacl requires some ACL operation in its parameters, I've specified that an empty ACL mask entry should be set. This will have no actual effect (it's just there to satisfy setfacl's commandline requirements/syntax) since --mask will cause the ACL mask to be recalculated.
All of my own contents here (if not noted otherwise) are licensed under the
Creative Commons Attribution-NonCommercial-ShareAlike 4.0 License. My posts reflect my personal opinion and shall not be associated with any of my employers.
Creative Commons Attribution-NonCommercial-ShareAlike 4.0 License. My posts reflect my personal opinion and shall not be associated with any of my employers.
Recent comments
1 year 42 weeks ago
3 years 11 weeks ago
3 years 12 weeks ago
3 years 13 weeks ago
3 years 14 weeks ago
3 years 21 weeks ago
3 years 21 weeks ago
3 years 21 weeks ago
3 years 21 weeks ago
3 years 22 weeks ago