I have a query regarding default ACLs. Below is an exercise that shows my query.
# Created 2 users, navin & ramanuja.
# Ramanuja belongs to the account group.
[root@localhost ~]# groups navin
navin : navin sales
[root@localhost ~]# groups ramanuja
ramanuja : ramanuja account
[root@localhost ~]# mkdir -p /data/sales
[root@localhost ~]# chown root:sales /data/sales
[root@localhost ~]# chmod 770 /data/sales
[root@localhost ~]# chmod g+s /data/sales (setting SGID)
[root@localhost data]# ls -l
drwxrws---. 2 root sales 4096 Jan 12 21:48 sales
[root@localhost /]# ls -l | grep data
drwxr-xr-x. 4 root root 4096 Jan 12 21:48 data
Setting an ACL on the /data/sales directory
[root@localhost data]# setfacl -m g:account:rx /data/sales/
[root@localhost data]# getfacl /data/sales/
getfacl: Removing leading '/' from absolute path names
# file: data/sales/
# owner: root
# group: sales
# flags: -s-
user::rwx
group::rwx
group:account:r-x
mask::rwx
other::---
Setting Default ACL
[root@localhost data]# setfacl -m d:g:account:rwx /data/sales/
[root@localhost data]# getfacl /data/sales/
getfacl: Removing leading '/' from absolute path names
# file: data/sales/
# owner: root
# group: sales
# flags: -s-
user::rwx
group::rwx
group:account:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:account:rwx
default:mask::rwx
default:other::---
The user ramanuja (member of the account group) cannot create/delete any file inside the /data/sales directory. But he is able to modify the contents of any file (r1.txt) created by root inside the /data/sales directory.
Surprisingly, the user ramanuja can create a file rama1.txt inside the directory /data/sales/dir1 (dir1 was created by root).
[root@localhost sales]# ls -l
total 8
drwxrws---+ 2 root sales 4096 Jan 12 22:01 dir1
[root@localhost sales]# ls -l dir1/
total 16
-rw-rw----+ 1 root sales 7 Jan 12 22:04 r1.txt
-rw-rw----+ 1 ramanuja sales 9 Jan 12 22:03 rama1.txt
[ramanuja@localhost sales]$ mkdir dir2
mkdir: cannot create directory `dir2': Permission denied
QUERY:
getfacl shows in its default ACL entry that the account group has rwx on /data/sales. So why can the user ramanuja not create any file/dir inside the /data/sales directory, but is able to create a file inside /data/sales/dir1/? And also he cannot create a directory (dir2) inside /data/sales.
I am using CentOS 6.4. The file system is ext4.
Thanks.
-navin
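As an added example (not part of navin's post), the Python below parses the second getfacl listing above and keeps access entries apart from default entries, which is the distinction behind the observed behaviour: the access entries govern /data/sales itself, while default entries are only copied onto objects created inside it, ANDed with the mode bits the creating call requests. The inheritance rule implemented is the POSIX.1e one Linux follows; the creation modes 0o777 for mkdir and 0o666 for a regular file are the usual defaults and are assumed here.

```python
# ACL entries copied from the question's second getfacl listing (header lines omitted)
GETFACL_OUTPUT = """\
user::rwx
group::rwx
group:account:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:account:rwx
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Split a getfacl listing into (access, default) dicts keyed (tag, qualifier)."""
    access, default = {}, {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            target = access
            if line.startswith("default:"):
                target, line = default, line[len("default:"):]
            tag, qualifier, perms = line.split(":")
            target[(tag, qualifier)] = perms
    return access, default

def and_perms(a, b):
    """Positional AND of two rwx strings: and_perms("r-x", "rwx") == "r-x"."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))

def effective_perms(acl, group):
    """What a member of a named group really gets: its entry ANDed with mask::."""
    perms = acl.get(("group", group))
    return None if perms is None else and_perms(perms, acl.get(("mask", ""), "rwx"))

def can_create_inside(acl, group):
    """Creating a file or subdirectory needs both w and x on the directory."""
    return set("wx") <= set(effective_perms(acl, group) or "")

def inherited_acl(default, mode):
    """Access ACL a new child gets from a default ACL (POSIX.1e): entries are copied,
    then user::, mask:: (group:: if no mask) and other:: are ANDed with the mode bits."""
    def bits(shift):
        b = (mode >> shift) & 7
        return "".join(c if b & v else "-" for c, v in (("r", 4), ("w", 2), ("x", 1)))
    child = dict(default)
    group_key = ("mask", "") if ("mask", "") in child else ("group", "")
    for key, shift in ((("user", ""), 6), (group_key, 3), (("other", ""), 0)):
        child[key] = and_perms(child[key], bits(shift))
    return child
```

With the listing from the question, the account group ends up with r-x on /data/sales itself (no w, so no creating or deleting entries there), rwx on a subdirectory created afterwards, and rw- on a new regular file, which matches the -rw-rw----+ shown for r1.txt and rama1.txt.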