LinuxQuestions.org

LinuxQuestions.org > Linux - Security > Why does the ACL of a file created under a directory differ from the default ACL (https://www.linuxquestions.org/questions/linux-security-4/why-does-the-acl-of-a-file-created-under-a-directory-differ-from-the-default-acl-916602/)

sctebnt 12-01-2011 01:15 PM

Why does the ACL of a file created under a directory differ from the default ACL
 
I would like to have all files created within a directory contain an ACL based on the default defined for the directory. However, each file I create is assigned an ACL that is different (it has effective rights lower than the directory's and has other's rights set differently than the default).

What causes this difference?

Is there something I can do to ensure the files get exactly what I have as the default ACL?

Why are the effective rights different than the defined ACL rights until I run a setfacl -m command again?

Here is what I have done:

Code:

a17171@lsbita02:~/testing> getfacl .
# file: .
# owner: a17171
# group: gtbrav2
user::rwx
group::r-x
other::r-x

a17171@lsbita02:~/testing> mkdir mydir
a17171@lsbita02:~/testing> setfacl -d -m u:ndvr:rwx,g:migration:rwx,o:rx mydir
a17171@lsbita02:~/testing> setfacl -m u:ndvr:rwx,g:migration:rwx,o:rx mydir
a17171@lsbita02:~/testing> getfacl mydir
# file: mydir
# owner: a17171
# group: gtbrav2
user::rwx
user:ndvr:rwx
group::r-x
group:migration:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:ndvr:rwx
default:group::r-x
default:group:migration:rwx
default:mask::rwx
default:other::r-x

a17171@lsbita02:~/testing> cd mydir
a17171@lsbita02:~/testing/mydir> touch myfile
a17171@lsbita02:~/testing/mydir> getfacl myfile
# file: myfile
# owner: a17171
# group: gtbrav2
user::rw-
user:ndvr:rwx                  #effective:rw-
group::r-x                      #effective:r--
group:migration:rwx            #effective:rw-
mask::rw-
other::r--

a17171@lsbita02:~/testing/mydir> setfacl -m o:rx myfile
a17171@lsbita02:~/testing/mydir> getfacl myfile
# file: myfile
# owner: a17171
# group: gtbrav2
user::rw-
user:ndvr:rwx
group::r-x
group:migration:rwx
mask::rwx
other::r-x

a17171@lsbita02:~/testing/mydir>


kbscores 12-01-2011 01:50 PM

I just did:
Code:

setfacl -d -m u:testUser:rwx apples/
and it worked.

I think the second setfacl on mydir/ is what is messing it up. Also you should use --

sctebnt 12-01-2011 02:03 PM

I tried your suggestion and I am still not getting the expected value for the other's rights. I expected other to have r-x but am only getting r.

Here is how I tried your idea (not running the 2nd setfacl command):

Code:

a17171@lsbita02:~/testing> mkdir mydir3
a17171@lsbita02:~/testing> setfacl -d -m u:ndvr:rwx,g:migration:rwx,o:rx mydir3
a17171@lsbita02:~/testing> cd mydir3
a17171@lsbita02:~/testing/mydir3> getfacl .
# file: .
# owner: a17171
# group: gtbrav2
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:ndvr:rwx
default:group::r-x
default:group:migration:rwx
default:mask::rwx
default:other::r-x

a17171@lsbita02:~/testing/mydir3> touch myfile
a17171@lsbita02:~/testing/mydir3> getfacl myfile
# file: myfile
# owner: a17171
# group: gtbrav2
user::rw-
user:ndvr:rwx                  #effective:rw-
group::r-x                      #effective:r--
group:migration:rwx            #effective:rw-
mask::rw-
other::r--

a17171@lsbita02:~/testing/mydir3>


kbscores 12-01-2011 02:09 PM

Wait - I see now - Most likely it has to do with umask. - When a new file is created it takes 666 instead of 777 -- if you make a directory and it comes out correct then it most likely is a bug with setfacl - which after testing it looks like it is the case.

Well -- technically not a bug seeing as that is how it is intended for new files.

sctebnt 12-01-2011 05:00 PM

Thanks, I now see why it is not possible to have the execute permission part of a file's default. Here is a little more information showing why.

Permissions and their bits
0-000 none
1-001 x
2-010 w
3-011 wx
4-100 r
5-101 rx
6-110 rw
7-111 rwx

If we have a umask value for other of 2 then the following will occur.

010 2 mask
101 5 complement of mask
110 6 system file access (directories use 7)

100 4 resulting and of the complement mask and system value (read only)

Looking at the above chart, we can see it is never possible for the default permissions to include x (execute), since the system value of 6 (110) contains a 0 in the execute bit position (001, 011, 111). It is impossible to "and" a 0 with anything and get a 1 (execute bit).

So in the end, if you create a file for execution, you must always run the chmod or setfacl command to force the execute permission bit to be on.

Please feel free to correct me on anything I missed, I am still a Linux newbie.

kbscores 12-02-2011 08:13 AM

Sorry - yea when a new file is created umask is subtracted from 666 so you can have anything 6 or less - which is slightly frustrating. They do it for security purposes, but it would sure be nice to create a script in a script folder and have it run without having to change permissions.
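The inheritance rule the thread works out by hand can be modelled in a few lines. The following is an added illustration, not code from the thread or from the acl package: it parses getfacl-style output, applies the POSIX.1e default-ACL rule (every default entry is copied, then the create mode, 0666 for touch/open or 0777 for mkdir, is ANDed into user::, mask:: and other::, with umask not applied when the parent has a default ACL), reports the same `#effective:` column getfacl shows, and reproduces what `setfacl -m` does to the mask. The sample ACL is sctebnt's mydir listing; function and variable names are the example's own.

```python
"""Model of POSIX.1e default-ACL inheritance (added illustration, not tooling from the thread).

Rules modelled:
  * every 'default:' entry of the parent is copied to the new object's access ACL;
  * the create mode (0666 for touch/open, 0777 for mkdir) is ANDed into user::,
    mask:: (or group:: when there is no mask) and other:: -- umask is NOT applied
    when the parent carries a default ACL;
  * getfacl's '#effective:' column is entry & mask for named entries and group::;
  * 'setfacl -m' (without -n) recomputes mask:: as the union of group:: and all
    named user/group entries.
"""
R, W, X = 4, 2, 1


def parse_perm(text):
    return (R if "r" in text else 0) | (W if "w" in text else 0) | (X if "x" in text else 0)


def perm_str(bits):
    return ("r" if bits & R else "-") + ("w" if bits & W else "-") + ("x" if bits & X else "-")


def parse_acl(text, default=False):
    """Parse getfacl output into [(tag, qualifier, bits)]; keep only the
    'default:' entries when default=True, only the access entries otherwise."""
    acl = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        is_default = parts[0] == "default"
        if is_default:
            parts = parts[1:]
        if is_default != default:
            continue
        tag, qual, perm = parts
        acl.append((tag, qual, parse_perm(perm)))
    return acl


def mask_of(acl):
    return next((p for t, _, p in acl if t == "mask"), None)


def inherit(default_acl, create_mode):
    """Access ACL a new object gets from its parent's default ACL."""
    owner, group, other = (create_mode >> 6) & 7, (create_mode >> 3) & 7, create_mode & 7
    has_mask = mask_of(default_acl) is not None
    acl = []
    for tag, qual, perm in default_acl:
        if tag == "user" and not qual:
            perm &= owner
        elif tag == "mask" or (tag == "group" and not qual and not has_mask):
            perm &= group
        elif tag == "other":
            perm &= other
        acl.append((tag, qual, perm))
    return acl


def effective(acl):
    """(tag, qual, bits, effective_bits) as getfacl reports them."""
    mask = mask_of(acl)
    out = []
    for tag, qual, perm in acl:
        limited = mask is not None and (qual or tag == "group")
        out.append((tag, qual, perm, perm & mask if limited else perm))
    return out


def setfacl_modify(acl, tag, qual, perm_text, recalc_mask=True):
    """setfacl -m tag:qual:perm; the mask is recomputed unless -n (recalc_mask=False)."""
    bits = parse_perm(perm_text)
    new = [(t, q, bits if (t, q) == (tag, qual) else p) for t, q, p in acl]
    if (tag, qual) not in [(t, q) for t, q, _ in acl]:
        new.append((tag, qual, bits))
    if recalc_mask and mask_of(new) is not None:
        union = 0
        for t, q, p in new:
            if q or t == "group":          # named entries and the owning group
                union |= p
        new = [(t, q, union if t == "mask" else p) for t, q, p in new]
    return new


def format_acl(acl):
    lines = []
    for tag, qual, perm, eff in effective(acl):
        line = f"{tag}:{qual}:{perm_str(perm)}"
        if eff != perm:
            line += f"  #effective:{perm_str(eff)}"
        lines.append(line)
    return "\n".join(lines)


# Constructed sample: the ACL sctebnt set on mydir (access and default entries).
MYDIR_GETFACL = """\
user::rwx
user:ndvr:rwx
group::r-x
group:migration:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:ndvr:rwx
default:group::r-x
default:group:migration:rwx
default:mask::rwx
default:other::r-x
"""

if __name__ == "__main__":
    default_acl = parse_acl(MYDIR_GETFACL, default=True)
    print("touch myfile  (create mode 0666):")
    print(format_acl(inherit(default_acl, 0o666)))
    print("\nmkdir sub  (create mode 0777):")
    print(format_acl(inherit(default_acl, 0o777)))
    print("\nsetfacl -m o:rx myfile:")
    print(format_acl(setfacl_modify(inherit(default_acl, 0o666), "other", "", "rx")))
```

Running it prints the file ACL from the thread (mask::rw-, other::r--, named entries limited to rw-), the directory case where nothing is clipped, and the rwx mask that reappears after `setfacl -m o:rx`, which is the mask recalculation the OP's third question was about. When deciding what to audit, the useful check is the `#effective:` column rather than the entry text: a named `rwx` entry under an `rw-` mask grants no execute, so a file that must be executable still needs an explicit chmod or setfacl after creation, exactly as the thread concludes.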

