mikemrh9 06-22-2005 08:04 PM

Default ACL and permissions inheritance
 
Hi.

I'm currently trying to get my head around using setfacl to set default permissions on a directory. I'm happy with most of it except for the fact that I can't get the execute permission to be inherited to files. I think I know why this is happening, but I would like to circumvent it.

I have created a directory 'parent' and set a default ACL on it as follows:

linux:/tmp # mkdir parent
linux:/tmp # setfacl -d -m user:mike:rwx parent

This gives the result:

linux:/tmp # getfacl parent
# file: parent
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:mike:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

So far, so good. If I create a subdirectory, all the default ACLs are inherited as expected. My question arises from the permissions granted on creation of a file in the directory 'parent':

linux:/tmp # cd parent
linux:/tmp/parent # touch script1

As far as I understand it, the umask value for the rest of the system (0022 on my box) is ignored because of the ACL inheritance from 'parent', and the new file (script1) is created with a mode of 0666. Permissions not contained in this mode value (i.e. 'x') are removed from the mask for the file. This means that the new mask for the file is set to rw-, leaving the following result:

linux:/tmp/parent # getfacl script1
# file: script1
# owner: root
# group: root
user::rw-
user:mike:rwx #effective:rw-
group::r-x #effective:r--
mask::rw-
other::r--

Because of this removal of the 'x' permission in the mask, mike now only has rw- to script1.
As the directory 'parent' will contain scripts that mike will be running, I would like mike to have 'x' permissions to all files in it.

Which brings me to my question:

Is there a way I can set the default ACL on 'parent' to give mike (and not members of 'users') 'rwx' to all files created in 'parent'?

I think that the right result could be achieved by setting the SUID or GUID bits, and removing all rights for 'other'. However, as I'm on a mission to understand the use of setfacl, I would like to know if it's possible to inherit the 'x' permission to files.

It may be that I can't see the wood for the trees, as I've been on this for a while now and my head is mashed!!

Mike.

mikemrh9 06-22-2005 08:44 PM

Upon further investigation, my solution of using SUID or GUID bits doesn't work anyway, as setfacl only appears to let you set 'rwx'. If you try 'rws' or 'rwS', it just throws a wobbly!

faitrien 02-18-2014 11:14 AM

I need to be able to make the created file rwx
 
did you ever get this resolved? I'm going nuts trying to find an answer to changing the mask on files that will be created in a directory and cannot seem to find the right way to use setfacl. I put in a new thread on it and had very little response. Here's the link to the thread I posted

http://www.linuxquestions.org/questi...175495231-new/

mikemrh9 02-18-2014 11:47 AM

Hi there.

I'm afraid that post was nearly 9 years ago and I really can't remember what I did in the end. I don't work in IT any more, so am a bit rusty to say the least. I would suggest that you try asking your question in the Arch Linux forums - there are a lot of knowledgeable and helpful people in there and somebody may be able to point you in the right direction.

All the best...

faitrien 02-18-2014 11:57 AM

Cheers Mike!
 
Thanks anyway

coniptor 07-05-2016 06:19 AM

Execute cannot be default set with umask or ACLs
 
This question is answered in a Stack Overflow question here:
https://stackoverflow.com/questions/...nce-using-acls

Relevant answer is as follows:
Even if umask/acl says that a file should have +x, it doesn't actually happen unless the application says the file should be executable (through flags in the open(2) syscall).

This is because it's not useful to give people +x on files by default -- mp3 and png files are not executable, and having the executable flag set just confuses users and tools.

If you instead mkdir a directory or compile an executable with gcc, the group will get +x because on directories and executables this makes sense.
Quoted from "that other guy".

I would have used the inbuilt link and quote functionality but it didn't load/work.

So you must add the execute bit manually to a script file when newly created unless the application you're using to create the file knows or can be instructed to add the execute bit during the file handle open operation.
You can also script applying +x with chmod or install.

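To make the mask behaviour described in this thread concrete, here is a small model of the rule from acl(5) that produces the getfacl output Mike posted: the parent's default ACL is copied to the new object, then the owner, mask and other entries are ANDed with the mode the creating program passes to open(2) or mkdir(2), and the umask is ignored. This is an added example written for this page, not code from the thread or from the acl package; the entry names mirror the parent ACL shown above.

```python
# Model of how Linux derives a new object's ACL from its parent's default ACL.
# Added example, not code from the thread. Rule per acl(5): copy the default
# ACL, then AND the owner entry with the owner bits of the creation mode, the
# mask entry (or the owning-group entry when no mask exists) with the group
# bits, and the other entry with the other bits. umask plays no part. Named
# users and all group entries are further limited by the mask ("effective").

R, W, X = 4, 2, 1

def parse_perms(s):
    """'rwx' / 'r-x' / 'rw-' -> integer 0..7."""
    return ((R if s[0] == "r" else 0) | (W if s[1] == "w" else 0)
            | (X if s[2] == "x" else 0))

def fmt_perms(p):
    return ("r" if p & R else "-") + ("w" if p & W else "-") + ("x" if p & X else "-")

def apply_default_acl(default_acl, mode):
    """default_acl: list of (tag, qualifier, perms) as getfacl shows them,
    without the 'default:' prefix. mode: the mode handed to the creating
    syscall (0o666 for touch/creat, 0o777 for mkdir or a compiler output).
    Returns a list of (tag, qualifier, perms, effective) strings."""
    acl = {(tag, q): parse_perms(p) for tag, q, p in default_acl}
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    acl[("user", "")] &= owner_bits
    if ("mask", "") in acl:
        acl[("mask", "")] &= group_bits   # this is what strips 'x' for touch
    else:
        acl[("group", "")] &= group_bits
    acl[("other", "")] &= other_bits
    mask = acl.get(("mask", ""), 7)
    result = []
    for (tag, q), p in acl.items():
        # named users, named groups and the owning group are capped by the mask
        limited = (tag == "user" and q != "") or tag == "group"
        eff = p & mask if limited else p
        result.append((tag, q, fmt_perms(p), fmt_perms(eff)))
    return result

# The default ACL Mike set on 'parent' (constructed from the getfacl output above)
PARENT_DEFAULT = [("user", "", "rwx"), ("user", "mike", "rwx"),
                  ("group", "", "r-x"), ("mask", "", "rwx"), ("other", "", "r-x")]

if __name__ == "__main__":
    for label, mode in (("touch script1 (0666)", 0o666), ("mkdir sub (0777)", 0o777)):
        print(label)
        for tag, q, perms, eff in apply_default_acl(PARENT_DEFAULT, mode):
            note = "" if perms == eff else "\t#effective:" + eff
            print("  %s:%s:%s%s" % (tag, q, perms, note))
```

Running it reproduces the thread's result: for the file, mask becomes rw- and user:mike ends up effective rw-, while a subdirectory created with 0777 keeps rwx throughout.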