Old 06-22-2005, 08:04 PM   #1
Registered: Nov 2003
Distribution: Arch
Posts: 136

Rep: Reputation: 21
Default ACL and permissions inheritance


I'm currently trying to get my head around using setfacl to set default permissions on a directory. I'm happy with most of it except for the fact that I can't get the execute permission to be inherited to files. I think I know why this is happening, but I would like to circumvent it.

I have created a directory 'parent' and set a default ACL on it as follows:

linux:/tmp # mkdir parent
linux:/tmp # setfacl -d -m user:mike:rwx parent

This gives the result:

linux:/tmp # getfacl parent
# file: parent
# owner: root
# group: root

So far, so good. If I create a subdirectory, all the default ACLs are inherited as expected. My question arises from the permissions granted on creation of a file in the directory 'parent':

linux:/tmp # cd parent
linux:/tmp/parent # touch script1

As far as I understand it, the umask value for the rest of the system (0022 on my box) is ignored because of the ACL inheritance from 'parent', and the new file (script1) is created with a mode of 0666. Permissions not contained in this mode value (i.e. 'x') are removed from the mask for the file. This means that the new mask for the file is set to rw-, leaving the following result:

linux:/tmp/parent # getfacl script1
# file: script1
# owner: root
# group: root
user:mike:rwx #effective:rw-
group::r-x #effective:r--

Because of this removal of the 'x' permission in the mask, mike now only has rw- to script1.
As the directory 'parent' will contain scripts that mike will be running, I would like mike to have 'x' permissions to all files in it.

Which brings me to my question:

Is there a way I can set the default ACL on 'parent' to give mike (and not members of 'users') 'rwx' to all files created in 'parent'?

I think that the right result could be achieved by setting the SUID or GUID bits, and removing all rights for 'other'. However, as I'm on a mission to understand the use of setfacl, I would like to know if it's possible to inherit the 'x' permission to files.

It may be that I can't see the wood for the trees, as I've been on this for a while now and my head is mashed!!

Old 06-22-2005, 08:44 PM   #2
Registered: Nov 2003
Distribution: Arch
Posts: 136

Original Poster
Rep: Reputation: 21
Upon further investigation, my solution of using SUID or GUID bits doesn't work anyway, as setfacl only appears to let you set 'rwx'. If you try 'rws' or 'rwS', it just throws a wobbly!
Old 02-18-2014, 11:14 AM   #3
LQ Newbie
Registered: Feb 2012
Posts: 5

Rep: Reputation: Disabled
I need to be able to make the created file rwx

Did you ever get this resolved? I'm going nuts trying to find an answer to changing the mask on files that will be created in a directory and cannot seem to find the right way to use setfacl. I put in a new thread on it and had very little response. Here's the link to the thread I posted
Old 02-18-2014, 11:47 AM   #4
Registered: Nov 2003
Distribution: Arch
Posts: 136

Original Poster
Rep: Reputation: 21
Hi there.

I'm afraid that post was nearly 9 years ago and I really can't remember what I did in the end. I don't work in IT any more, so am a bit rusty to say the least. I would suggest that you try asking your question in the Arch Linux forums - there are a lot of knowledgeable and helpful people in there and somebody may be able to point you in the right direction.

All the best...
Old 02-18-2014, 11:57 AM   #5
LQ Newbie
Registered: Feb 2012
Posts: 5

Rep: Reputation: Disabled
Cheers Mike!

Thanks anyway
Old 07-05-2016, 06:19 AM   #6
LQ Newbie
Registered: Mar 2009
Posts: 5

Rep: Reputation: 0
Execute cannot be default set with umask or ACLs

This question is answered in a Stack Overflow question here:

Relevant answer is as follows:
Even if umask/acl says that a file should have +x, it doesn't actually happen unless the application says the file should be executable (through flags in the open(2) syscall).

This is because it's not useful to give people +x on files by default -- mp3 and png files are not executable, and having the executable flag set just confuses users and tools.

If you instead mkdir a directory or compile an executable with gcc, the group will get +x because on directories and executables this makes sense.
Quoted from, "that other guy".

I would have used the inbuilt link and quote functionality but it didn't load/work.

So you must add the execute bit manually to a script file when newly created unless the application you're using to create the file knows or can be instructed to add the execute bit during the file handle open operation.
You can also script applying +x with chmod or install.
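
The following is an added example, not part of the thread: a small Python model of the object-creation rule in acl(5), showing why `touch script1` leaves mike with `rw-` and what changes when the creating program asks for execute. The `PARENT_DEFAULT` entries are an assumption (what `setfacl -d -m user:mike:rwx` produces on a 0755 directory), and the function names are illustrative.

```python
"""Model of how a new file's access ACL is derived from the parent's default
ACL and the mode passed to open(2)/creat(2), following acl(5)."""

def bits(s):
    # "r-x" -> 5
    return sum(v for c, v in zip(s, (4, 2, 1)) if c != "-")

def text(n):
    # 5 -> "r-x"
    return "".join(c if n & v else "-" for c, v in zip("rwx", (4, 2, 1)))

def inherit(default_acl, mode):
    """Return the access ACL a new file gets; the process umask plays no part."""
    acl = {tag: bits(p) for tag, p in default_acl.items()}
    acl["user::"] &= (mode >> 6) & 7
    acl["other::"] &= mode & 7
    # The group bits of the mode limit the mask entry when one exists,
    # otherwise the owning group's entry.
    group_class = "mask::" if "mask::" in acl else "group::"
    acl[group_class] &= (mode >> 3) & 7
    return acl

def effective(acl):
    """Permissions actually granted: named entries and group:: are capped by mask."""
    mask = acl.get("mask::", 7)
    out = {}
    for tag, p in acl.items():
        capped = tag not in ("user::", "other::", "mask::")
        out[tag] = text(p & mask if capped else p)
    return out

# Constructed default ACL (assumption): the result of
# `setfacl -d -m user:mike:rwx parent` on a directory with mode 0755.
PARENT_DEFAULT = {"user::": "rwx", "user:mike:": "rwx", "group::": "r-x",
                  "mask::": "rwx", "other::": "r-x"}

def demo():
    touched = effective(inherit(PARENT_DEFAULT, 0o666))    # touch script1
    installed = effective(inherit(PARENT_DEFAULT, 0o777))  # creator asks for x
    return touched, installed

if __name__ == "__main__":
    for acl in demo():
        print(acl)
```

On a file that already has an ACL, the group bits shown by `ls -l` are the mask, so `chmod g+x script1` or `setfacl -m m::rwx script1` is what restores mike's execute permission after creation.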

