LinuxQuestions.org - need to change ACL mask to r-x for files to be created in directory

- Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)

- - need to change ACL mask to r-x for files to be created in directory (https://www.linuxquestions.org/questions/linux-security-4/need-to-change-acl-mask-to-r-x-for-files-to-be-created-in-directory-4175495231/)

faitrien

02-17-2014 10:29 AM

need to change ACL mask to r-x for files to be created in directory

files are being created in the /usr/*/*/*/user1 directory which has the acl as follows

# file: /usr/*/*/*/user1
# owner: user1# group: sftp
user::rwx
group::rwx
other::rwx
default:user::rwx
default:user:ppadm:rwx
default:group::rwx
default:mask::rwx
default:other::rwx

# file: /usr/*/*/*/user1/test
# owner: user1
# group: sftp
user::rw-
user:ppadm:rwx #effective:r--
group::rwx #effective:r--
mask::r--
other::r--

# file: /usr/*/*/*/user1/test2
# owner: rpstockfile
# group: sftp
user::rw-
group::r--
other::r--

The user ppadm in the same group needs to be able to chmod the file that has been created by user1. I can see I have to change the mask on the files so it will need to be changed on the default ACL and will need to be recursive. I cannot find how to do this or if I am correct. Help please. I really appreciate it.

pingwinowiewc

02-17-2014 10:39 AM

You want sth like:

group a > internet
group b > local

and vice versa?

faitrien

02-17-2014 11:03 AM

no, I just want the users in the same group to be able to manipulate the permissions of the file right now, any file created has r-- permissions. I need the files created to have r-x permissions. Don't let the group "sftp" confuse it, it can be any group the owner belongs to. From what I have managed to find I just need to change the default ACL mask for file creation in that directory to rwx but I cannot find how. Can I do that? I have another server that does do it, I just don't know how.

I have tried using the following setfacl command
setfacl -m m:: /usr/*/*/*/user1
and
setfacl -d -m m:rwx: /usr/*/*/*/user1
and variations but I still keep getting errors

GazL	02-21-2014 08:33 AM

Only the 'owner' of a file or the superuser can change its permissions. Trying to use ACLs won't help. Also, default ACLs won't override permission that aren't in the mode specified in the open() call that creates the file, so if the program creating the file doesn't specify execute permissions at creation, you're not going to be able to force the permission bit to be set by any other method.

You've only got 2 options,

Use a vfat filesystem and mount it using something like uid=whatever,gid=whatever,dmask=007,fmask=007

But that's a bit ugly.

write a cron job that runs periodically and does a recursive chmod/chown on your chosen directory. But that's also a bit ugly.

Unfortunately when the guys designed the POSIX permissions system back in the 60's they didn't think that anyone would ever want a group, rather than an individual user to 'own' a file. Sorry to be the bearer of bad news.

pedor

02-26-2014 07:08 AM

setfacl -R -d -m
To set default acl recursive

All times are GMT -5. The time now is 04:37 PM.