Ubuntu – Discrepancy with the output of `ls -al` and `getfacl`

18.04aclchmod

I have run the following script to set permissions into /etc/nginx

#!/usr/bin/env bash

sudo chown -R root:root /etc/nginx
sudo chmod -R 0750 /etc/nginx
sudo setfacl -Rbk -m g:hugo:rwx /etc/nginx
sudo setfacl -R --mask -m g:www-data:rx /etc/nginx

However, when I check the permissions afterwards there is a discrepancy in the results for the 'group' of ls -al and getfacl

$ ls -al /etc/nginx
total 24
drwxrwx---+   5 root root 4096 Mar 18 17:07 .

$ getfacl /etc/nginx
getfacl: Removing leading '/' from absolute path names
# file: etc/nginx
# owner: root
# group: root
user::rwx
group::r-x
group:www-data:r-x
group:hugo:rwx
mask::rwx
other::---

Why?

Best Answer

What you see with ls is the mask entry of the ACL. From man setfacl, the mask entry seems to reflect the maximum possible permissions that can be set on an ACL entry.

the permissions of the mask entry are further adjusted to include the union of all permissions affected by the mask entry

The access rights you see in your example with ls for the default group root:rwx are wrong as the effective rights are now controlled by the ACLs.

Related Question