Debian – Using setfacl to create recursive permissions for Apache with rsync


I have a Dokuwiki installation locally, which I regularly sync to my server with rsync. I'm also going to give a friend of mine an ssh account, and host his public Dokuwiki installation. However, I'm having a problem with access permissions – even though the mirror is read-only, Dokuwiki still needs write-permissions to the data directory for cache etc. The Apache server runs as user www-data, and every time I do a rsync, it resets permissions.

Based on some other answers on this site, I tried using setfacl to set default permissions, but it doesn't seem to work – getfacl indicates that the permissions exist, but Dokuwiki won't run, and when I try to write a file as user www-data, it also doesn't work. What am I missing?

wiki/data$ sudo su www-data
$ pwd
/var/www/wiki/data
$ whoami
www-data
$ touch hi
touch: cannot touch `hi': Permission denied
$ getfacl /var/www/wiki/data
getfacl: Removing leading '/' from absolute path names
# file: var/www/wiki/data
# owner: stian
# group: admin
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:www-data:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

Here's the command I used to set the permissions:

setfacl -R -d -m u:www-data:7 /var/www/*

Best Answer

Issue #1: Rsync is dropping ACLs

After applying the ACL permissions you need to take care that when you perform your rsync that you're using either the -A or --acls switch. This instructs rsync to make sure to preserve these when doing the sync.

excerpt from rsync man page

    -A, --acls                  preserve ACLs (implies -p)

Issue #2: No ACL permissions

Looking at your example, it does contain permissions as follows.

traditional perms

# owner: stian
# group: admin
user::rwx
group::r-x
other::r-x

ACLs

default:user::rwx
default:user:www-data:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

But these ACLs are for the creation of new objects, and don't work exactly the way you think. You still need to create an entry for user www-data in addition to the default ACL perms.

Example

$ pwd
/tmp/somedir

$ mkdir data
$ setfacl -R -d -m u:gopher:7 data

$ getfacl data
# file: data
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:gopher:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

An experiment

Now let's try and write a file to the data directory as user gopher.

$ sudo -u gopher touch /tmp/somedir/data/afile
touch: cannot touch `/tmp/somedir/data/afile': Permission denied

Look familiar?

Adding additional ACL permissions

It's because you need to add an ACL for the user www-data; the default rules aren't for access, they're for creating new files/directories.

$ setfacl -R -m u:gopher:7 data

Now check the data directory again:

$ getfacl data
# file: data
# owner: root
# group: root
user::rwx
user:gopher:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:gopher:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

The only difference is that we now have an ACL saying that user gopher has rwx access:

user:gopher:rwx

Repeat the experiment

Try writing data to the directory again:

$ sudo -u gopher touch /tmp/somedir/data/afile
$

It worked!!! Double check the resulting file:

$ ls -l /tmp/somedir/data/afile
-rw-rw-r--+ 1 gopher gopher 0 Oct  7 21:36 /tmp/somedir/data/afile
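The answer's two points (a `default:` entry grants nothing on the directory itself, and rsync drops ACLs unless `-A`/`--acls` is given) are easy to verify by hand once, but they are also easy to regress on the next sync. The following is an added example, not code from the question or the answer: a small Python auditor that parses `getfacl` output, works out the effective permissions a named user such as `www-data` gets (owner entry, then named-user entry capped by the mask, else `other`), and flags the "only a default entry" and "mask clips the entry" cases. It also checks an rsync command line for `-A`/`--acls`. The ACL listings embedded below are constructed to mirror the page; group membership is not visible in `getfacl` output, so the evaluator assumes the user is not in any listed group.

```python
"""Added example: audit getfacl(1) output for real write access by a named
user, and check that an rsync invocation preserves ACLs.  Sample listings
are constructed to match the page; they are not captured from a live host."""
import re

# One ACL entry: optional 'default:' prefix, tag, qualifier, rwx perms.
ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")


def parse_getfacl(text):
    """Return {'owner': str, 'access': [...], 'default': [...]}; each entry
    is a (tag, qualifier, perms) tuple.  Access entries are what the kernel
    checks on every open(); default entries are only copied to new children."""
    acl = {"owner": None, "access": [], "default": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                      # '# owner:' etc. header lines
            m = re.match(r"#\s*owner:\s*(\S+)", line)
            if m:
                acl["owner"] = m.group(1)
            continue
        line = line.split("#", 1)[0].strip()          # drop '#effective:' annotations
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        is_default, tag, qual, perms = m.groups()
        acl["default" if is_default else "access"].append((tag, qual, perms))
    return acl


def _and_perms(a, b):
    """AND two 'rwx' strings, which is how the mask caps a named entry."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))


def effective_perms(entries, user, owner):
    """Permissions `user` gets from one entry list, in POSIX order: owner entry,
    then named-user entry capped by the mask, otherwise the `other` entry.
    Assumption: `user` is not a member of the owning or any named group."""
    by = {(tag, qual): perms for tag, qual, perms in entries}
    if user == owner:
        return by[("user", "")]
    if ("user", user) in by:
        return _and_perms(by[("user", user)], by.get(("mask", ""), "rwx"))
    return by[("other", "")]


def audit_write_access(text, user):
    """Findings explaining why `user` cannot write the object described by
    `text`; an empty list means write access is granted."""
    acl = parse_getfacl(text)
    by = {(tag, qual): perms for tag, qual, perms in acl["access"]}
    named, mask = by.get(("user", user)), by.get(("mask", ""))
    findings = []
    eff = effective_perms(acl["access"], user, acl["owner"])
    if "w" not in eff:
        findings.append(f"{user} has effective access perms {eff}: no write")
        if named is None and any(t == "user" and q == user for t, q, _ in acl["default"]):
            findings.append(f"only a default:user:{user} entry exists; it applies to "
                            f"new children, not this object (setfacl -R -m u:{user}:rwx <dir>)")
    if named and mask and _and_perms(named, mask) != named:
        findings.append(f"mask::{mask} clips user:{user}:{named} to {_and_perms(named, mask)}")
    return findings


def rsync_preserves_acls(argv):
    """True if the rsync command line carries -A or --acls (short flags may
    be bundled, e.g. -avA), so ACLs set with setfacl survive the sync."""
    for arg in argv[1:]:
        if arg == "--":
            break
        if arg == "--acls" or (arg.startswith("-") and not arg.startswith("--") and "A" in arg):
            return True
    return False


# Constructed listing mirroring the question: only a *default* entry for www-data.
BEFORE = """\
# file: var/www/wiki/data
# owner: stian
# group: admin
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:www-data:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

# Constructed listing after `setfacl -R -m u:www-data:rwx`: an access entry as well.
AFTER = BEFORE.replace("user::rwx\ngroup::r-x\nother",
                       "user::rwx\nuser:www-data:rwx\ngroup::r-x\nmask::rwx\nother")

# Constructed: access entry present but the mask (the group bits) was tightened.
CLIPPED = AFTER.replace("mask::rwx\nother", "mask::r-x\nother")

if __name__ == "__main__":
    for name, listing in (("before", BEFORE), ("after", AFTER), ("clipped", CLIPPED)):
        print(name, audit_write_access(listing, "www-data") or "OK")
    print("rsync -av preserves ACLs:", rsync_preserves_acls(["rsync", "-av", "wiki/", "host:/var/www/wiki/"]))
```

Run it against a real listing with `getfacl /var/www/wiki/data 2>/dev/null` piped into `parse_getfacl` (the `2>/dev/null` keeps the "Removing leading '/'" notice out of the input). The evaluator deliberately ignores group entries because `getfacl` cannot tell you who is in `admin`; if `www-data` were a group member the result could only be more permissive, never less.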