Linux – How ACL Calculates Effective Permissions on a File

aclfileslinuxpermissions

I ran the following command to give the wheel group rwx permissions on new files and subdirectories created:

[belmin@server1]$ ls -la
total 24
drwxr-sr-x+   2 guards guards  4096 Aug 27 15:30 .
drwxr-xr-x  104 root   root   12288 Aug 27 15:19 ..

[belmin@server1]$ sudo setfacl -m d:g:wheel:rwX .

[belmin@server1]$ getfacl .
# file: .
# owner: guards
# group: guards
# flags: -s-
user::rwx
group::r-x
group:wheel:rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:wheel:rwx
default:mask::rwx
default:other::r-x

However, when I create a file as root, I am not completely clear how the effective permissions are calculated:

[belmin@server1]$ sudo touch foo

[belmin@server1]$ getfacl foo
# file: foo
# owner: root
# group: guards
user::rw-
group::r-x                      #effective:r--
group:wheel:rwx                 #effective:rw-
group:guards:rwx                #effective:rw-
mask::rw-
other::r--

Can someone elaborate on what this means?

Best Answer

effective permissions are formed by ANDing the actual (real?) permissions with the mask. Since the mask of your file is rw-, all the effective permissions have the x bit turned off.

Related Solutions

What relationships tie ACL mask and standard group permission on a file

It doesn't make sense if the unix file permissions disagree to the acl entry and vice versa. Accordingly, the manual page (acl(5)) says what you ask for:

CORRESPONDENCE BETWEEN ACL ENTRIES AND FILE PERMISSION BITS

The permissions defined by ACLs are a superset of the permissions specified by the file permission bits.

There is a correspondence between the file owner, group, and other permissions and specific ACL entries: the owner permissions correspond to the permissions of the ACL_USER_OBJ entry. If the ACL has an ACL_MASK entry, the group permissions correspond to the permissions of the ACL_MASK entry. Otherwise, if the ACL has no ACL_MASK entry, the group permissions correspond to the permissions of the ACL_GROUP_OBJ entry. The other permissions correspond to the permissions of the ACL_OTHER_OBJ entry.

The file owner, group, and other permissions always match the permissions of the corresponding ACL entry. Modification of the file permission bits results in the modification of the associated ACL entries, and modification of these ACL entries results in the modification of the file permission bits.

Addendum in response to the discussion:

What is the reason for coupling ACL mask and file group permissions? What logic does lay behind it?

A good explanation is here. In essence the mask is an

[...] upper bound of the permissions that any entry in the group class will grant.

This upper bound property ensures that POSIX.1 applications that are unaware of ACLs will not suddenly and unexpectedly start to grant additional permissions once ACLs are supported.

In minimal ACLs, the group class permissions are identical to the owning group permissions. In extended ACLs, the group class may contain entries for additional users or groups. This results in a problem: some of these additional entries may contain permissions that are not contained in the owning group entry, so the owning group entry permissions may differ from the group class permissions.

This problem is solved by the virtue of the mask entry. With minimal ACLs, the group class permissions map to the owning group entry permissions. With extended ACLs, the group class permissions map to the mask entry permissions, whereas the owning group entry still defines the owning group permissions. The mapping of the group class permissions is no longer constant.

Bash – Effective ACL permissions changing permissions

You can change the mask with the following command:

setfacl -m m:rwx filename/directory

Best Answer

Related Solutions

What relationships tie ACL mask and standard group permission on a file

Bash – Effective ACL permissions changing permissions

Related Question