Linux ACL – Using ACL with Multiple Default Groups

acllinux

I have looked though the answers to similar questions and refreshed my memory on ACLs by reading tutorials on Linux ACLs. Yet, I am still stumped. What have I done wrong, or what do I not understand?

I have a file system mounted with the acl option.

user@host:/srv$ grep srv /etc/fstab
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx /srv ext4 relatime,nodev,nosuid,user_xattr,acl 0 2

The user, user, is a member of the devs group.

user@host:/srv$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),1001(devs)

The umask is normal.

user@host:/srv$ umask
0022

A directory is created; group ownership and permissions are set.

user@host:/srv$ sudo mkdir lib; sudo chmod 0750 lib && sudo chgrp www-data lib
user@host:/srv$ ls -l
total 24
drwxr-x---  2 root www-data  4096 May 21 18:00 lib
drwx------  2 root root     16384 Feb 17 18:22 lost+found
drwxr-xr-x  3 root www-data  4096 May 21 17:25 www

An ACL is applied to the new directory.

user@host:/srv$ sudo setfacl -d -m g:devs:5 lib/
user@host:/srv$ getfacl lib
# file: lib
# owner: root
# group: www-data
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:group:devs:r-x
default:mask::r-x
default:other::---

I think I should be able to get a directory listing, but I cannot.

user@host:/srv$ ls lib/
ls: cannot open directory lib/: Permission denied

Best Answer

Gah - facepalm! The -d switch is used for new files and directories within the lib directory. An explicit ACL must be defined for the lib directory itself.

Remove the ACLs.

user@host:/srv$ sudo setfacl -b lib
user@host:/srv$ ls -l
total 24
drwxr-x---  2 root www-data  4096 May 21 19:06 lib
drwx------  2 root root     16384 Feb 17 18:22 lost+found
drwxr-x---  3 root www-data  4096 May 21 17:25 www

Set the default ACL.

user@host:/srv$ sudo setfacl -d -m g:devs:5 lib/
user@host:/srv$ getfacl lib
# file: lib
# owner: root
# group: www-data
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:group:devs:r-x
default:mask::r-x
default:other::---

Test if the ACL allows members of the devs group to use ls.

user@host:/srv$ ls lib/
ls: cannot open directory lib/: Permission denied

Add a new ACL for the directory, without the -d (default) switch.

user@host:/srv$ sudo setfacl -m g:devs:5 lib/
user@host:/srv$ ls lib/
user@host:/srv$ ls -l lib/
total 0

Copy a file into the lib directory.

user@host:/srv$ sudo cp /etc/hostname lib/
user@host:/srv$ cat lib/hostname
host

Show the permissions.

user@host:/srv$ ls -l lib/
total 4
-rw-r-----+ 1 root root 6 May 21 19:15 hostname

Show the ACLs.

user@host:/srv$ getfacl lib/hostname
# file: lib/hostname
# owner: root
# group: root
user::rw-
group::r-x                      #effective:r--
group:devs:r-x                  #effective:r--
mask::r--
other::---

I am happy to receive any further insight about this.

Related Question