ACL – Setting Default Permissions on New Files and Folders


I want to set up default permissions inside a folder, so that all newly created folders and files get these default permissions.
So I did some research, and the best thread I found was this one.

So I came up with this little "test":

#!/bin/bash

# setup folder
rm -rf ./test
mkdir ./test
cd ./test

# Reset all files/folders
sudo chmod -R 0000 ./ # delete all permissions
sudo chmod -R -st ./ # remove all special bits
sudo setfacl -Rdx u::,g::,o:: ./ # remove all default user/group permissions

# set new permissions and ownership
sudo chown -R christopher:users ./ # Set user and group for all files/folders
sudo chmod -R 550 ./ # set default permissions to all files/folders
sudo chmod 750 ./ # set folder main permission
sudo setfacl -d -m u::rx ./ # set user default permission (same as 550)
sudo setfacl -d -m g::rx ./ # set group default permission (same as 550)

# test the default permissions
nano myFile # write some data in it and save

Now I want to test it.
First with getfacl ./, which produces this output:

# file: .
# owner: christopher
# group: users
user::rwx
group::r-x
other::---
default:user::r-x
default:group::r-x
default:other::---

After this I also tried getfacl ./myFile with the following output:

# file: myFile
# owner: christopher
# group: users
user::r--
group::r--
other::---

This is obviously not really working, so I have two questions:

  1. What am I doing wrong? The newly created file myFile should have the permissions r-xr-x---, as specified in the setfacl command. So why isn't this the case?
  2. This is also not working when I set the SUID/GUID/OUID flag (sst). But I am also not really sure how to use them, because the definition says that setting the SUID or GUID flag on a folder will make newly created files within the folder inherit its own permission. Is the permission really meant there, or only the owner user/group?
  3. Maybe you can help me fix my little script. But even if you do, there is still the problem that I need different default permissions for newly created folders and for newly created files, because newly created folders should always get the permission 550 while newly created files should always get the permission 440. With commands like find -type a distinction can be made, so I could do something like find ./ -type d -exec chmod 550 {} \; which instantly sets the permission of all folders to 550 (-type f analogously for files). But this is only possible on folders/files that already exist. I need some "default" permission for newly created folders and files, but default permissions for both separately.

Best Answer

The permissions set by the default ACL are masked with whatever the mode is that the program creating the file gives. Usually, a program creating a regular file sets the permissions to 0666 (that is, no execute bits), and lets the umask handle removing access from group and others. For directories the mode is usually set to 0777 so that the x-bits are there, since they are often needed.

A program creating a "private" file, like SSH keys, would specify the permissions as 0600, to make sure no-one but the user themselves has access.

The manual acl(5) says that:

OBJECT CREATION AND DEFAULT ACLs

  1. The access ACL entries corresponding to the file permission bits are modified so that they contain no permissions that are not contained in the permissions specified by the mode parameter.

So, since the ACL u:: corresponds to the usual permission bits for the file's user, the permissions are masked by what the creating program gives. (In a sense, the default ACL seems to take the place of the umask.) I suspect if you create a directory, you'll see that it does get the x-bit as you wanted.

Technically that doesn't affect ACL entries for a specific user, as in u:foo:rwx, but those are limited by the ACL mask. The mask has a correspondence with the traditional group permission bits, and it seems the rule quoted above applies also to the mask, such that the ACL mask is limited by the group permission bits set when the file is created.

Let's try:

$ mkdir dir ; chmod 750 dir ; setfacl -d -m u::rx -m g::rx -m u:foo:rwx dir 
$ touch dir/file ; mkdir dir/subdir

The created file has the x-bits masked (getfacl here shows both the bits set and what the effective values are after applying the mask):

$ getfacl dir/file
user::r--
user:foo:rwx                    #effective:rw-
group::r-x                      #effective:r--
mask::rw-
other::---

But the directory doesn't:

$ getfacl dir/subdir/
user::r-x
user:foo:rwx
group::r-x
mask::rwx
...

That might answer (1) and (3). As for (2): IIRC, the setgid-bit (g+s) on a directory makes new files created inside it inherit the group of the directory (not the mode). The sticky bit (+t) controls deleting files not owned by you, and actually I have no idea what the setuid-bit (u+s) would do on a directory.
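The masking rule described in this answer, as an added example that is not part of the original post: a pure-Python model of acl(5) object creation, fed with the answer's constructed default ACL (`u:foo` is the hypothetical user from the answer) and the 0666/0777 modes that touch and mkdir request. It reproduces the two getfacl outputs above without touching a real filesystem.

```python
# Added example, not from the original post: models the acl(5) object-creation rule.
PERM_BITS = (("r", 4), ("w", 2), ("x", 1))

def parse_perms(s):  # 'r-x' -> 5
    return sum(b for c, b in PERM_BITS if c in s)

def fmt_perms(n):  # 5 -> 'r-x'
    return "".join(c if n & b else "-" for c, b in PERM_BITS)

def parse_acl(text):
    """getfacl-style entries such as 'user:foo:rwx' -> [(tag, qualifier, perms)]."""
    return [(t, q, parse_perms(p)) for t, q, p in
            (entry.split(":") for entry in text.split())]

def create_object(default_acl, mode):
    """acl(5) step 2: entries corresponding to the file permission bits (user::,
    other::, and mask:: if present, otherwise group::) keep only permissions that
    the creating program's mode also has. The umask is not consulted here."""
    has_mask = any(t == "mask" for t, _, _ in default_acl)
    out = []
    for tag, qual, perms in default_acl:
        if tag == "user" and qual == "":
            perms &= (mode >> 6) & 7
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            perms &= (mode >> 3) & 7
        elif tag == "other":
            perms &= mode & 7
        out.append((tag, qual, perms))
    return out

def effective(tag, qual, perms, acl):
    """Named-user and group entries are additionally limited by the mask entry."""
    mask = next((p for t, _, p in acl if t == "mask"), None)
    limited = tag == "group" or (tag == "user" and qual != "")
    return perms & mask if (mask is not None and limited) else perms

def render(acl):
    """Reproduce getfacl's lines, including its '#effective:' annotations."""
    lines = []
    for tag, qual, perms in acl:
        eff = effective(tag, qual, perms, acl)
        note = f"  #effective:{fmt_perms(eff)}" if eff != perms else ""
        lines.append(f"{tag}:{qual}:{fmt_perms(perms)}{note}")
    return lines

# Constructed: what `setfacl -d -m u::rx -m g::rx -m u:foo:rwx dir` leaves as the
# default ACL (setfacl adds mask:: itself and copies other:: from the access ACL).
DEFAULT_ACL = parse_acl("user::r-x user:foo:rwx group::r-x mask::rwx other::---")
FILE_MODE, DIR_MODE = 0o666, 0o777  # modes requested by touch(1) and mkdir(1)
if __name__ == "__main__": print(*render(create_object(DEFAULT_ACL, FILE_MODE)), sep="\n")
```

Feeding the questioner's default ACL (no named entries, hence no mask) and mode 0666 to `create_object` gives user::r--, group::r--, other::---, the result seen on myFile.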
