I want to set up default permissions inside a folder, so that all newly created folders and files get these default permissions.
So I did some research and the best thread I found was this one.
So I came up with this little "test":
#!/bin/bash
# setup folder
rm -rf ./test
mkdir ./test
cd ./test
# Reset all files/folders
sudo chmod -R 0000 ./ # delete all permissions
sudo chmod -R -st ./ # remove all special bits
sudo setfacl -Rdx u::,g::,o:: ./ # remove all default user/group permissions
# set new permissions and ownership
sudo chown -R christopher:users ./ # Set user and group for all files/folders
sudo chmod -R 550 ./ # set default permissions to all files/folders
sudo chmod 750 ./ # set folder main permission
sudo setfacl -d -m u::rx ./ # set user default permission (same as 550)
sudo setfacl -d -m g::rx ./ # set group default permission (same as 550)
# test the default permissions
nano myFile # write some data in it and save
Now I want to test it. First with getfacl ./ which produces this output:
# file: .
# owner: christopher
# group: users
user::rwx
group::r-x
other::---
default:user::r-x
default:group::r-x
default:other::---
After this I also tried getfacl ./myFile with the following output:
# file: myFile
# owner: christopher
# group: users
user::r--
group::r--
other::---
This is obviously not really working, so I have two questions:
- What am I doing wrong? The newly created file myFile should have the permissions r-xr-x--- as specified in the setfacl command. So why isn't this the case?
- This is also not working when I set the SUID/GUID/OUID flag (sst). But I am also not really sure how to use them, because the definition says "set the SUID or GUID flag on a folder will inherit its own permission to new created files within the folder". Is the permission really meant there, or only the owner user/group?
- Maybe you can help me fix my little script. But even if you do, there is still the problem that I need different default permissions for newly created folders and for newly created files: newly created folders should always get the permission 550, while newly created files should always get the permission 440. With commands like find -type a difference can be made, so I could do something like find ./ -type d -exec chmod 550 {} \; which instantly sets the permission of all folders to 550 (-type f analogously for files). But this is only possible on folders/files that already exist. I need some "default" permission for newly created folders and files, but default permissions for both separately.
Best Answer
The permissions set by the default ACL are masked with whatever the mode is that the program creating the file gives. Usually, a program creating a regular file sets the permissions to 0666 (that is, no execute bits), and lets the umask handle removing access from group and others. For directories the mode is usually set to 0777 so that the x-bits are there, since they are often needed. A program creating a "private" file, like SSH keys, would specify the permissions as 0600, to make sure no-one but the user themselves has access.

The manual acl(5) says that:

So, since the ACL u:: corresponds to the usual permission bits for the file's user, the permissions are masked by what the creating program gives. (In a sense, the default ACL seems to take the place of the umask.) I suspect if you create a directory, you'll see that it does get the x-bit as you wanted.

Technically that doesn't affect ACL entries for a specific user, as in u:foo:rwx, but those are limited by the ACL mask. The mask has a correspondence with the traditional group permission bits, and it seems the rule quoted above applies also to the mask, such that the ACL mask is limited by the group permission bits set when the file is created.

Let's try:

The created file has the x-bits masked (getfacl here shows both the bits set and what the effective values are after applying the mask):

But the directory doesn't:

That might answer (1) and (3). As for (2): IIRC, the setgid-bit (g+s) on a directory makes new files created inside it inherit the group of the directory (not the mode). The sticky bit (+t) controls deleting files not owned by you, and actually I have no idea what the setuid-bit (u+s) would do on a directory.
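As an added illustration of the masking rule the answer describes (this is not code from the answer or from the acl tools), the following Python model applies the acl(5) inheritance step to the question's default ACL with the 0666 file mode and 0777 directory mode the answer mentions, and also to the answer's u:foo:rwx case with a mask. The function names and the getfacl-style formatting are my own; the rule itself is the one from acl(5).

```python
"""Model of the acl(5) rule described in the answer (an added illustration, not
the kernel's code): a new object inherits the directory's default ACL, then the
entries matching the file permission bits are ANDed with the creating program's mode."""
from typing import List, Tuple

Entry = Tuple[str, str, int]  # (tag, qualifier, permission bits as r=4, w=2, x=1)

def parse_entry(text: str) -> Entry:
    """Parse 'user:foo:rwx' (or short 'u:foo:rwx') into (tag, qualifier, bits)."""
    tag, qual, perms = text.split(":")
    tag = {"u": "user", "g": "group", "o": "other", "m": "mask"}.get(tag, tag)
    bits = (4 if "r" in perms else 0) | (2 if "w" in perms else 0) | (1 if "x" in perms else 0)
    return tag, qual, bits

def fmt(bits: int) -> str:
    """Render permission bits the way getfacl prints them, e.g. 5 -> 'r-x'."""
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")

def inherit_access_acl(default_acl: List[str], mode: int) -> List[str]:
    """Access ACL of an object created with `mode` in a directory carrying
    `default_acl`, formatted like getfacl output (including #effective comments)."""
    entries = [parse_entry(e) for e in default_acl]
    has_mask = any(tag == "mask" for tag, _, _ in entries)
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    inherited: List[Entry] = []
    for tag, qual, bits in entries:
        if tag == "user" and qual == "":
            bits &= owner_bits   # user:: is cut down to the owner bits of mode
        elif tag == "other":
            bits &= other_bits   # other:: is cut down to the other bits of mode
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            bits &= group_bits   # mask:: (or group:: when no mask) follows the group bits
        inherited.append((tag, qual, bits))
    # Named users/groups and group:: keep their bits, but the mask limits what is
    # effective; getfacl reports that as an "#effective:" comment on the entry.
    mask = next((b for t, _, b in inherited if t == "mask"), None)
    lines = []
    for tag, qual, bits in inherited:
        line = f"{tag}:{qual}:{fmt(bits)}"
        mask_applies = tag != "mask" and (qual != "" or tag == "group")
        if mask is not None and mask_applies and bits & mask != bits:
            line += f"\t#effective:{fmt(bits & mask)}"
        lines.append(line)
    return lines

if __name__ == "__main__":
    question_default = ["user::r-x", "group::r-x", "other::---"]  # from the question's getfacl
    for label, mode in (("file, mode 0666", 0o666), ("directory, mode 0777", 0o777)):
        print(label, inherit_access_acl(question_default, mode))
```

Running it reproduces the question's r-- / r-- / --- result for a file and the r-x / r-x / --- result the answer predicts for a directory; the mask case shows why a u:foo:rwx entry ends up with an effective rw- after creation with 0666.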