Setfacl incorrectly changes group permissions

aclbackuppermissions

To backup the "/home" directory tree of a server, I've created a 'backup' account and used setfacl to make the whole directory readable by it. My cron job runs this command as root each night:

setfacl -R -m u:backup:rx,d:u:backup:rx /home

Great, except for one problem: whenever I run this command, it changes the group permissions of my ssh key.

me@myserver:~/.ssh$ ls /home/me/.ssh/id_rsa -l
-rw-r-x---+ 1 me me 1679 Jan  8 18:35 /home/me/.ssh/id_rsa

Well, this causes my ssh program to barf because it is now group readable. Strangely, getfacl disagrees with the permissions.

me@myserver:~/.ssh$ getfacl /home/me/.ssh/id_rsa
getfacl: Removing leading '/' from absolute path names
# file: home/me/.ssh/id_rsa
# owner: me
# group: me
user::r--
user:backup:r-x
group::---
mask::r-x
other::---

getfacl thinks the file is not group readable. If I run the obvious command

chmod 400 id_rsa

the permission is fixed, but reverts every time I re-run the original command (setfacl -R -m u:backup:rx,d:u:backup:rx /home). What's going on?

Note: I do want my id_rsa to backup up, so let's not worry about those security implications.

Best Answer

If we have a look at the acl(5) man page, we see:

CORRESPONDENCE BETWEEN ACL ENTRIES AND FILE PERMISSION BITS

The permissions defined by ACLs are a superset of the permissions specified by the file permission bits.

There is a correspondence between the file owner, group, and other permissions and specific ACL entries: the owner permissions correspond to the permissions of the ACL_USER_OBJ entry. If the ACL has an ACL_MASK entry, the group permissions correspond to the permissions of the ACL_MASK entry. Otherwise, if the ACL has no ACL_MASK entry, the group permis‐ sions correspond to the permissions of the ACL_GROUP_OBJ entry. The other permissions correspond to the permissions of the ACL_OTHER_OBJ entry.

If you look at your getfacl output, you'll see that the mask is r-x, without which backup wouldn't have access to the file.

Actually, that r-x in the mode doesn't mean the me group has access to the file (it doesn't), just that someone else (user or group) may have access to it.

Still, for ssh it's the same, it's not good enough.

When you do the chmod 400, you clear the mask, which means the backup user no longer has access to it.

It's a bit confusing, but it's probably the best approach at conciliating the two permission mechanisms.

For your problem, you probably need to do your backup as root or use capabilities.

Issue #1: Rsync is dropping ACLs

After applying the ACL permissions you need to take care that when you perform your rsync that you're using either the -A or --acls switch. This instructs rsync to make sure to preserve these when doing the sync.

excerpt from rsync man page

    -A, --acls                  preserve ACLs (implies -p)

Issue #2: No ACL permissions

In looking at your example it does contain permissions as follows.

traditional perms

# owner: stian
# group: admin
user::rwx
group::r-x
other::r-x

ACLs

default:user::rwx
default:user:www-data:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

But these ACLs are for the creation of new objects, and don't work exactly the way you think. You need to still create an entry for user www-data in addition to the default ACL perms.

Example

$ pwd
/tmp/somedir

$ mkdir data
$ setfacl -R -d -m u:gopher:7 data

$ getfacl data
# file: data
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:gopher:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

An experiment

Now let's try and write a file to the data directory as user gopher.

$ sudo -u gopher touch /tmp/somedir/data/afile
touch: cannot touch `/tmp/somedir/data/afile': Permission denied

Look familiar?

Adding additional ACL permissions

It's because you need to add a ACL for the user www-data, the default rules aren't for access, they're for creating new files/directories.

$ setfacl -R -m u:gopher:7 data

Now check the data directory again:

$ getfacl data
# file: data
# owner: root
# group: root
user::rwx
user:gopher:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:gopher:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

The only difference we now have a ACL saying that user gopher has rwx access:

user:gopher:rwx

Repeat the experiment

Try writing a data to the directory again:

$ sudo -u gopher touch /tmp/somedir/data/afile
$

It worked!!! Double check the resulting file:

$ ls -l /tmp/somedir/data/afile
-rw-rw-r--+ 1 gopher gopher 0 Oct  7 21:36 /tmp/somedir/data/afile

Linux – File Inheriting Permission of Directory It Is Copied In

Permissions are generally not propagated by the directory that files are being copied into, rather new permissions are controlled by the user's umask. However when you copy a file from one location to another it's a bit of a special case where the user's umask is essentially ignored and the existing permissions on the file are preserved. Understanding this concept is the key to getting what you want.

So to copy a file but "drop" its current permissions you can tell cp to "not preserve" using the --no-preserve=all switch.

Example

Say I have the following file like you.

$ mkdir -m 744 somedir

$ touch afile
$ chmod 400 afile 

$ ll
total 0
-r--------. 1 saml saml 0 Feb 14 15:20 afile

And as you've confirmed if we just blindly copy it using cp we get this:

$ cp afile somedir/
$ ls -l somedir/
total 0
-r--------. 1 saml saml 0 Feb 14 15:20 afile

Now let's repeat this but this time tell cp to "drop permissions":

$ rm -f somedir/afile 

$ cp --no-preserve=all afile somedir/

$ ls -l somedir/
total 0
-rw-rw-r--. 1 saml saml 0 Feb 14 15:21 afile

So the copied file now has its permissions set to 664, where did it get those?

$ umask
0002

If I changed my umask to something else we can repeat this test a 3rd time and see the effects that umask has on the un-preserved cp:

$ umask 037
$ rm somedir/afile 

$ cp --no-preserve=all afile somedir/
$ ls -l somedir/
total 0
-rw-r-----. 1 saml saml 0 Feb 14 15:29 afile

Notice the permissions are no longer 664, but are 640? That was dictated by the umask. It was telling any commands that create a file to disable the lower 5 bits in the permissions ... these guys: (----wxrwx).

Best Answer

CORRESPONDENCE BETWEEN ACL ENTRIES AND FILE PERMISSION BITS

Related Solutions

Debian – Using setfacl to create recursive permissions for Apache with rsync

Issue #1: Rsync is dropping ACLs

Issue #2: No ACL permissions

Example

An experiment

Adding additional ACL permissions

Repeat the experiment

Linux – File Inheriting Permission of Directory It Is Copied In

Example

Related Question