Setting default umask and user:group on directory

aclchmodpermissionsumask

I have a directory data and I need to set default umask and ownership for all directories/files (both existing and future files).

I want all files in data to have ownership root:martin ans permissions 750/640

I am aware that I can use setfacl to set default umask recursively using

setfacl -R -d -m o::--- data

and that I can use setgid bit on the directory, so that all created files have ownership root:martin

chmod -R +s data

What I am not sure about is whether I should combine setgid with acl. Can I perhaps achieve the same with acl only? How would I do it? Would that solution be superior?

Best Answer

Option 1: The permissions of the files inside the directory doesn't matter, blocking at the directory level is usually enough, so chmod 2750 /path-to-dir is enough.

Option 2: Use ACLs only (chmod 2750 /path-to-dir is not necessary, but make things nicer for people not used to ACLs).

setfacl -R -b -d -m o::--- -m u::rwX -m g::rX  .

note that you could set g::rwX to achieve 770/660

Related Solutions

Why is the default umask value for useradd in openSUSE set to 022

Answering the question in your subject: OpenSuSE uses the traditional Unix umask setting, instead of the Debian-inspired one adopted by some other Linux distributions.

Editing /etc/login.defs should be sufficient to change it; this will not affect users currently logged in, nor is there any way for you to force such a change to programs that are currently running. It will also not affect users who have overridden it in their ~/.profile (or .bash_profile, .login, etc. as per their shell).

useradd is not involved with this; it is a per-process setting and the default is set during login (hence login.defs and not /etc/default/useradd).

Bash – How to recursively apply default ACLs of a directory to its descendants

I have come up with this ugly, inefficient solution but surely there's a better way:

( cd '/some/dir' && sudo find . -mindepth 1 -path './leave/alone' -prune -o \( -type d -exec bash -c 'getfacl -cd . | sed -nre "p;/^\$/!s/^/default:/p" | setfacl -bM - "{}"' \; \) -o \( -type f -exec bash -c 'getfacl -cd . | sed -re "/^#/!s/x\$/X/" | setfacl -bM - "{}"' \; \) )

Some comments about that monstrosity:

I've included a sub-directory exclusion to demonstrate that frequent requirement.
The cd eliminates the error-prone repetition of the source directory path and the outer parentheses make that change temporary.
The use of bash is needed because "-exec" doesn't allow pipelines. It also avoids that '!' character invoking history substitution and resulting in the infamous “event not found” error.
For sub-directories we must apply the source default ACLs as both access ACLs and default ACLs.
For files we must apply source default ACLs as access ACLs but apply no default ACLs at all if we wish to avoid the “Only directories can have default ACLs” warnings from setfacl.
For files we need to replace 'x' permissions from the source default ACLs with 'X' in order that we don't end up forcing all files to become executable. This solution also preserves the executable status of existing files, but only because we use “-bM -” rather than “--set-file=-” with setfacl.
This command line is very inefficient because I don't know of a way to use “-exec ... +” or xargs instead of “-exec ... \;”.
This command line works, but beware that descendant files get ACLs that are effectively equivalent but not technically equivalent to what occurs when newly creating a new descendant file.

The "Unix philosophy" is fantastic, but the task I'm trying to accomplish is needed too often for it to require such an unwieldy command line. Is there a better way aside from lobbying for additional features in setfacl?

Best Answer

Related Solutions

Why is the default umask value for useradd in openSUSE set to 022

Bash – How to recursively apply default ACLs of a directory to its descendants

Related Question