Using setfacl to allow group members to write to any file in a directory

Tags: acl, permissions

I'd like to use setfacl so that anyone in group 'app' can edit any file contained within /usr/local/users/app regardless of what the traditional UNIX permissions say. I have two users, john and ben. I tried to follow the instructions from another question, but john is not able to write to some files. It looks like this is because of the ACL mask. However, I've set a default mask of rwx on the directory, so shouldn't the files within it inherit that when created?

E.g. john cannot write to the file below, but he is a member of group 'app' which has write acls on the file so I'm surprised he can't edit the file.

ben@app1:/usr/local/users$ ls -la app/app-1.0-SNAPSHOT/lib/play.templates_2.10-2.1.1.jar 
-rw-r--r--+ 1 ben users 38326 Apr  2 10:21 app/app-1.0-SNAPSHOT/lib/play.templates_2.10-2.1.1.jar

ben@app1:/usr/local/users/app$ getfacl app-1.0-SNAPSHOT/lib/
# file: app-1.0-SNAPSHOT/lib/
# owner: ben
# group: users
user::rwx
group::rwx          #effective:r-x
group:app:rwx       #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::rwx
default:group:app:rwx
default:mask::rwx
default:other::r-x

ben@app1:/usr/local/users$ getfacl app/app-1.0-SNAPSHOT/lib/play.templates_2.10-2.1.1.jar 
# file: app/app-1.0-SNAPSHOT/lib/play.templates_2.10-2.1.1.jar
# owner: ben
# group: users
user::rw-
group::rwx          #effective:r--
group:app:rwx       #effective:r--
mask::r--
other::r--

Best Answer

You'll notice the "effective" comment that getfacl is throwing out at you. The issue is that permissions are being calculated so that "app" isn't getting the write bit set. That's happening because the mask on the file is set to read-only. The mask is used to limit the amount of permissions that could possibly be given out on a particular file or directory.

An example of why you would want this behavior would be if you knew the file could legitimately need different users/groups to have access to it, but for some reason things were getting complicated with permissions and you wanted a way to say "Whatever the other default permissions are set to, whatever their group memberships are, or whatever recursive setfacl gets executed later on, DEFINITELY DON'T GIVE THIS OUT!" The owning user has a special status in the POSIX world; it has rights other users don't have, like the ability to be non-root and change permissions on a file, and to have its rights not be limited by the mask (which would be pointless anyway because of the first privilege the system gives them). This is why they still get rwx even though the mask is restricted.

To answer your specific question though: add the write bit to the mask on the file and try again as the john user.

Here is a command line version of the above explanation; take note of how the "effective" rights change when all I modify is the mask.
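
The mask arithmetic the answer describes, as an added example that is not part of the original answer: the effective right of every named-user, named-group and owning-group entry is the entry ANDed with the mask, and a newly created file gets the default mask ANDed with the group bits of its creation mode (as documented in acl(5)), which is why a jar written with mode 644 under a default mask of rwx ends up with mask::r--. The getfacl text fed to show_effective is the file ACL from the question, embedded here as constructed input; no setfacl is run.

```sh
#!/bin/sh
# and_perms RWX1 RWX2 -> intersection of two rwx strings (how "#effective:" is computed)
and_perms() {
    out=""; i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c"$i"); b=$(printf '%s' "$2" | cut -c"$i")
        if [ "$a" = "$b" ] && [ "$a" != "-" ]; then out="$out$a"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# digit_to_rwx OCTAL_DIGIT -> rwx string (6 -> rw-)
digit_to_rwx() {
    case "$1" in
        0) printf '%s' '---';; 1) printf '%s' '--x';; 2) printf '%s' '-w-';; 3) printf '%s' '-wx';;
        4) printf '%s' 'r--';; 5) printf '%s' 'r-x';; 6) printf '%s' 'rw-';; 7) printf '%s' 'rwx';;
    esac
}

# new_file_mask DEFAULT_MASK MODE -> mask a new file gets: default mask ANDed with the
# group bits of the 3-digit octal creation mode (rwx + 644 -> r--)
new_file_mask() {
    and_perms "$1" "$(digit_to_rwx "$(printf '%s' "$2" | cut -c2)")"
}

# show_effective < getfacl-output -> "entry -> effective:xxx" for each mask-limited entry
# (owner user:: and other:: are never limited by the mask, so they are skipped)
show_effective() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\).*/\1/p')
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case "$line" in
            group:*:*|user:?*:*)
                perms=$(printf '%s' "$line" | sed 's/^[^:]*:[^:]*:\(...\).*/\1/')
                printf '%s -> effective:%s\n' "${line%% *}" "$(and_perms "$perms" "$mask")"
                ;;
        esac
    done
}

# Constructed input: the file ACL shown in the question
show_effective <<'EOF'
user::rw-
group::rwx
group:app:rwx
mask::r--
other::r--
EOF
echo "mask of a new mode-644 file under default:mask::rwx -> $(new_file_mask rwx 644)"
# After the answer's fix (widening the mask, e.g. setfacl -m mask::rw- FILE) group:app becomes:
echo "group:app:rwx with mask::rw- -> $(and_perms rwx rw-)"
```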
