ACL Modified Files – Why No Read Access?

acl

My aim is to allow read access to folder /var/www/mysite/ only for users in group www-data using a default ACL.

This works for a regular ACL, but not for a default ACL. Why?

This is how I did it:

I am logged on as user www-data who is in group www-data. I am in directory /var/www.

I created a directory mysite and gave it the permission 0. Then I added ACL permissions so that anyone in group www-data has read-access to directory mysite/.

$ mkdir mysite
$ chmod 0 mysite
$ setfacl -m g:www-data:r-x mysite
$ ls -la
d---------+  2 root root 4096 Sep  6 11:16 mysite
$ getfacl mysite/
# file: mysite/
# owner: root
# group: root
user::---
group::---
group:www-data:r-x
mask::r-x
other::---

At this point user www-data has access to the folder. However, if I instead add a default ACL, access is denied!

$ setfacl -m d:g:www-data:r-x mysite # <---- NOTE the default acl rule.
$ ls -la
d---------+  2 root root 4096 Sep  6 11:16 mysite
$ getfacl mysite/
# file: mysite/
# owner: root
# group: root
user::---
group::---
other::---
default:user::---
default:group::---
default:group:www-data:r-x
default:mask::r-x
default:other::---

Best Answer

The default ACL is the ACL that is applied to newly created files in that directory. It is also copied as the default ACL for subdirectories created under that directory, so unless you do something to override it it applied recursively.

The default ACL has no effect on the directory itself, or on any files that exist when you change the default ACL.

So in your situation you need to both set the ACL on the directory (for the directory itself) and set the default ACL (for files that you will create in the directory).

Issue #1: Rsync is dropping ACLs

After applying the ACL permissions you need to take care that when you perform your rsync that you're using either the -A or --acls switch. This instructs rsync to make sure to preserve these when doing the sync.

excerpt from rsync man page

    -A, --acls                  preserve ACLs (implies -p)

Issue #2: No ACL permissions

In looking at your example it does contain permissions as follows.

traditional perms

# owner: stian
# group: admin
user::rwx
group::r-x
other::r-x

ACLs

default:user::rwx
default:user:www-data:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

But these ACLs are for the creation of new objects, and don't work exactly the way you think. You need to still create an entry for user www-data in addition to the default ACL perms.

Example

$ pwd
/tmp/somedir

$ mkdir data
$ setfacl -R -d -m u:gopher:7 data

$ getfacl data
# file: data
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:gopher:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

An experiment

Now let's try and write a file to the data directory as user gopher.

$ sudo -u gopher touch /tmp/somedir/data/afile
touch: cannot touch `/tmp/somedir/data/afile': Permission denied

Look familiar?

Adding additional ACL permissions

It's because you need to add a ACL for the user www-data, the default rules aren't for access, they're for creating new files/directories.

$ setfacl -R -m u:gopher:7 data

Now check the data directory again:

$ getfacl data
# file: data
# owner: root
# group: root
user::rwx
user:gopher:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:gopher:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

The only difference we now have a ACL saying that user gopher has rwx access:

user:gopher:rwx

Repeat the experiment

Try writing a data to the directory again:

$ sudo -u gopher touch /tmp/somedir/data/afile
$

It worked!!! Double check the resulting file:

$ ls -l /tmp/somedir/data/afile
-rw-rw-r--+ 1 gopher gopher 0 Oct  7 21:36 /tmp/somedir/data/afile

What relationships tie ACL mask and standard group permission on a file

It doesn't make sense if the unix file permissions disagree to the acl entry and vice versa. Accordingly, the manual page (acl(5)) says what you ask for:

CORRESPONDENCE BETWEEN ACL ENTRIES AND FILE PERMISSION BITS

The permissions defined by ACLs are a superset of the permissions specified by the file permission bits.

There is a correspondence between the file owner, group, and other permissions and specific ACL entries: the owner permissions correspond to the permissions of the ACL_USER_OBJ entry. If the ACL has an ACL_MASK entry, the group permissions correspond to the permissions of the ACL_MASK entry. Otherwise, if the ACL has no ACL_MASK entry, the group permissions correspond to the permissions of the ACL_GROUP_OBJ entry. The other permissions correspond to the permissions of the ACL_OTHER_OBJ entry.

The file owner, group, and other permissions always match the permissions of the corresponding ACL entry. Modification of the file permission bits results in the modification of the associated ACL entries, and modification of these ACL entries results in the modification of the file permission bits.

Addendum in response to the discussion:

What is the reason for coupling ACL mask and file group permissions? What logic does lay behind it?

A good explanation is here. In essence the mask is an

[...] upper bound of the permissions that any entry in the group class will grant.

This upper bound property ensures that POSIX.1 applications that are unaware of ACLs will not suddenly and unexpectedly start to grant additional permissions once ACLs are supported.

In minimal ACLs, the group class permissions are identical to the owning group permissions. In extended ACLs, the group class may contain entries for additional users or groups. This results in a problem: some of these additional entries may contain permissions that are not contained in the owning group entry, so the owning group entry permissions may differ from the group class permissions.

This problem is solved by the virtue of the mask entry. With minimal ACLs, the group class permissions map to the owning group entry permissions. With extended ACLs, the group class permissions map to the mask entry permissions, whereas the owning group entry still defines the owning group permissions. The mapping of the group class permissions is no longer constant.