File ACL mask calculation: why

access-control-list

I'm trying to set up a proper ACL permission model on a shared directory using ACLs, but I'm having problems. Even though I've set a default "user:user1:rwx", files created by user2 are not writable by user1, because of the mask calculation. It says effective is "r--".

According to the man page, the mask is calculated by doing a union of the owning group, other named groups and named users. Only permissions that all of these have will be enabled in the mask (the union part).

But why? If it does that, how can I just say "user user1 can read and write, always"?

Plus, user1 can't write to files created by user2, but it can delete them…

Edit: clarification:

This is the current acl of a directory in question:

# file: NNHD/
# owner: user1
# group: user1
user::rwx
user:user1:rwx
user:user2:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:user1:rwx
default:user:user2:rwx
default:group::rwx
default:mask::rwx
default:other::---

This has proper masks.

When user2 creates a file in that directory, it is given this:

# file: test
# owner: user2
# group: user2
user::rw-
user:user1:rwx                  #effective:r--
user:user2:rwx                  #effective:r--
group::rwx                      #effective:r--
mask::r--
other::---

I don't understand why that happens… What must I do to make it writable for user1?

Best Answer

I'm fairly new to ACL on Unix, but I think you have made a logical error. You state the following: "According to the man page, the mask is calculated by doing a union of the owning group", but in your ACL settings you have the rules "group::r-x" and "mask::rwx", which makes the mask "r-x" && "rwx" = "r-x" on new files created in that directory.

The above also explains why it only affects user1, as "group::r-x" is the group of the owner (user1). You only need write permission to the folder, not the file, for deletion in Linux.

Most applications in Linux create files with "rw-" permission, like touch for example. So that's probably how it went from "r-x" && "rw-" = "r--" in the end.

So the obvious would be: if you want user read+write permissions to the files in the folder, you must set both group and mask to rw.

Me landing on this site was a Google search for disabling the auto calculation of masks in ACL, but I guess I'm out of luck. This answer might be of use for other Googlers :)
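As an added example (not code from the question or the answer above), the Python below models the arithmetic that acl(5) and setfacl(1) actually specify, for both the getfacl output in the question and the "group && mask" reasoning in the answer. When a file is created under a directory that has a default ACL, that default ACL is copied; user::, mask:: (or group:: if there is no mask) and other:: are ANDed with the owner, group and other bits of the mode the creating program requests, umask is ignored, and the named user/group entries are copied unchanged (which is why they can exceed the mask). The effective right of each named entry and of group:: is then the intersection with mask::. The union the asker quotes is a different step: it is how setfacl -m recalculates mask:: when -n is not given. Two assumptions are made: DIR_ACL is a constructed copy of the directory ACL shown in the question, and the creating program asked for mode 0644, which is what reproduces the mask::r-- the asker saw (mode 0666, which GNU touch requests, gives mask::rw-).

```python
# Added example, not from the original post: the POSIX ACL arithmetic of
# acl(5) and setfacl(1), run over a constructed copy of the getfacl output
# above.  Creation mode 0o644 is an assumption that reproduces mask::r--.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perm_to_int(s):  # "r-x" -> 5
    return sum(b for c, b in PERM_BITS.items() if c in s)

def int_to_perm(n):  # 5 -> "r-x"
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())

def parse_acl(text):
    """getfacl(1) text -> {'access': e, 'default': e}.  Each e holds the
    owner (user), owning group (group), mask and other entries as ints,
    plus users/groups dicts of named entries.  '#' comments are dropped."""
    acl = {s: {"user": None, "group": None, "mask": None, "other": None,
               "users": {}, "groups": {}} for s in ("access", "default")}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        side = "default" if line.startswith("default:") else "access"
        tag, qual, perm = (line[8:] if side == "default" else line).split(":")
        ent, perm = acl[side], perm_to_int(perm)
        if tag in ("user", "group") and qual:
            ent[tag + "s"][qual] = perm          # named user / named group
        elif tag in ("user", "group", "mask", "other"):
            ent[tag] = perm
        else:
            raise ValueError("bad ACL entry: " + raw)
    return acl

def effective(e):
    """entry AND mask, for the entries the mask covers: named users, named
    groups and the owning group.  The owner and other:: are never masked."""
    mask = 7 if e["mask"] is None else e["mask"]
    eff = {"group::": int_to_perm(e["group"] & mask)}
    eff.update(("user:" + n, int_to_perm(p & mask)) for n, p in e["users"].items())
    eff.update(("group:" + n, int_to_perm(p & mask)) for n, p in e["groups"].items())
    return eff

def create_file_acl(default, mode):
    """ACL a new file gets under a directory whose default ACL is `default`
    when the creating process requests `mode`.  acl(5): copy the default
    ACL; AND user::, mask:: (group:: if no mask) and other:: with the
    owner/group/other bits of mode; umask is NOT applied; named entries
    are copied unchanged, which is why they can exceed the mask."""
    own, grp, oth = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    new = dict(default, users=dict(default["users"]), groups=dict(default["groups"]))
    new["user"] &= own
    new["other"] &= oth
    if default["mask"] is None:
        new["group"] &= grp
    else:
        new["mask"] &= grp
    return new

def recalculated_mask(e):
    """Mask setfacl(1) installs after 'setfacl -m ...' without -n or an
    explicit m:: entry: the UNION of owning group and all named entries.
    That union is the man page's 'mask calculation'; the effective right
    is the INTERSECTION (effective() above) of an entry with that mask."""
    m = e["group"]
    for p in list(e["users"].values()) + list(e["groups"].values()):
        m |= p
    return m

DIR_ACL = """\
# file: NNHD/
# owner: user1
# group: user1
user::rwx
user:user1:rwx
user:user2:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:user1:rwx
default:user:user2:rwx
default:group::rwx
default:mask::rwx
default:other::---
"""

if __name__ == "__main__":
    default = parse_acl(DIR_ACL)["default"]
    for mode in (0o644, 0o666):     # 0o666 is what GNU touch requests
        f = create_file_acl(default, mode)
        print("mode %o: mask::%s, user1 effective %s" % (
            mode, int_to_perm(f["mask"]), effective(f)["user:user1"]))
    f = create_file_acl(default, 0o644)
    print("after setfacl -m u:user1:rwx (mask recalculated): mask::%s"
          % int_to_perm(recalculated_mask(f)))
```

The practical consequences follow from the two operations: the mask on a new file is set by the creating program's requested mode bits, so a default ACL alone cannot guarantee "user1 can always write"; either the program must request group-writable modes (0664/0666), or the mask must be raised afterwards, which is what `setfacl -m u:user1:rwx file` does implicitly (mask recalculated to the union, here rwx) unless `-n` is passed. Deletion is unaffected by any of this because unlink is governed by the directory's permissions, not the file's.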
