Linux – How to set Linux Default ACLs differently for directories and files

Tags: access-control-list, linux

I have some ACLs defined on a directory as so:

# owner: root
# group: root
user::rwx
group::r--
mask::r-x
other::r--
default:user::r--
default:group::r--
default:mask::r-x
default:other::r--

I would like any new files created in that folder to be u:apache:r-- and any new directories to be u:apache:r-x. How do I specify that intent using ACLs?

I've tried the -dm u:apache:rX and it doesn't seem to do anything different compared to just rx.

overt htdocs # getfacl .
# file: .
# owner: root
# group: root
user::rwx
user:apache:r--
group::r--
mask::r-x
other::r--
default:user::r--
default:user:apache:r--
default:group::r--
default:mask::r--
default:other::r--

overt htdocs # setfacl -dm u:apache:rx .
overt htdocs # touch blah.txt
overt htdocs # getfacl blah.txt
# file: blah.txt
# owner: root
# group: root
user::r--
user:apache:r-x                 #effective:r--
group::r--
mask::r--
other::r--

overt htdocs # rm blah.txt
overt htdocs # setfacl -dm u:apache:rX .
overt htdocs # touch blah.txt
overt htdocs # getfacl blah.txt
# file: blah.txt
# owner: root
# group: root
user::r--
user:apache:r-x                 #effective:r--
group::r--
mask::r--
other::r--

The capital X permission only seems to be useful for setting current permissions, not for setting default permissions:

overt htdocs # setfacl -x u:apache blah.txt
overt htdocs # getfacl blah.txt
# file: blah.txt
# owner: root
# group: root
user::r--
group::r--
mask::r--
other::r--

overt htdocs # setfacl -m u:apache:rX blah.txt
overt htdocs # getfacl blah.txt
# file: blah.txt
# owner: root
# group: root
user::r--
user:apache:r--
group::r--
mask::r--
other::r--

Best Answer

Well, but your example does exactly what you want ;)

Look at the second one:

overt htdocs # setfacl -dm u:apache:rx .
overt htdocs # touch blah.txt
overt htdocs # getfacl blah.txt
# file: blah.txt
# owner: root
# group: root
user::r--
user:apache:r-x                 #effective:r--
group::r--
mask::r--
other::r--

The important line is:

user:apache:r-x #effective:r--

Even though the ACL is set to r-x, it is effectively r-- for files. That is because of the mask.

And the mask will always be only rw- for files if the user created it with the rw- permissions for user. (I'm not 100% sure, but the mask cannot be less restrictive than the basic permissions.)

So effectively you get r-- for files and r-x for directories.
Because created directories will have user:r-x -> mask will be r-x -> effective permission will be r-x.
For files: they will have r-- so the mask will be r-- and the effective permissions for ACLs will be r--, too. (If you create a file and give it user::r-x permissions, then the mask will be modified and users from ACLs will get the x, too.)
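The following is an added example, not part of the original question or answer: it simulates the inheritance rule from acl(5) that the answer relies on, using the question's default ACL after `setfacl -dm u:apache:rx .` (setfacl recalculates the default mask to r-x so it covers apache's entry). It assumes `touch` creates with mode 0666 and `mkdir` with mode 0777, which is what those tools request; the umask is not applied when a default ACL exists.

```python
# Added example: simulate POSIX default-ACL inheritance (acl(5)) for the
# question's directory. Keys mirror getfacl's entry syntax.
from typing import Dict

# Default ACL after `setfacl -dm u:apache:rx .` (the question's values).
DEFAULT_ACL: Dict[str, str] = {
    "user::": "r--",
    "user:apache:": "r-x",
    "group::": "r--",
    "mask::": "r-x",  # recalculated by setfacl to cover apache's r-x
    "other::": "r--",
}

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_int(perm: str) -> int:
    return sum(PERM_BITS[c] for c in perm if c != "-")


def int_to_perm(bits: int) -> str:
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def inherit_acl(default_acl: Dict[str, str], create_mode: int) -> Dict[str, str]:
    """ACL a new object gets under a directory with a default ACL.

    Per acl(5): copy the default ACL, then AND the user::, mask:: (group::
    if there is no mask) and other:: entries with the owner, group and other
    bits of the mode the creating call requested. umask is ignored."""
    acl = dict(default_acl)
    owner, group, other = (create_mode >> 6) & 7, (create_mode >> 3) & 7, create_mode & 7
    acl["user::"] = int_to_perm(perm_to_int(acl["user::"]) & owner)
    group_key = "mask::" if "mask::" in acl else "group::"
    acl[group_key] = int_to_perm(perm_to_int(acl[group_key]) & group)
    acl["other::"] = int_to_perm(perm_to_int(acl["other::"]) & other)
    return acl


def effective(acl: Dict[str, str], entry: str) -> str:
    """Named entry ANDed with the mask: what getfacl prints as '#effective:'."""
    mask = perm_to_int(acl.get("mask::", "rwx"))
    return int_to_perm(perm_to_int(acl[entry]) & mask)


if __name__ == "__main__":
    for label, mode in (("touch blah.txt", 0o666), ("mkdir sub", 0o777)):
        acl = inherit_acl(DEFAULT_ACL, mode)
        print(f"{label}: mask::{acl['mask::']}  user:apache:{acl['user:apache:']}"
              f"  #effective:{effective(acl, 'user:apache:')}")
```

Running it reproduces the question's getfacl output for blah.txt (mask r--, apache effectively r--) and shows that a directory created under the same default ACL gives apache r-x, because mkdir's 0777 leaves the x bit in the mask.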