I have some ACLs defined on a directory as so:
# owner: root
# group: root
user::rwx
group::r--
mask::r-x
other::r--
default:user::r--
default:group::r--
default:mask::r-x
default:other::r--
I would like any new files created in that folder to be u:apache:r-- and any new directories to be u:apache:r-x. How do I specify that intent using ACLs?
I've tried the -dm u:apache:rX and it doesn't seem to do anything different compared to just rx
overt htdocs # getfacl .
# file: .
# owner: root
# group: root
user::rwx
user:apache:r--
group::r--
mask::r-x
other::r--
default:user::r--
default:user:apache:r--
default:group::r--
default:mask::r--
default:other::r--
overt htdocs # setfacl -dm u:apache:rx .
overt htdocs # touch blah.txt
overt htdocs # getfacl blah.txt
# file: blah.txt
# owner: root
# group: root
user::r--
user:apache:r-x #effective:r--
group::r--
mask::r--
other::r--
overt htdocs # rm blah.txt
overt htdocs # setfacl -dm u:apache:rX .
overt htdocs # touch blah.txt
overt htdocs # getfacl blah.txt
# file: blah.txt
# owner: root
# group: root
user::r--
user:apache:r-x #effective:r--
group::r--
mask::r--
other::r--
The capital X permission only seems to be useful for setting current permissions, not for setting default permissions:
overt htdocs # setfacl -x u:apache blah.txt
overt htdocs # getfacl blah.txt
# file: blah.txt
# owner: root
# group: root
user::r--
group::r--
mask::r--
other::r--
overt htdocs # setfacl -m u:apache:rX blah.txt
overt htdocs # getfacl blah.txt
# file: blah.txt
# owner: root
# group: root
user::r--
user:apache:r--
group::r--
mask::r--
other::r--
Best Answer
Well, but your example does exactly what you want ;)
Look at the second one:
The important line is:
user:apache:r-x #effective:r--
Even though the ACL is set to r-x, it is effectively r-- for files. It is because of the mask.
And the mask will always be only rw- for files if the user created it with the rw- permissions for user. (I'm not 100% sure, but the mask cannot be less restrictive than the basic permissions.)
So effectively you get r-- for files and r-x for directories.
Because created directories will have user:r-x -> mask will be r-x -> effective permission will be r-x.
For files: they will have r-- so the mask will be r-- and effective permissions for ACLs will be r--, too. (If you create a file and give it user::r-x permissions, then the mask will be modified and users from ACLs will get the x, too.)
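The inheritance rule from acl(5) that produces the getfacl output above, modelled as an added example (not part of the original question or answer): a new object copies the directory's default ACL, and the mode requested at creation (0666 for touch, 0777 for mkdir) clips the owner, mask and other entries. The listing in SAMPLE is constructed and assumes setfacl recalculated default:mask to r-x after `setfacl -dm u:apache:rx .`; all function names are hypothetical.

```python
PERM = {"r": 4, "w": 2, "x": 1}

def bits(s):
    """'r-x' -> 5"""
    return sum(PERM[c] for c in s if c in PERM)

def text(n):
    """5 -> 'r-x'"""
    return "".join(c if n & PERM[c] else "-" for c in "rwx")

def parse_defaults(getfacl_output):
    """Collect the default:* entries of a getfacl listing as {(tag, qualifier): bits}."""
    acl = {}
    for line in getfacl_output.splitlines():
        line = line.split("#", 1)[0].strip()   # drop '# file:' and '#effective:' comments
        if line.startswith("default:"):
            _, tag, qual, perms = line.split(":")
            acl[(tag, qual)] = bits(perms)
    return acl

def inherit(default_acl, create_mode):
    """Access ACL of a new object: the default ACL clipped by the creation mode."""
    acl = dict(default_acl)
    acl[("user", "")] &= (create_mode >> 6) & 7
    acl[("other", "")] &= create_mode & 7
    # When a mask entry exists, the mode's group bits clip the mask, not group::
    group_class = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[group_class] &= (create_mode >> 3) & 7
    return acl

def effective(acl, tag, qual):
    """Named entries and the owning group are limited by the mask; owner and other are not."""
    perms = acl[(tag, qual)]
    if (tag, qual) in (("user", ""), ("other", "")):
        return text(perms)
    return text(perms & acl.get(("mask", ""), 7))

# Constructed listing (assumption): directory defaults after `setfacl -dm u:apache:rx .`
SAMPLE = """\
default:user::r--
default:user:apache:r-x
default:group::r--
default:mask::r-x
default:other::r--
"""

def demo():
    d = parse_defaults(SAMPLE)
    new_file, new_dir = inherit(d, 0o666), inherit(d, 0o777)  # touch vs. mkdir
    return effective(new_file, "user", "apache"), effective(new_dir, "user", "apache")
```

The umask plays no part here: when the parent directory has a default ACL, only the mode passed to the creating call is applied.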