Read permission denied to user with ACL group permission to read

Tags: access-control-list, file-permissions

Introduction

A common scenario for a web application is that it has two general folders: one filled with code which is executed by the application server, for example uwsgi, and one with static content delivered directly by the web server, for example nginx.

On a Debian server the user account for the web server is www-data, while the application server normally is unique per application. This means that a code file can have the following ACL:

# file: code/main.py
# owner: user
# group: user
user::rwx
group::rwx
group:app-server:rwx
other::---

While a static file can have the following ACL:

# file: static/bootstrap.css
# owner: user
# group: user
user::rwx
group::rwx
group:app-server:rwx
group:www-data:r--
other::---

The actual question

How is it possible that a file with these permissions:

$ sudo getfacl /srv/domain/django/static_files/bootstrap/css/bootstrap.css
getfacl: Removing leading '/' from absolute path names
# file: srv/domain/django/static_files/bootstrap/css/bootstrap.css
# owner: user
# group: user
user::rwx
group::rwx
group:www-data:r--
group:app-server:rwx
group:user-organization:rwx
mask::rwx
other::---

is not readable by www-data:

$ sudo -u www-data cat /srv/domain/django/static_files/bootstrap/css/bootstrap.css
cat: /srv/domain/django/static_files/bootstrap/css/bootstrap.css: Permission denied

When the user www-data clearly is a member of the group with the same name:

$ id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

In fact relinquishing all control and allowing anyone to read does nothing to help the situation:

$ sudo chmod 774 /srv/domain/django/static_files/bootstrap/css/bootstrap.css
$ sudo getfacl /srv/domain/django/static_files/bootstrap/css/bootstrap.css
getfacl: Removing leading '/' from absolute path names
# file: srv/domain/django/static_files/bootstrap/css/bootstrap.css
# owner: user
# group: user
user::rwx
group::rwx
group:www-data:r--
group:app-server:rwx
group:user-organization:rwx
mask::rwx
other::r--
$ cat /srv/domain/django/static_files/bootstrap/css/bootstrap.css
cat: /srv/domain/django/static_files/bootstrap/css/bootstrap.css: Permission denied

Changing the ownership and group of the file over to www-data with chown and chgrp doesn't change the outcome. I find nothing of interest in dmesg, messages or auth.log.

So something is going on, but I'm all out of ideas.

Best Answer

The answer lies in the fact that the user group must have listing, or execute, permission on every folder leading up to the folder containing the file.

In other words the solution was the following:

$ sudo setfacl -m g:www-data:X /srv/domain
$ sudo setfacl -m g:www-data:X /srv/domain/django
$ sudo setfacl -R -m g:www-data:rX /srv/domain/django/static_files
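As an added illustration (not code from the question or the answer), the following Python model applies the acl(5) access check to getfacl-style text and then walks every directory of the path, which is exactly where the denial above comes from. FILE_ACL is the file ACL from the question; SRV_ACL, DIR_BEFORE and DIR_AFTER are constructed, with DIR_AFTER standing in for an intermediate directory after the answer's `setfacl -m g:www-data:X` (a `group:www-data:--x` entry plus a recalculated mask).

```python
def acl_permits(acl_text, user, groups, want):
    """Evaluate getfacl-style text per acl(5): owner, then named user, then owning
    or named groups (both cut by mask::, never falling through), then other."""
    hdr, users, grp, mask, other, want = {}, {}, [], None, set(), set(want)
    for line in acl_text.strip().splitlines():
        if line.startswith("# "):            # "# owner: user" / "# group: user"
            k, _, v = line[2:].partition(": ")
            hdr[k] = v
        elif line.strip():                   # drop any trailing "#effective:" note
            tag, qual, perms = line.partition("#")[0].strip().split(":")
            perms = set(perms) - {"-"}
            if tag == "user":
                users[qual] = perms          # qual == "" is the owner's own entry
            elif tag == "group":
                grp.append((qual or hdr["group"], perms))
            elif tag == "mask":
                mask = perms
            elif tag == "other":
                other = perms
    masked = lambda p: p & mask if mask is not None else p
    if user == hdr["owner"]:
        return want <= users[""]
    if user in users:
        return want <= masked(users[user])
    hits = [masked(p) for g, p in grp if g in groups]
    return any(want <= p for p in hits) if hits else want <= other

def path_access(acls, path, user, groups, want):
    """Require 'x' on every directory of `path`, then `want` on the file; return (allowed, first blocking path)."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        node = "/" + "/".join(parts[:i])
        if not acl_permits(acls[node], user, groups, want if i == len(parts) else "x"):
            return False, node
    return True, None

# Constructed ACLs: the question's file ACL, a world-searchable /srv, and the
# intermediate directories before and after the answer's `setfacl -m g:www-data:X`.
FILE_ACL = ("# owner: user\n# group: user\nuser::rwx\ngroup::rwx\ngroup:www-data:r--\n"
            "group:app-server:rwx\ngroup:user-organization:rwx\nmask::rwx\nother::---")
SRV_ACL = "# owner: root\n# group: root\nuser::rwx\ngroup::r-x\nother::r-x"
DIR_BEFORE = "# owner: user\n# group: user\nuser::rwx\ngroup::rwx\nother::---"
DIR_AFTER = DIR_BEFORE + "\ngroup:www-data:--x\nmask::rwx"
PATH = "/srv/domain/django/static_files/bootstrap/css/bootstrap.css"

def www_data_read(fixed):
    """Can www-data (uid 33, member only of group www-data) read PATH?"""
    acls, node = {"/srv": SRV_ACL, PATH: FILE_ACL}, "/srv"
    for part in PATH.split("/")[2:-1]:   # domain, django, static_files, bootstrap, css
        node += "/" + part
        acls[node] = DIR_AFTER if fixed else DIR_BEFORE
    return path_access(acls, PATH, "www-data", {"www-data"}, "r")
```

Run `www_data_read(False)` to see the walk stop at /srv/domain even though the file's own ACL grants www-data read, and `www_data_read(True)` to see the fixed tree succeed.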