Home / server / Questions / 223733
In Process
Halfgaar
Asked: 2011-01-19 03:47:03 +0800 CST

File ACL mask calculation: why?

  • 772

I'm trying to set up a proper ACL permission model on a shared directory using ACLs, but I'm having problems. Even though I've set a default "user:user1:rwx", files created by user2 are not writable by user1, because of the mask calculation. It says effective is "r--".

According to the man page, the mask is calculated by doing a union of the owning group, other named groups and named users. Only permissions that all of these have, will be enabled in the mask (the union part).

But why? If it does that, how can I just say "user user1 can read and write, always"?

Plus, user1 can't write to files created by user2, but it can delete them...

Edit: clarification:

This is the current acl of a directory in question:

# file: NNHD/
# owner: user1
# group: user1
user::rwx
user:user1:rwx
user:user2:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:user1:rwx
default:user:user2:rwx
default:group::rwx
default:mask::rwx
default:other::---

This has proper masks.

When user2 creates a file in that directory, it is given this:

# file: test
# owner: user2
# group: user2
user::rw-
user:user1:rwx                  #effective:r--
user:user2:rwx                  #effective:r--
group::rwx                      #effective:r--
mask::r--
other::---

I don't understand why that happens... What must I do to make it writable for user1?

access-control-list

3 Answers

  1. I'm fairly new to ACL on unix, but I think you have made a logical error. You state the following "According to the man page, the mask is calculated by doing a union of the owning group" but in your ACL settings you have the rule "group::r-x" and "mask::rwx" that makes the mask "r-x" && "rwx" = "r-x" on new files created in that directory.

    The above also explains why it only affect user1, as "group::r-x" are the group of the owner (user1). You only need write permissions to the folder, not the file, for deletion in linux.

    Most application in linux creates files with "rw-" permission, like touch for example. So that's probably how it went from "r-x" && "rw-" = "r--" in the end.

    So the obvious would be if you want user read+write permissions to the files in the folder you must set both group and mask to rw

    Me landing on this site was a google search for disabling the auto calculation of masks in ACL, but guess I'm out of luck. This answer might be of use for other googlers :)

    • 3

  2. (I'm assuming you're on Linux here)

    You can set the mask explicitly with ACLs in a similar way to how you set the ACLs themselves using setfacl m::mask

    eg:

    jim@abox:/tmp$ getfacl temp/
# file: temp/
# owner: jim
# group: jim
user::rwx
user:admin:rwx
group::r-x
mask::rwx
other::r-x

jim@abox:/tmp$ setfacl -R -m m::rx temp/
jim@abox:/tmp$ getfacl temp/
# file: temp/
# owner: jim
# group: jim
user::rwx
user:admin:rwx                #effective:r-x
group::r-x
mask::r-x
other::r-x
    • 0

  3. I tested your example and got a different result. Here are the commands and output I did.

    sudo adduser user1
sudo adduser user2
sudo -i -u user1 #basically the same thing as sudo su user1
mkdir /tmp/NNHD
setfacl --set user::rwx,user:user1:rwx,user:user2:rwx,group::r-x,mask:rwx,other::---,default:user::rwx,default:user:user1:rwx,default:user:user2:rwx,default:group::rwx,default:mask::rwx,default:other::--- /tmp/NNHD

getfacl /tmp/NNHD

Output:

getfacl: Removing leading '/' from absolute path names
# file: tmp/NNHD
# owner: user1
# group: user1
user::rwx
user:user1:rwx
user:user2:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:user1:rwx
default:user:user2:rwx
default:group::rwx
default:mask::rwx
default:other::---


exit
sudo -i -u user2 #basically the same thing as sudo su user2
touch /tmp/NNHD/test
getfacl /tmp/NNHD/test

Output:

getfacl: Removing leading '/' from absolute path names
# file: tmp/NNHD/test
# owner: user2
# group: user2
user::rw-
user:user1:rwx          #effective:rw-
user:user2:rwx          #effective:rw-
group::rwx          #effective:rw-
mask::rw-
other::---


ls -l /tmp/NNHD/test

Output:

-rw-rw----+ 1 user2 user2 0 Sep  6 15:14 /tmp/NNHD/test

    ---- begin code to clean up and undo our changes ----

    exit
sudo deluser --remove-home user1
#sudo groupdel user1 #Despite getting a warning about group user1 has no more members, the group seems to get deleted on its own when removing the user, so deleting the group manually is unnecessary.

sudo deluser --remove-home user2
#sudo groupdel user1 #Despite getting a warning about group user2 has no more members, the group seems to get deleted on its own when removing the user, so deleting the group manually is unnecessary.

sudo rm -r /tmp/NNHD

    ---- end code to clean up and undo our changes ----

    The output I got when doing /getfacl /tmp/NNHD/test makes more sense to me, because https://linux.die.net/man/5/acl says that when creating a file in a directory that has a default ACL, this is how the ACL on the new file is generated:

    1. The new object inherits the default ACL of the containing directory as its access ACL.
    2. The access ACL entries corresponding to the file permission bits are modified so that they contain no permissions that are not contained in the permissions specified by the mode parameter.

    So, after step 1, every permission on NNHD/test would be rwx except other would be ---. Touch by default sets new files to rw-rw-rw permissions though, so after step 2, user::rw- makes sense since the user can't have more than rw-. I'm brand new to access control lists (and so maybe everything I'm saying is wrong) and I'm not sure exactly why group::rwx is what it is. I would have thought step 2 would have changed group:: to rw- just like step 2 set user:: to rw-. I would guess that step 2 just modifies the mask instead of modifying group::, but I'm not sure.

    • 0