It might be the time of night, but this is puzzling me. Picture the following.
[root@node1 acltest]# getfacl foo/
# file: foo
# owner: root
# group: testuser
user::rwx
group::r-x
other::---
[root@node1 acltest]# ls -la .
total 24
drwxr-xr-x 3 root root 4096 Feb 9 21:53 .
drwxr-xr-x 25 root root 4096 Feb 9 21:54 ..
drwxr-x--- 2 root testuser 4096 Feb 9 21:53 foo
[root@node1 acltest]# setfacl -m m::rwx foo
[root@node1 acltest]# getfacl foo/
# file: foo
# owner: root
# group: testuser
user::rwx
group::r-x
mask::rwx
other::---
[root@node1 acltest]# ls -la .
total 24
drwxr-xr-x 3 root root 4096 Feb 9 21:53 .
drwxr-xr-x 25 root root 4096 Feb 9 21:54 ..
drwxrwx---+ 2 root testuser 4096 Feb 9 21:53 foo
[root@node1 acltest]# su - testuser
[testuser@node1 ~]$ cd /acltest/foo/
[testuser@node1 foo]$ ls -la .
total 16
drwxrwx---+ 2 root testuser 4096 Feb 9 21:53 .
drwxr-xr-x 3 root root 4096 Feb 9 21:53 ..
[testuser@node1 foo]$ touch bar
touch: cannot touch `bar': Permission denied
In words: I create a directory foo
, with mode 0750
, root
as owner and testuser
as the group. (testuser
is the private group of testuser
, but that doesn't matter.)
The getfacl
command correctly shows no ACL's on this directory and there is not mask yet. The mask will be set accordingly to the group permissions if I would add a named group or user now.
If I explicitly set the mask to rwx
now, the group permissions as shown by ls
change too. I know it happens the other way around (the mask changes when the group permissions change), but this seems puzzling.
The more puzzling because the getfacl
output does not show the group permissions as rwx
but - as said - ls
does.
Which one is right? Apparently, the output of getfacl
is right, because testuser
cannot write to foo
. As expected, by the way, because I did not grant the testuser
group any permissions to do so.
It goes on. I cannot allow the testuser
group write permissions on foo
by just using chmod
. I have to explicitly set an ACL using setfacl -m g:testuser:rwx foo
to allow testuser
to finally touch foo/bar
.
Can someone explain the rationale behind the difference in the outputs of getfacl
and ls
? I know it can be tricky to have normal permissions go together with ACL's, but this seems plain wrong. (Though I expect to be missing something glaringly obvious ;))
I have already seen Why does chmod(1) on the group affect the ACL mask?
From the man(5) page of acl
and later:
This means that rwx CAN be granted on the dir, but the chmod bits have to agree with it.
I would like to add that when ACLs are used on an object, the permissions listed by ls -l is bit different.
Accoring to man ACL(5):
So when using ACLs you should consider the group permission section of ls -l output as the ACL mask .