We want to mimic the behavior of a system-wide 002 umask on a certain directory foo, in order to ensure the following result:
1. All sub-directories created underneath foo will have 775 permissions
2. All files created underneath foo and subdirectories will have 664 permissions
3. 1 and 2 will happen for files/dirs created by all users, including root, and all daemons.
Assuming that ACL is enabled on our partition, this is the command we came up with:
setfacl -R -d -m mask:002 foo
... but this doesn't work. New files created in the directory end up looking like:
-rw--w-r--+
When I run getfacl on the new file, I get:
# file: newfile.py
# owner: root
# group: agroup
user::rw-
group::rwx #effective:-w-
mask::-w-
other::r--
In other words, applying a mask:200 with ACL is not the same as applying umask 200.
So is there a way to apply a per-directory umask with an ACL?
This is a typical job for ACLs :-)
Your example
Set the permissions for the directory itself
Set the permissions for the newly created directory and files in that directory.
Test
Explanations
mask:r-x + group:foo:rwx => effective permissions = r-x)
Suggestions
chmod 2755), so you control which group can write to the file.
setfacl -m group:dev_team:rwx
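The getfacl output in the question follows from how a default ACL is applied when a file is created: the mask is a ceiling on group-class rights, and the mode requested by the creating program is ANDed into the inherited entries while the umask is ignored. The following Python model of that rule is an added illustration, not code from any post on this page; the base entries rwx/rwx/r-x for foo and the requested modes 0666 and 0777 are assumptions.

```python
# Model of how a new object gets its permissions from the parent
# directory's default ACL (see acl(5)). The umask plays no part here.

def perm(s):
    """Parse 'r-x' style text or an octal value such as '002' into 3 bits."""
    if s.isdigit():
        return int(s, 8) & 7
    return sum(bit for ch, bit in zip(s, (4, 2, 1)) if ch != "-")

def rwx(bits):
    """Render 3 permission bits as 'rwx' style text."""
    return "".join(ch if bits & bit else "-" for ch, bit in zip("rwx", (4, 2, 1)))

def create(default_acl, mode):
    """Return (access ACL, ls-style mode) of an object created with `mode`
    in a directory whose default ACL is `default_acl`."""
    acl = dict(default_acl)
    acl["user::"] &= (mode >> 6) & 7
    # With a mask entry, the group bits of `mode` limit the mask and
    # group:: is copied unchanged; without one they limit group::.
    key = "mask::" if "mask::" in acl else "group::"
    acl[key] &= (mode >> 3) & 7
    acl["other::"] &= mode & 7
    # ls shows the mask (when present) in the group column.
    return acl, rwx(acl["user::"]) + rwx(acl[key]) + rwx(acl["other::"])

def effective(acl, entry):
    """Effective rights of a group-class entry: the entry ANDed with the mask."""
    return acl[entry] & acl.get("mask::", 7)

# Constructed input: base entries assumed for foo (not shown on the page).
BASE = {"user::": perm("rwx"), "group::": perm("rwx"), "other::": perm("r-x")}
# What `setfacl -d -m mask:002 foo` stores: a mask of -w-, not a umask.
ASKER = {**BASE, "mask::": perm("002")}
# A default ACL that states the wanted ceiling directly,
# as stored by e.g. `setfacl -d -m u::rwx,g::rwx,o::r-x foo`.
WANTED = dict(BASE)

if __name__ == "__main__":
    acl, mode = create(ASKER, 0o666)
    print(mode, "group:: effective", rwx(effective(acl, "group::")))
    print("file:", create(WANTED, 0o666)[1], "dir:", create(WANTED, 0o777)[1])
    print("program asks for 0600:", create(WANTED, 0o600)[1])
```

The last case shows the limit of this approach: a default ACL caps what the creating program requests, so a file opened with mode 0600 still ends up 0600.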
You can use a dnotify and script triggered each time a file is created. See: https://serverfault.com/a/127686/30946