On Debian 7.0 I've set up filesystem access control lists on my mount:
mx:/srv/www$ mount | grep acl
/dev/xvda on / type ext3 (rw,relatime,errors=remount-ro,acl,data=ordered)
Now I simply want newly created files and dirs to have the www-data group:
sudo setfacl -Rm d:g:www-data:rX,g:www-data:rX /srv/www/
Now it has the settings:
mx:/srv/www$ getfacl .
# file: .
# owner: hendry
# group: root
user::rwx
group::r-x
group:www-data:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:www-data:r-x
default:mask::r-x
default:other::r-x
To test, I did a:
mx:/srv/www$ touch test
mx:/srv/www$ ll test
-rw-r--r--+ 1 hendry hendry 0 Mar 19 07:25 test
I was expecting to see hendry:www-data upon the newly created file test. What am I missing?
Try running:
You should see something that looks like:
I might have gotten some things wrong here, but the main point is that
group:www-data:r-x
should exist. That's what the default:group:$gid:rwx syntax does -- it makes sure a group:$gid:rwx ACL entry exists on the created object. If you want your created files/directories/fifos/etc. to be owned by the group, you have to make the directory owned by the www-data group, and set the setgid flag:
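An added example, not part of the answer above: a small Python audit helper that decodes the raw system.posix_acl_default xattr (the on-disk form of the default: lines getfacl prints) and reports, for a directory, whether new files will only inherit a named-group ACL entry or will also get the directory's group through setgid. The gid 33 for www-data, the function names and the sample blob are assumptions made here; os.getxattr is Linux-only.

```python
import os
import stat
import struct

# Linux on-disk layout of the system.posix_acl_access / system.posix_acl_default xattrs
# (version 2): u32 version, then 8-byte entries of (u16 tag, u16 perm, u32 id), little-endian.
ACL_VERSION = 2
ACL_UNDEFINED_ID = 0xFFFFFFFF
TAG_NAMES = {0x01: "user", 0x02: "user", 0x04: "group", 0x08: "group",
             0x10: "mask", 0x20: "other"}
NAMED_TAGS = {0x02, 0x08}  # user:<name> and group:<name> entries carry a real uid/gid


def perm_str(perm):
    """Render the 3-bit rwx permission field the way getfacl does."""
    return "".join(ch if perm & bit else "-" for ch, bit in (("r", 4), ("w", 2), ("x", 1)))


def parse_posix_acl(raw, names=None):
    """Decode raw ACL xattr bytes into getfacl-style 'tag:qualifier:perms' strings."""
    names = names or {}
    (version,) = struct.unpack_from("<I", raw, 0)
    if version != ACL_VERSION or (len(raw) - 4) % 8:
        raise ValueError("not a version-2 POSIX ACL blob")
    entries = []
    for off in range(4, len(raw), 8):
        tag, perm, qid = struct.unpack_from("<HHI", raw, off)
        qualifier = names.get(qid, str(qid)) if tag in NAMED_TAGS else ""
        entries.append(f"{TAG_NAMES[tag]}:{qualifier}:{perm_str(perm)}")
    return entries


def audit_dir(path, names=None):
    """What a new file in `path` will get: inherited default ACL entries vs. group via setgid."""
    st = os.stat(path)
    try:
        default_acl = parse_posix_acl(os.getxattr(path, "system.posix_acl_default"), names)
    except (OSError, AttributeError):  # ENODATA (no default ACL), ENOTSUP, or non-Linux
        default_acl = []
    return {"default_acl": default_acl,
            "setgid": bool(st.st_mode & stat.S_ISGID),  # only this makes new files group-owned
            "gid": st.st_gid}


# Constructed blob equal to the question's default ACL (www-data assumed to be gid 33).
SAMPLE_DEFAULT_ACL = struct.pack("<I", ACL_VERSION) + b"".join(
    struct.pack("<HHI", tag, perm, qid) for tag, perm, qid in (
        (0x01, 7, ACL_UNDEFINED_ID), (0x04, 5, ACL_UNDEFINED_ID), (0x08, 5, 33),
        (0x10, 5, ACL_UNDEFINED_ID), (0x20, 5, ACL_UNDEFINED_ID)))
```

Running audit_dir on /srv/www from the question would list group:www-data:r-x under default_acl while reporting setgid False, which is exactly why the new file shows an ACL entry but not www-data ownership.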