I am trying to give a specific user (for example "test") the right to read any newly created directory. I do that using:
undefine@undefine-ThinkPad-T430s:~/test$ getfacl .
# file: .
# owner: undefine
# group: undefine
user::rwx
group::rwx
other::r-x
undefine@undefine-ThinkPad-T430s:~/test$ setfacl -d -m u:test:rX .
undefine@undefine-ThinkPad-T430s:~/test$ getfacl .
# file: .
# owner: undefine
# group: undefine
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:test:r-x
default:group::rwx
default:mask::rwx
default:other::r-x
Then, when I create a new directory using the mkdir command, it works fine:
undefine@undefine-ThinkPad-T430s:~/test$ mkdir testa
undefine@undefine-ThinkPad-T430s:~/test$ getfacl testa
# file: testa
# owner: undefine
# group: undefine
user::rwx
user:test:r-x
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:test:r-x
default:group::rwx
default:mask::rwx
default:other::r-x
But if I create a new directory forcing the mode, the effective rights are empty:
undefine@undefine-ThinkPad-T430s:~/test$ mkdir -m 700 testb
undefine@undefine-ThinkPad-T430s:~/test$ getfacl testb
# file: testb
# owner: undefine
# group: undefine
user::rwx
user:test:r-x #effective:---
group::rwx #effective:---
mask::---
other::---
default:user::rwx
default:user:test:r-x
default:group::rwx
default:mask::rwx
default:other::r-x
And the test user can't read files within the directory.
Is there any way to avoid that and give the "test" user the right to read directory content regardless of the mode used when the directory is created? I can work around it using an incron job which "fixes" permissions after the directory is created, but it's a dirty hack and I would like to do it the "right way".
The real problem I've encountered is on a Docker system, where dockerd itself creates directories within the /var/lib/docker/containers directory with mode 0700.
Do you have an example of the permissions you give the folder when you create the directory with the 'mode' flag? AFAIK, ACL permissions are combined with the 'normal' file permissions (chmod). But the file permissions supersede the ACL permissions. I was able to replicate what you were explaining by creating a folder with ACL permissions lower than the folder permissions.
Alternatively, is it an option to use umask?
Also, looking at the 'other' permissions on this folder, your 'test' user should have access to read and change into this directory (r-x)? Is this not the case?
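The getfacl output in the question follows directly from the rules in acl(5) for object creation with a default ACL: the new directory inherits the default ACL as its access ACL, and then user::, mask:: (or group:: when there is no mask) and other:: are ANDed with the owner, group and other bits of the mode handed to mkdir(2). With `-m 700` the group bits are 000, so the mask becomes ---, and every named entry is filtered through that mask. The model below is an added example, written for this page and not taken from the question, the comments, or the kernel source; it reproduces the two getfacl listings above from the posted default ACL and also models what a later chmod(2) (the incron-style fix-up, here assumed to be `chmod 750`) does to the same ACL.

```python
# Added model of how Linux combines a directory's default ACL with the mode
# given to mkdir(2), after acl(5) "Object creation and default ACLs" and
# "Changing the file permission bits". Constructed illustration, not kernel
# code. DEFAULT_ACL is the default ACL shown by getfacl in the question.

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))


def parse_perms(text):
    """'r-x' -> 5"""
    return sum(bit for ch, bit in PERM_BITS if ch in text)


def format_perms(value):
    """5 -> 'r-x'"""
    return "".join(ch if value & bit else "-" for ch, bit in PERM_BITS)


def parse_acl(lines):
    """Turn getfacl output into (tag, qualifier, perms) tuples. A leading
    'default:' is dropped, which is exactly how the kernel copies a default
    ACL into the access ACL of a new object."""
    acl = []
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop '# file:' headers and '#effective:' notes
        if not line:
            continue
        if line.startswith("default:"):
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        acl.append((tag, qualifier, parse_perms(perms)))
    return acl


def _mode_slots(acl):
    """Which ACL entries carry the three rwx triplets of a mode:
    owner bits -> user::, group bits -> mask:: (group:: if there is no
    mask), other bits -> other::. Returns {tag: bit shift}."""
    has_mask = any(tag == "mask" for tag, _, _ in acl)
    return {"user": 6, ("mask" if has_mask else "group"): 3, "other": 0}


def acl_for_new_object(default_acl, mode):
    """Access ACL of a new object: inherit the default ACL, then AND the
    mode-carrying entries with `mode`. Named entries such as user:test are
    copied untouched; the umask is not applied when a default ACL exists,
    the mode passed to mkdir(2) is what counts."""
    slots = _mode_slots(default_acl)
    out = []
    for tag, qual, perms in default_acl:
        if qual == "" and tag in slots:
            perms &= (mode >> slots[tag]) & 7
        out.append((tag, qual, perms))
    return out


def chmod_acl(acl, mode):
    """What chmod(2) does to an object that already has an ACL: the same
    three entries are set (not ANDed) from `mode`; named entries stay."""
    slots = _mode_slots(acl)
    out = []
    for tag, qual, perms in acl:
        if qual == "" and tag in slots:
            perms = (mode >> slots[tag]) & 7
        out.append((tag, qual, perms))
    return out


def effective_perms(acl):
    """{(tag, qualifier): permissions that actually apply}. group:: and every
    named user/group entry pass through mask::; user::, other:: and the
    mask itself do not."""
    mask = next((p for t, _, p in acl if t == "mask"), 7)
    eff = {}
    for tag, qual, perms in acl:
        through_mask = tag == "group" or (tag == "user" and qual != "")
        eff[(tag, qual)] = perms & mask if through_mask else perms
    return eff


def mode_bits(acl):
    """The permission bits ls -l would show for this ACL."""
    slots = _mode_slots(acl)
    mode = 0
    for tag, qual, perms in acl:
        if qual == "" and tag in slots:
            mode |= perms << slots[tag]
    return mode


def render(acl):
    """getfacl-style lines, with '#effective:' where the mask cuts an entry."""
    eff = effective_perms(acl)
    lines = []
    for tag, qual, perms in acl:
        line = f"{tag}:{qual}:{format_perms(perms)}"
        if eff[(tag, qual)] != perms:
            line += f" #effective:{format_perms(eff[(tag, qual)])}"
        lines.append(line)
    return lines


DEFAULT_ACL = parse_acl("""
default:user::rwx
default:user:test:r-x
default:group::rwx
default:mask::rwx
default:other::r-x
""".splitlines())


def demo():
    """The two cases from the question plus an assumed chmod fix-up."""
    plain = acl_for_new_object(DEFAULT_ACL, 0o777)   # mkdir testa: mkdir(2) gets 0777
    forced = acl_for_new_object(DEFAULT_ACL, 0o700)  # mkdir -m 700 testb
    fixed = chmod_acl(forced, 0o750)                 # assumed later 'chmod 750 testb'
    return plain, forced, fixed


if __name__ == "__main__":
    for name, acl in zip(("mkdir testa", "mkdir -m 700 testb", "chmod 750 testb"), demo()):
        print(f"# {name}: mode {mode_bits(acl):04o}")
        print("\n".join(render(acl)))
```

Running it prints the same `user:test:r-x #effective:---` and `mask::---` lines for the `-m 700` case as the question's getfacl, which is the point: the named entry is never lost, it is only masked, and nothing in the default ACL can stop the creating process's mode from setting that mask. Note also the chmod side of the model: raising the group bits later (here 750) re-opens the mask for user:test, but it does so for the group:: entry too, so any fix-up job should be deliberate about which group bits it grants.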