Giving execute permission on folder with ACL makes files executable, too

I have a folder, owned by the "website user" foo, that will host a site:

$ sudo mkdir foo
$ sudo chown -R foo:foo foo
$ sudo chmod -R u=rwX,g=rX,o= foo
$ sudo chmod -R g+s foo
$ ls -la

drwxr-s--- ... foo foo ... foo

I add Nginx (my server) to the foo group, but I don't want Nginx to be able to write, so I set the group permission to rX.

I set a default ACL. I want all new files to have these permissions by default:

$ sudo setfacl -Rm d:u::rwX foo
$ getfacl foo

user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:other::---

I make extra sure to use rwX, since I want directories to be traversable, but not make files executable by default.

Now, Alice and Bob want to work on some stuff in there, so I add them both to the foo group:

$ sudo usermod -aG foo bob
$ sudo usermod -aG foo alice

I give Bob access. I want to add ACL overrides so Alice and Bob, as human users in the foo group, are able to write. Bob first:

$ sudo setfacl -Rm u:bob:rwX,d:u:bob:rwX foo
$ getfacl foo

user::rwx
user:bob:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:bob:rwx
default:group::r-x
default:mask::rwx
default:other::---

Bob tests his newfound god powers:

$ touch foo/bobfile
$ ls -la foo

drwxrws---+ ... foo  foo  ... .
drwxr-xr-x  ... root root ... ..
-rw-rw----+ ... bob  foo  ... bobfile

I note dutifully that ls now shows bobfile as having group write permissions, but I know that's only because ls represents the highest available permission that applies to at least one entity, not "what everybody has by default".

I give Alice access. I want her to have the same permissions as Bob:

$ sudo setfacl -Rm u:alice:rwX,d:u:alice:rwX foo
$ getfacl foo

user::rwx
user:bob:rwx
user:alice:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:bob:rwx
default:user:alice:rwx
default:group::r-x
default:mask::rwx
default:other::---

Now Alice can execute Bob's file. Huh?

$ ls -la foo

drwxrws---+ ... foo  foo  ... .
drwxr-xr-x  ... root root ... ..
-rw-rwx---+ ... bob  foo  ... bobfile

Indeed, Alice can now execute foo/bobfile. Meanwhile, owner Bob cannot execute his own file (as it should be).

To make things weirder, if Alice creates a new file now, she can't execute it either - only bobfile, which was already there when her ACL was added.

Neither can Bob edit Alice's file, which, again, is as it should be.

I seem to be misunderstanding two things:

  1. The significance of x vs. X, at least when it comes to ACLs. Why is Alice getting execute permissions on the existing file here?

  2. The significance of ACL default vs. non-default rules, since adding an ACL entry with X makes existing files executable, but not new files.

What would be the correct command to achieve the intended result?

Some quick Google searches seem to indicate that there's no binary encoding for `X` so for `setfacl` it's stored the same as `x`. It seems like `X` is a shortcut with `chmod` so you can do `chmod g+X *` and it will add an `x` to the group permission for directories or files that already have an `x` permission but not touch files that don't have an `x` elsewhere.
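Added example, not part of the question or the comment above: a small Python model of the two rules that produce this behaviour (setfacl's X resolves to x on a file that already has an execute bit for anyone, and setfacl recalculates the mask after -m), applied to the ACLs shown in the question. The class and function names are my own.

```python
def parse(p):
    return {c for c in p if c != "-"}

def fmt(s):
    return "".join(c if c in s else "-" for c in "rwx")

class Acl:
    def __init__(self, owner, is_dir, user, group, other, named, mask):
        self.owner, self.is_dir = owner, is_dir
        self.user, self.group, self.other = parse(user), parse(group), parse(other)
        self.named = {k: parse(v) for k, v in named.items()}
        self.mask = parse(mask)

    def setfacl_m_user(self, name, perms):
        """setfacl -m u:NAME:PERMS. Capital X becomes x only if the object is a
        directory or already has an execute bit for someone (setfacl(1)); without
        -n the mask is then recalculated as the union of group:: and all named
        entries, which can widen what other named users effectively get."""
        p = parse(perms)
        if "X" in p:
            p.remove("X")
            entries = [self.user, self.group, self.other, *self.named.values()]
            if self.is_dir or any("x" in e for e in entries):
                p.add("x")
        self.named[name] = p
        self.mask = set.union(self.group, *self.named.values())

    def effective(self, who, in_group=False):
        if who == self.owner:        # acl(5): owner entry wins and is not masked
            return self.user
        if who in self.named:        # named user entry, limited by the mask
            return self.named[who] & self.mask
        if in_group:                 # owning group entry, limited by the mask
            return self.group & self.mask
        return self.other

def bobfile_scenario():
    # Constructed: bobfile as bob created it under the question's default ACL. touch asks
    # for mode 0666, so user:: and the mask get rw-; inherited user:bob:rwx keeps its x.
    f = Acl("bob", False, "rw-", "r-x", "---", {"bob": "rwx"}, "rw-")
    before = (fmt(f.effective("bob")), fmt(f.effective("alice", in_group=True)))
    f.setfacl_m_user("alice", "rwX")  # the non-default half of the -Rm command
    after = (fmt(f.effective("bob")), fmt(f.effective("alice", in_group=True)))
    return before, after  # (('rw-', 'r--'), ('rw-', 'rwx'))

def alice_newfile_scenario():
    # Constructed: a file alice creates later; as owner only user::rw- applies to her.
    f = Acl("alice", False, "rw-", "r-x", "---", {"bob": "rwx", "alice": "rwx"}, "rw-")
    return fmt(f.effective("alice"))  # 'rw-'
```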