Reputation: 5602
Why would a directory show drwxrwxr-x+ when there is no group-writable bit?
Let's give one extra user (john) rwx
permission on a directory, like so:
$ mkdir logfiles
$ setfacl -m user:john:rwx logfiles
$ getfacl -ce logfiles
user::rwx
user:john:rwx #effective:rwx
group::r-x #effective:r-x
mask::rwx
other::r-x
That's just how I want things, and john now has access equivalent to the directory owner. However,
$ ls -ld logfiles
drwxrwxr-x+ 2 bob users 4096 Mar 6 22:38 logfiles
$ find -perm +020 -ls
8197 4 drwxrwxr-x 2 bob users 4096 Mar 6 22:38 ./logfiles
No group has write permission, but the output of ls and the matching result from find would suggest otherwise. This is coming directly from the st_mode field of the lstat(2) system call; why is the S_IWGRP bit being set?
Upvotes: 4
Views: 1605
Reputation: 6382
Once POSIX ACLs are activated for a given file or directory, the group class permission mode is no longer the group permission; it is in fact the mask ACL entry (not related to umask). So now, because your file has POSIX ACL extensions (as can be seen by the + suffix in ls -l), that rwx shown by ls, stat and find is not actually the group class permission mode anymore. Modifying the group class permission mode with chmod also only changes the mask, and does not change the real group class permission mode. This means the only way for you to change the group class permission mode is by using setfacl.
The mask ACL entry appears to be the maximum possible permissions for all ACL entries that are "assigned" the group class. This includes named users, named groups and the owning group. It does not include the owning user and the other classes. This can limit the assigned permissions for any named user, named group or the owning group. For maximum flexibility, set the mask to rwx, then set named user, named group and owning group permissions at your discretion. This will all work for things like cd, ls and other stuff. However, this does mean that when using ls, stat, etc., they will all show rwx for the group class, even though that is not true.
Why is this mask here? What purpose does it serve? It seems that the mask was here for backwards compatibility with programs that don't understand POSIX ACLs. What happens if a program that doesn't understand POSIX ACLs sees rwx in the group class (when in reality it's actually the mask)? Does it succeed in accessing the directory/file or not? (I do not know the answer to this question.) I think this is a really weird quirk, and should probably be removed. But that's how POSIX ACLs work.
Upvotes: 2
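To make the answer above concrete, here is an added model (not code from the question or the answer) of how the mask shapes what stat reports and how access is actually checked, following the evaluation order in acl(5). The uids and gids for bob, john and the users group are constructed for the example.

```python
"""Model of the POSIX ACL mask: why ls shows 'rwxrwxr-x' while group:: is r-x.
Added example, not from the original post. Evaluation order follows acl(5).
The uids/gids (bob=1000, john=1001, users=100) are constructed values."""
from __future__ import annotations
from dataclasses import dataclass, field

R, W, X = 4, 2, 1


def rwx(bits: int) -> str:
    return "".join(c if bits & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))


@dataclass
class Acl:
    owner_uid: int
    owner_gid: int
    user_obj: int                   # user::   (owning user)
    group_obj: int                  # group::  (owning group)
    other: int                      # other::
    mask: int | None = None         # mask::   (present once a named entry exists)
    users: dict = field(default_factory=dict)    # user:<uid>:perms
    groups: dict = field(default_factory=dict)   # group:<gid>:perms

    def masked(self, perms: int) -> int:
        """Effective permissions of a group-class entry (what getfacl -e prints)."""
        return perms if self.mask is None else perms & self.mask

    def mode_string(self) -> str:
        """The 9 mode characters ls/stat derive from st_mode: with an ACL present,
        the group triplet shows the mask, not group::."""
        group_bits = self.group_obj if self.mask is None else self.mask
        return "".join(rwx(b) for b in (self.user_obj, group_bits, self.other))

    def chmod_group(self, perms: int) -> None:
        """chmod g=... on a file with an ACL rewrites the mask; group:: is untouched."""
        if self.mask is None:
            self.group_obj = perms
        else:
            self.mask = perms

    def allows(self, uid: int, gids: set[int], want: int) -> bool:
        """Access check in acl(5) order: owner, named user, group class, other."""
        if uid == self.owner_uid:
            return (want & ~self.user_obj) == 0
        if uid in self.users:
            return (want & ~self.masked(self.users[uid])) == 0
        entries = [self.group_obj] if self.owner_gid in gids else []
        entries += [p for g, p in self.groups.items() if g in gids]
        if entries:  # any matching group-class entry (after masking) may grant access
            return any((want & ~self.masked(p)) == 0 for p in entries)
        return (want & ~self.other) == 0


def logfiles_acl() -> Acl:
    """The directory from the question: bob:users, user:john:rwx, group::r-x, mask::rwx."""
    return Acl(owner_uid=1000, owner_gid=100, user_obj=R | W | X, group_obj=R | X,
               other=R | X, mask=R | W | X, users={1001: R | W | X})
```

Running `chmod g-w` against the model (via `chmod_group`) lowers the mask and so john's effective permissions, while `group::` stays r-x, which is exactly the behaviour the answer describes.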
Reputation: 16399
Here may lie your answer -- ACL propagation:
http://users.suse.com/~agruen/acl/linux-acls/online/
Some filesystems allow it as a mount option. I do not know what filesystem you have, so this may be a poor answer.
Upvotes: 1