55

I have a directory called "members" and under it there are folders/files. How can I recursively set all the current folders/files and any future ones created there to by default have 775 permissions and belong to owner/group nobody/admin respectively? I enabled ACL, mounted, but can't seem to get the setfacl command to do this properly. Any idea how to accomplish this?

Maverick

4 Answers

85

I actually found something that so far does what I asked for, sharing here so anyone who runs into this issue can try out this solution:

```bash
sudo setfacl -Rdm g:groupnamehere:rwx /base/path/members/
sudo setfacl -Rm g:groupnamehere:rwx /base/path/members/
```

R is recursive, which means everything under that directory will have the rule applied to it.
d is default, which means these rules apply by default to all future items created under that directory. m is needed to add/modify rules.

The first command is for new items (hence the d); the second command is for old/existing items under the folder. Hope this helps someone out, as this stuff is a bit complicated and not very intuitive.

Maverick
  • 2
    This is exactly what I needed to get the owner of a grandparent directory to be able to properly modify the contents of new grandchild directories. – Joost Aug 18 '15 at 07:01
  • If you are the only user of your Rpi, you can replace g:groupname with pi:pi or just pi – SDsolar Mar 11 '17 at 22:30
  • You can specify for user, groups, and other in one line, e.g. `-Rdm g:groupnamehere:rwx, -Rdm u:groupnamehere:rwx`. – user2340939 Nov 27 '18 at 15:05
  • This does not set new files to 775, only directories, the files are still being uploaded to 644 – tmarois Oct 10 '20 at 21:40
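
The last comment above reports new files arriving as 644 even with the default ACL in place. The following added example (not code from any answer on this page) models the object-creation rule from acl(5) in Python, so it runs without an ACL-enabled filesystem: the inherited ACL is ANDed with the mode the creating program passes, which is why the result depends on the application. The group name `admin` comes from the question; the 0644 creation mode for the uploader is an assumption.

```python
# Added example: models the acl(5) "object creation and default ACLs" rule.
# Nothing here touches the filesystem; the ACL and modes below are constructed.

def bits(p):
    """'r-x' -> 5"""
    return sum(v for c, v in zip(p, (4, 2, 1)) if c != "-")

def text(b):
    """5 -> 'r-x'"""
    return "".join(c if b & v else "-" for c, v in zip("rwx", (4, 2, 1)))

def inherit(default_acl, create_mode):
    """Access ACL of a new object created under a directory with default_acl.

    The default ACL is copied, then the owner, group-class and other entries
    are ANDed with the mode passed to open()/mkdir(). umask is not consulted.
    """
    acl = {tag: bits(p) for tag, p in default_acl.items()}
    # With a mask entry present, the group permission bits map to the mask.
    group_class = "mask::" if "mask::" in acl else "group::"
    acl["user::"] &= (create_mode >> 6) & 7
    acl[group_class] &= (create_mode >> 3) & 7
    acl["other::"] &= create_mode & 7
    return acl

def effective(acl, tag):
    """Rights an entry really grants: named and group entries are capped by mask."""
    if tag in ("user::", "other::") or "mask::" not in acl:
        return text(acl[tag])
    return text(acl[tag] & acl["mask::"])

def shown_mode(acl):
    """Mode as ls/stat report it (group digit is the mask when one exists)."""
    group_class = "mask::" if "mask::" in acl else "group::"
    return "%d%d%d" % (acl["user::"], acl[group_class], acl["other::"])

# Default ACL left on a 775 directory by: setfacl -dm g:admin:rwx <dir>
DEFAULT_ACL = {"user::": "rwx", "group::": "rwx", "group:admin:": "rwx",
               "mask::": "rwx", "other::": "r-x"}

if __name__ == "__main__":
    for label, mode in (("mkdir (0777)", 0o777), ("touch (0666)", 0o666),
                        ("uploader using 0644 (assumed)", 0o644)):
        acl = inherit(DEFAULT_ACL, mode)
        print(f"{label:32} mode={shown_mode(acl)} "
              f"group:admin effective={effective(acl, 'group:admin:')}")
```

On a real system `getfacl` shows the same thing as `group:admin:rwx` followed by `#effective:r--` for a file created with 0644. The named-group entry is inherited intact; only the mask is narrowed by the creating program's mode.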
23

To go with your accepted answer ...

You can combine those commands together as:

```bash
sudo setfacl -Rm d:g:groupnamehere:rwx,g:groupnamehere:rwx /base/path/members/
```
Pierre.Vriens
Joshua
  • That's cool. How come you set `d:` on the first item rather than `-Rmd`? I can tell that the second parameter should have no `default` -- it's just odd how Linux accepts it to me. – JREAM May 02 '17 at 03:12
  • 1
    @JREAM: Linux (actually `getopt_long`) sends the whole argument to [option `-m`](https://sourcecodebrowser.com/acl/2.2.49/setfacl_8c_source.html#l00416) which is [parsed by hand](https://sourcecodebrowser.com/acl/2.2.49/setfacl_8c_source.html#l00438) by `setfacl`, [separating by commas](https://sourcecodebrowser.com/acl/2.2.49/parse_8c_source.html#l00387) the passed arguments. They are added to a linked list which is looped through at the end when actually changing the ACL. – Benoit Duffez Jun 28 '17 at 08:04
2

`setfacl` on Linux has the `-d` and `-k` options for manipulating default permissions, which are probably what you are looking for (see man for more info).

peterph
0

It is easy to recursively set simple UNIX permissions of directories and files upon demand of an appropriately authorized user. It is not possible to automatically impose this.

You could tell users to set the umask to 0002, and that helps to make new files at 0775 (depending on the application). But it is not enforceable.

My understanding is that ACLs are not inherited on UNIX/Linux systems. They are set upon demand.

As for file/directory ownership, you are pretty much out of luck here.

As for file/directory group ownership, by setting the directory set-gid bit (i.e. g+s on DIRECTORIES), this does cause the group ownership to be inherited.

What I have done in such situations is to execute a periodic root cron script which resets non-conforming permissions/ownerships to the standard in such directories.

Another (NOT RECOMMENDED) process is to have the same user-id be used when working on these files. This could be accomplished by the user logging into the system under his own UID, and then using sudo or su to run as the id. This still is not 100% especially concerning ACLs and permission bits.

mdpc
  • The right way to do this for future files is setting defaults using `setfacl` and `sgid`. `chown` changes user and optionally group ownership, `chgrp` changes group ownership and `chmod` changes mode. If retroactively changing, each of these is recursive, but it's better to use `find` with type and exec options so that you can change the directories and the files to different. sgid is the only part you got right, the rest is wrong or bad or both. The answers above have the correct information. – Jeter-work Jun 09 '22 at 21:52