
I am trying to give a specific user (for example "test") the right to read any newly created directory. I do that using:

undefine@undefine-ThinkPad-T430s:~/test$ getfacl .
# file: .
# owner: undefine
# group: undefine
user::rwx
group::rwx
other::r-x

undefine@undefine-ThinkPad-T430s:~/test$ setfacl -d -m u:test:rX .
undefine@undefine-ThinkPad-T430s:~/test$ getfacl .
# file: .
# owner: undefine
# group: undefine
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:test:r-x
default:group::rwx
default:mask::rwx
default:other::r-x

Then, when I create a new directory using the mkdir command, it works fine:

undefine@undefine-ThinkPad-T430s:~/test$ mkdir testa
undefine@undefine-ThinkPad-T430s:~/test$ getfacl testa
# file: testa
# owner: undefine
# group: undefine
user::rwx
user:test:r-x
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:test:r-x
default:group::rwx
default:mask::rwx
default:other::r-x

But if I create a new directory with a forced mode, the effective rights are empty:

undefine@undefine-ThinkPad-T430s:~/test$ mkdir -m 700 testb    
undefine@undefine-ThinkPad-T430s:~/test$ getfacl testb
# file: testb
# owner: undefine
# group: undefine
user::rwx
user:test:r-x           #effective:---
group::rwx          #effective:---
mask::---
other::---
default:user::rwx
default:user:test:r-x
default:group::rwx
default:mask::rwx
default:other::r-x

And the test user can't read files within the directory.

Is there any way to avoid that and give the "test" user the right to read the directory content regardless of the mode used when the directory is created? I can work around it using an incron job which "fixes" the permissions after the directory is created, but that is a dirty hack and I would like to do it the "right way".

The real problem I've encountered is on a Docker system, where dockerd itself creates directories within the /var/lib/docker/containers directory with mode 0700.

undefine

1 Answer


Do you have an example of the permissions you give the folder when you create the directory with the 'mode' flag? AFAIK, ACL permissions are combined with the 'normal' file permissions (chmod). But the file permissions supersede the ACL permissions. I was able to replicate what you were explaining by creating a folder with ACL permissions lower than the folder permissions.

Alternatively, is it an option to use umask?

test@shell-server:~$ getfacl .
# file: .
# owner: test
# group: test
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:test:r-x
default:group::r-x
default:mask::r-x
default:other::r-x

test@server:~$ mkdir -m 0100 dir3

test@server:~$ getfacl dir3/
# file: dir3/
# owner: test
# group: test
user::--x
user:test:r-x           #effective:---
group::r-x              #effective:---
mask::---
other::---
default:user::rwx
default:user:test:r-x
default:group::r-x
default:mask::r-x
default:other::r-x 

Also, looking at the 'other' permissions on this folder, your 'test' user should have access to read and change into this directory (r-x), shouldn't it? Is this not the case?

undefine@undefine-ThinkPad-T430s:~/test$ getfacl .
# file: .
# owner: undefine
# group: undefine
user::rwx
group::rwx
other::r-x
relevantRope
  • hm, the mkdir command was missing from my example; I don't know why, probably I lost it when I formatted the post. Now I've added the example. The problem is when I create a file in the testb directory: I would like to read it as the test user, but I can't because the effective rights for the testb directory are --- for the "test" user. – undefine Feb 06 '19 at 21:01
  • bummer... yeah, because your file system permissions in the subfolder are stricter than the ACL permissions on the parent directory. I would imagine that adjusting the umask for the user that creates the folder won't be an option either? At the moment, adjusting the permissions afterwards is the only thing I can think of right now – relevantRope Feb 07 '19 at 07:15
  • umask doesn't help; umask only affects newly created files when the application doesn't specify a mode when creating the file. Yes, fixing permissions after creation using incron or cron helps, but I feel that it isn't the "right" solution :-) So I'm looking for another option. I've thought about a separate filesystem which just doesn't support permissions (FAT! ;), but that's not "right" either. – undefine Feb 08 '19 at 09:21
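The following is an added worked example, not code from the question, the answer or any of the commenters. It models the rule from acl(5) ("Object creation and default ACLs") that produces every getfacl listing on this page: a new directory inherits the parent's default ACL as its access ACL, and the mode passed to mkdir(2) is then intersected with it, owner bits against user::, group bits against mask:: (or group:: when there is no mask entry), other bits against other::. The umask is not applied at all when the parent has a default ACL, which is why the "umask doesn't help" comment is right and why coreutils mkdir without -m (which passes 0777) gives mask::rwx. The three directories reproduced below are testa and testb from the question and dir3 from the answer; the final case models the "fix it afterwards" workaround, since chmod's group bits overwrite the mask when the ACL has one. Function and constant names are my own, and the ACL inputs are constructed to match the page.

```python
"""Model of POSIX ACL inheritance on mkdir(2) and of chmod on an ACL with
a mask entry, per acl(5).  Entries are (tag, qualifier, perms) tuples in
getfacl's vocabulary; the qualifier is "" for user:: / group:: / mask:: /
other::.  Added example; function names are hypothetical."""

# Constructed input: the default ACL the question sets on ~/test with
# `setfacl -d -m u:test:rX .` (getfacl prints it as default:... lines).
QUESTION_DEFAULT_ACL = [
    ("user", "", "rwx"),
    ("user", "test", "r-x"),
    ("group", "", "rwx"),
    ("mask", "", "rwx"),
    ("other", "", "r-x"),
]

# Constructed input: the default ACL from the answer's dir3 example.
ANSWER_DEFAULT_ACL = [
    ("user", "", "rwx"),
    ("user", "test", "r-x"),
    ("group", "", "r-x"),
    ("mask", "", "r-x"),
    ("other", "", "r-x"),
]


def bits(p):
    """'r-x' -> 5"""
    return (4 if "r" in p else 0) | (2 if "w" in p else 0) | (1 if "x" in p else 0)


def perms(b):
    """5 -> 'r-x'"""
    return ("r" if b & 4 else "-") + ("w" if b & 2 else "-") + ("x" if b & 1 else "-")


def intersect(p, q):
    return perms(bits(p) & bits(q))


def with_effective(acl):
    """Attach the effective rights: named users and all group entries are
    limited by mask:: when one exists; user::, mask:: and other:: are not."""
    mask = next((p for t, _, p in acl if t == "mask"), None)
    out = []
    for tag, qual, p in acl:
        masked = mask is not None and (tag == "group" or (tag == "user" and qual != ""))
        out.append((tag, qual, p, intersect(p, mask) if masked else p))
    return out


def apply_mode(acl, mode, op):
    """Map the three rwx triples of `mode` onto the ACL: owner bits -> user::,
    group bits -> mask:: if present (else group::), other bits -> other::.
    `op` is intersect (object creation) or a plain setter (chmod)."""
    has_mask = any(t == "mask" for t, _, _ in acl)
    owner, group, other = perms((mode >> 6) & 7), perms((mode >> 3) & 7), perms(mode & 7)
    out = []
    for tag, qual, p in acl:
        if tag == "user" and qual == "":
            p = op(p, owner)
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            p = op(p, group)
        elif tag == "other":
            p = op(p, other)
        out.append((tag, qual, p))
    return out


def mkdir_acl(default_acl, mode=0o777):
    """Access ACL of a directory created under a parent carrying `default_acl`.
    No umask is applied when a default ACL exists, so coreutils mkdir without
    -m effectively passes 0777 (assumed default here)."""
    return with_effective(apply_mode(default_acl, mode, intersect))


def chmod_acl(acl, mode):
    """The after-the-fact repair: chmod replaces user::, mask:: and other::."""
    return with_effective(apply_mode([e[:3] for e in acl], mode, lambda _old, new: new))


def effective_for(acl, user):
    """Effective rights of the named user entry (raises if absent)."""
    return next(eff for tag, qual, _, eff in acl if tag == "user" and qual == user)


def render(acl):
    """getfacl-style lines, annotating entries whose effective rights differ."""
    return "\n".join(
        f"{tag}:{qual}:{p}" if eff == p else f"{tag}:{qual}:{p:<11}#effective:{eff}"
        for tag, qual, p, eff in acl
    )


if __name__ == "__main__":
    cases = [
        ("mkdir testa", QUESTION_DEFAULT_ACL, 0o777),
        ("mkdir -m 700 testb", QUESTION_DEFAULT_ACL, 0o700),
        ("mkdir -m 0100 dir3", ANSWER_DEFAULT_ACL, 0o100),
    ]
    for label, default, mode in cases:
        print(f"# {label}\n{render(mkdir_acl(default, mode))}\n")
    repaired = chmod_acl(mkdir_acl(QUESTION_DEFAULT_ACL, 0o700), 0o750)
    print("# chmod 750 testb (repair after creation)\n" + render(repaired))
```

Running it prints the same user/group/mask/other lines getfacl shows on this page for testa, testb and dir3, including the #effective:--- annotations, and then the repaired testb where mask::r-x makes user:test effective again. The practical reading for the Docker case is that a process creating a directory with mode 0700 always leaves mask::--- behind, whatever the default ACL says, so a named-user ACL entry on /var/lib/docker/containers can only take effect after something resets the mask (chmod g+rx or setfacl -m m::rx on the new directory).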