I'm pretty sure I'm just doing something wrong, but I can't figure it out...

I have some directories I set up with the following:

sudo setfacl -dR -m u::rwX,g::rwX,o::rX,u:ubuntu:rwX,u:www-data:rwX,g:www-data:rwX .
sudo setfacl -R -m u:ubuntu:rwX,u:www-data:rwX,g:www-data:rwX .

My issue is that existing files in there suddenly get an execute flag on the group. On my test server I do the exact same thing and this doesn't happen. The only difference between this server and the test one is that I used rsync to copy the files over and create the directories, but the command used didn't include the flags to retain permissions (-rltvz). On the test one I used scp. Results from getfacl match between the machines, too.

On the test machine, if I do touch test.txt and then run the second setfacl command (listed above) then that one file gets a group execute bit added while the rest of the files stay as they are. The existing files that stay with the same permission have the following setting:

# file: veggies.png
# owner: ubuntu
# group: www-data
user::rw-
user:www-data:rw-
user:ubuntu:rw-
group::rw-
group:www-data:rw-
mask::rw-
other::r--

The newly created file has the following settings:

# file: test.txt
# owner: ubuntu
# group: ubuntu
user::rw-
user:www-data:rwx       #effective:rw-
user:ubuntu:rwx         #effective:rw-
group::rwx          #effective:rw-
group:www-data:rwx      #effective:rw-
mask::rw-
other::r--

But ls says: -rw-rw-r--+ 1 ubuntu ubuntu 0 Feb 28 10:00 test.txt

EDIT: So, after doing a lot of reading, the issue seems to be that the second command is "recalculating the mask". You can see that the group permission is listed as 'rwx' and the mask is 'rw-' so ls shows 'rw-', but the second command recalculates the mask to 'rwx' and then it shows 'rwx' in ls. However, I'm still confused as to why touch test.txt would create a file with group 'rwx' when the first command sets the default to 'g::rwX' which should mean a regular file should have 'rw-' permission.

Tim Tisdall
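
The behaviour in the getfacl listings above, modeled as an added example that is not part of the original post: per acl(5), a file created under a default ACL copies that ACL, and only the owner, mask and other entries are limited by the create mode, so `group::` and the named entries keep `rwx` behind an `rw-` mask until the mask is recalculated. The default ACL values and the 0666 create mode for `touch` are assumptions reconstructed from the commands in the question, and all function names are hypothetical.

```python
"""Model of POSIX ACL inheritance and mask recalculation (acl(5), setfacl(1))."""
R, W, X = 4, 2, 1

# Assumed default ACL left by the first command in the question. A default ACL
# exists only on directories, where capital X resolves to x, so each entry has x.
DEFAULT_ACL = {
    "user::": 7, "user:www-data:": 7, "user:ubuntu:": 7,
    "group::": 7, "group:www-data:": 7, "mask::": 7, "other::": 5,
}

def fmt(p):
    return "".join(c if p & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))

def create_file(default_acl, mode):
    """Access ACL of a new file: copy the default ACL, then clamp only the
    owner, mask and other entries to the create mode (umask is not applied)."""
    acl = dict(default_acl)
    acl["user::"] &= (mode >> 6) & 7
    acl["mask::"] &= (mode >> 3) & 7  # the mode's group bits land on the mask
    acl["other::"] &= mode & 7
    return acl

def effective(acl, tag):
    """Owner and other are never masked; every other entry is ANDed with mask."""
    return acl[tag] if tag in ("user::", "other::") else acl[tag] & acl["mask::"]

def recalc_mask(acl):
    """Mask step of `setfacl -m` without -n: union of all group-class entries."""
    out = dict(acl)
    out["mask::"] = 0
    for tag, perm in acl.items():
        if tag not in ("user::", "mask::", "other::"):
            out["mask::"] |= perm
    return out

def ls_mode(acl):
    """With an ACL present, the group column of ls shows the mask."""
    return "-" + fmt(acl["user::"]) + fmt(acl["mask::"]) + fmt(acl["other::"]) + "+"

if __name__ == "__main__":
    new = create_file(DEFAULT_ACL, 0o666)  # assumed: touch creates with 0666
    for tag in new:
        print(f"{tag}{fmt(new[tag])}  effective:{fmt(effective(new, tag))}")
    print("ls after touch:     ", ls_mode(new))
    print("ls after setfacl -m:", ls_mode(recalc_mask(new)))
```

`recalc_mask` covers only the mask step; running `setfacl` with `-n` skips that step and leaves the existing mask in place.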