Default permissions with setfacl

Just started using setfacl to assign permissions for a specific group to /var/www/html (CentOS 5). Files in this directory are 640, root:apache. However, I've noticed that after doing something like:

setfacl -R -m g:developers:rwx /var/www/html
setfacl -R -m d:g:developers:rwx /var/www/html

... ls -al shows that a newly created file's owner and group are both set to my username.

Is there a way (using setfacl) to enforce newly created files to get the permissions of the ACLs AND then set the owner:group to root:apache? Or, alternatively, is this best done through a periodic cron job that does a chown -R root.apache /var/www/html down the entire DocumentRoot? Or... am I missing something else completely?

am4

Posted 2012-06-11T14:08:10.420

Reputation: 61

Maybe it's sufficient to ensure that all files that get created are owned and writable by group developers? You could do that by setting the setgid bit on /var/www/html and using umask 002. – jjlin – 2012-06-11T21:40:20.870

The setfacl -R -m d:g:developers:rwx /var/www/html ensures that newly created files can be modified and deleted by anyone in developers. setgid is great for allowing apache to still see the files - doing a chmod g+s on the directory forces newly created files to be owned by username:apache instead of username:username. The actual owner isn't much of a problem because the only users that should be in that directory are a) in developers or b) root. Keeping /var/www/html as 750, root:apache (with the setgid bit) ensures users outside of developers can't get into the directory. – am4 – 2012-06-12T13:41:59.453

Answers

Make sure new files are owned by the developers group, set g+s and set the default permissions to read, write and execute.

chown -R :developers /var/www/html
chmod -R g+s /var/www/html
setfacl -d -m g::rwx /var/www/html

Steen Schütt

Posted 2012-06-11T14:08:10.420

Reputation: 456
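As an added example (not code from the question, the comments or the answer above), the script below combines the two pieces discussed on this page: the setgid bit on the directory, so that new files inherit the directory's group rather than the creator's primary group, and a default ACL entry for a named group, so that everyone in that group can read and write new files. It then creates a file the way an editor would and reports the file's owner:group, the named-group ACL entry that was inherited, and the `+` that ls shows for a file carrying an ACL. It assumes Linux with the acl package (setfacl/getfacl) and GNU stat; the directory and group names are parameters, and the demo uses the caller's own group and a temporary directory in place of /var/www/html and developers.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumes: Linux, setfacl/getfacl installed, a filesystem with POSIX ACL
# support, GNU stat. Usage:  . ./acl-demo.sh && demo

# setup_shared_dir DIR GROUP: make DIR group-owned by GROUP with the setgid
# bit, deny everyone outside GROUP, and give GROUP rwx both on DIR itself
# and, by default, on everything created inside it.
setup_shared_dir() {
    dir=$1
    grp=$2
    mkdir -p "$dir"
    chgrp "$grp" "$dir"
    # 2750 = setgid + rwxr-x---: new entries inherit GROUP as their group
    # owner; users outside GROUP cannot enter the directory.
    chmod 2750 "$dir"
    # Access ACL for DIR, then a default ACL (d:) that is copied onto each
    # new file and subdirectory. The default ACL never changes the owner.
    setfacl -m "g:$grp:rwx" "$dir" &&
    setfacl -m "d:g:$grp:rwx" "$dir"
}

# file_group FILE: the group owner of FILE, as ls -l shows it.
file_group() {
    stat -c %G "$1"
}

# acl_group_entry FILE GROUP: the named-group entry stored on FILE for GROUP.
# -E hides the "#effective:" annotation; the effective rights are the stored
# entry ANDed with the mask, which for a file opened with mode 0666 is rw-.
acl_group_entry() {
    getfacl -pE "$1" 2>/dev/null |
        awk -F: -v g="$2" '$1 == "group" && $2 == g { print $3 }'
}

# demo: build a throwaway tree, create one file, and show what it inherited.
demo() {
    root=$(mktemp -d)
    grp=$(id -gn)        # constructed: stand-in for the developers group
    setup_shared_dir "$root/html" "$grp" || return 1
    : > "$root/html/index.html"
    printf 'owner:group  %s\n' "$(stat -c '%U:%G' "$root/html/index.html")"
    printf 'ACL entry    group:%s:%s\n' "$grp" \
        "$(acl_group_entry "$root/html/index.html" "$grp")"
    ls -l "$root/html/index.html"   # '+' after the mode marks an ACL
    rm -rf "$root"
}
```

The owner column stays the creating user in every case, which is the behaviour the question observed: ACLs and the setgid bit govern group and permissions, never ownership, so a chown step (or the comment's view that the owner does not matter once the group is right) is the only way to get root as owner. Note also that the stored entry is `rwx` while the effective rights on a regular file are `rw-`, because the mask is derived from the 0666 mode the editor requested; `getfacl` without `-E` prints that difference as `#effective:rw-`.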