
My aim is to allow read access to folder /var/www/mysite/ only for users in group www-data using a default ACL.

This works for a regular ACL, but not for a default ACL. Why?

This is how I did it:

I am logged on as user www-data who is in group www-data. I am in directory /var/www.

I created a directory mysite and gave it the permission 0. Then I added ACL permissions so that anyone in group www-data has read-access to directory mysite/.

    $ mkdir mysite
    $ chmod 0 mysite
    $ setfacl -m g:www-data:r-x mysite
    $ ls -la
    d---------+ 2 root root 4096 Sep 6 11:16 mysite
    $ getfacl mysite/
    # file: mysite/
    # owner: root
    # group: root
    user::---
    group::---
    group:www-data:r-x
    mask::r-x
    other::---

At this point user www-data has access to the folder. However, if I instead add a default ACL, access is denied!

    $ setfacl -m d:g:www-data:r-x mysite    # <---- NOTE the default acl rule.
    $ ls -la
    d---------+ 2 root root 4096 Sep 6 11:16 mysite
    $ getfacl mysite/
    # file: mysite/
    # owner: root
    # group: root
    user::---
    group::---
    other::---
    default:user::---
    default:group::---
    default:group:www-data:r-x
    default:mask::r-x
    default:other::---
  • Clear all permissions using setfacl -b /var/www/mysite, then set them using setfacl -m g:www-data:rx /var/www/mysite and let me know if there is any issue. Commented Sep 6, 2013 at 10:44
  • This is unrelated to my problem. I need that to work with a default acl. Commented Sep 6, 2013 at 11:11
  • Be wary of the distinction between the statements "I need" and "I think I need". Some say the road to hell is paved with those differences. Commented Sep 6, 2013 at 12:42

2 Answers


The default ACL is the ACL that is applied to newly created files in that directory. It is also copied as the default ACL for subdirectories created under that directory, so unless you do something to override it, it applies recursively.

The default ACL has no effect on the directory itself, or on any files that exist when you change the default ACL.

So in your situation you need to both set the ACL on the directory (for the directory itself) and set the default ACL (for files that you will create in the directory).


The semantics of access control lists are complicated; the rules below are excerpted from man -s 5 acl:

    1. If the effective user ID of the process matches the user ID of the file object owner, then
           if the ACL_USER_OBJ entry contains the requested permissions, access is granted,
           else access is denied.
    2. else if the effective user ID of the process matches the qualifier of any entry of type ACL_USER, then
           if the matching ACL_USER entry and the ACL_MASK entry contain the requested permissions, access is granted,
           else access is denied.
    3. else if the effective group ID or any of the supplementary group IDs of the process match the file group or the qualifier of any entry of type ACL_GROUP, then
           if the ACL contains an ACL_MASK entry, then
               if the ACL_MASK entry and any of the matching ACL_GROUP_OBJ or ACL_GROUP entries contain the requested permissions, access is granted,
               else access is denied.
           else (note that there can be no ACL_GROUP entries without an ACL_MASK entry)
               if the ACL_GROUP_OBJ entry contains the requested permissions, access is granted,
               else access is denied.
    4. else if the ACL_OTHER entry contains the requested permissions, access is granted.
    5. else access is denied.

I know I have trouble making sense of which rule applies to your particular problem. If you understood them fully, you wouldn't be asking a question here. In particular, it is hard to determine whether the user, group, or other applies, and whether the default takes precedence over the specific. Here's an example using your ACL:

    $ ls -ld mysite
    drwxr-x---+ 2 www-data www-data 4096 Sep 6 08:22 mysite
    $ getfacl mysite
    # file: mysite
    # owner: www-data
    # group: www-data
    user::rwx
    group::r-x
    other::---
    default:user::rwx
    default:group::rwx
    default:group:www-data:r-x
    default:mask::rwx
    default:other::r-x
    $ ls -l mysite
    total 4
    -rw-rw-r--+ 1 www-data www-data 56 Sep 6 08:15 example.html

Using your ACL parameters, everything is fine since I'm running with www-data in my groups. But if I change the mode on mysite/, I disable my access:

    $ sudo chmod 000 mysite
    $ ls -ld mysite
    d---------+ 2 www-data www-data 4096 Sep 6 08:22 mysite
    $ ls mysite
    ls: cannot open directory mysite: Permission denied

Note that I didn't change the ACL at all.

On a related note, root should never, ever, never own directories that are going to be part of a web-service. Ever. Really. That's why there are unprivileged accounts and groups like www-data.

What should you do to make things work the way you think you want them to? I have no idea.

  • Thanks for your answer. Could you elaborate on why "root should never, ever, never own directories that are going to be part of a web-service. Ever. Really." because I don't see a problem with this. Commented Sep 6, 2013 at 13:48
  • Here's what the World Wide Web Consortium has to say on the matter: w3.org/Security/Faq/wwwsf3.html Commented Sep 6, 2013 at 14:42
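The acl(5) rules quoted in the second answer, together with the first answer's point that default entries do nothing for the directory they are set on, can be checked with a small model of the access decision. This is an added example, not code from either answer; the two ACL listings are rebuilt from the question, and the user/group names passed to check() are constructed.

```python
# Added example, not code from the original answers: the acl(5) access rules
# quoted in the second answer, run over getfacl(1) text, to show why "default:"
# entries never grant access to the directory they are set on.

def parse_getfacl(text):
    """Return (owner, owning_group, access_entries) as (tag, qualifier, perms-set).
    'default:' lines are discarded: they only seed ACLs of files created later."""
    owner = group = None
    access = []
    for line in text.strip().splitlines():
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split(":")
            access.append((tag, qual, set(perms) - {"-"}))
    return owner, group, access

def entry(entries, tag, qual=""):
    return next((p for t, q, p in entries if t == tag and q == qual), None)

def check(acl_text, uid, groups, want):
    """acl(5) rules 1-5 for a process with effective user `uid` and group set `groups`."""
    owner, owning_group, access = parse_getfacl(acl_text)
    want, mask = set(want), entry(access, "mask")
    if uid == owner:                                    # rule 1: ACL_USER_OBJ
        return want <= entry(access, "user")
    named = entry(access, "user", uid)
    if named is not None:                               # rule 2: ACL_USER, limited by mask
        return want <= named & mask
    matched = [p for t, q, p in access if t == "group" and
               ((q == "" and owning_group in groups) or (q and q in groups))]
    if matched:                                         # rule 3: group entries, limited by mask
        return any(want <= (p & mask if mask is not None else p) for p in matched)
    return want <= entry(access, "other")               # rules 4 and 5: ACL_OTHER

# Sample ACLs constructed from the question's two getfacl listings.
HEADER = "# owner: root\n# group: root\nuser::---\ngroup::---\n"
ACL_WITH_ACCESS_ENTRY = HEADER + "group:www-data:r-x\nmask::r-x\nother::---"
ACL_DEFAULT_ONLY = HEADER + "other::---\n" + "\n".join(
    "default:" + e for e in ("user::---", "group::---", "group:www-data:r-x",
                              "mask::r-x", "other::---"))

if __name__ == "__main__":
    for name, acl in (("access entry", ACL_WITH_ACCESS_ENTRY), ("default only", ACL_DEFAULT_ONLY)):
        ok = check(acl, "www-data", {"www-data"}, "rx")   # www-data wants to list mysite/
        print(f"{name}: {'granted' if ok else 'denied'}")
```

With the default-only ACL the group entry is skipped entirely, so the decision falls through to other::--- and is denied, exactly as in the question.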
