Michael Orlitzky
2012-08-05 22:16:08 UTC
I have a directory (drupal modules directory) where developers regularly
untar (or cp) archives. The contents should be rwx for the 'developers'
group, so that some other developer can update or remove the module later.
I've set default ACLs on the parent directory, and the regular default
ACLs are applied but the default mask is not. This is because tar/cp
preserve the original group permission bits -- a strategy that doesn't
make sense under a directory with default ACLs.

For an example, I'll copy /etc/profile (mode: 0644) into a directory
whose contents should be rwx to the 'apache' user via its default ACL.

gantu acl $ getfacl .
# file: .
# owner: mjo
# group: mjo
user::rwx
group::---
other::---
default:user::rwx
default:user:apache:rwx
default:group::---
default:mask::rwx
default:other::---
gantu acl $ cp /etc/profile ./
gantu acl $ getfacl profile
# file: profile
# owner: mjo
# group: mjo
user::rw-
user:apache:rwx #effective:r--
group::---
mask::r--
other::---

So, even though the directory has default:mask::rwx, newly-created files
have mask::r--. I've been searching for a while and others have run into
this problem; so far, I don't see any good solutions. Does anything come
to mind?

Initially I thought I could set developers' umasks appropriately;
however, both tar and cp ignore the umask (even with
--no-preserve=mode!) and use the source permission bits anyway.
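
The result shown in the post follows from the acl(5) object-creation rule: the new file inherits the directory's default ACL, and the mode passed at creation then clips the user::, other:: and mask:: entries. The following is an added illustration, not part of the original message; it models that rule in Python, and the function names and the assumption that cp creates the file with the source's mode 0644 are mine.

```python
BITS = (4, 2, 1)

def parse_perm(s):
    """'rw-' -> 6"""
    return sum(bit for ch, bit in zip(s, BITS) if ch != "-")

def fmt_perm(p):
    return "".join(ch if p & bit else "-" for ch, bit in zip("rwx", BITS))

def parse_default_acl(getfacl_text):
    """Collect the default: entries of getfacl output as {(tag, qualifier): perms}."""
    acl = {}
    for line in getfacl_text.splitlines():
        line = line.split("#")[0].strip()
        if line.startswith("default:"):
            _, tag, qual, perm = line.split(":")
            acl[(tag, qual)] = parse_perm(perm)
    return acl

def inherit(default_acl, create_mode):
    """Access ACL of a new file: the default ACL clipped by the creation mode."""
    acl = dict(default_acl)
    acl[("user", "")] &= (create_mode >> 6) & 7
    acl[("other", "")] &= create_mode & 7
    # The mode's group bits clip the mask when one exists, otherwise group::.
    group_class = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[group_class] &= (create_mode >> 3) & 7
    return acl

def effective(acl, tag, qual):
    """Named users and every group entry are limited by the mask."""
    perm = acl[(tag, qual)]
    limited = tag == "group" or (tag == "user" and qual != "")
    return perm & acl.get(("mask", ""), 7) if limited else perm

# Default entries of the directory ACL, copied from the getfacl output in the post.
DIR_ACL = """\
default:user::rwx
default:user:apache:rwx
default:group::---
default:mask::rwx
default:other::---
"""

def demo(create_mode):
    """Return (mask, effective rights of user:apache) for a new file."""
    acl = inherit(parse_default_acl(DIR_ACL), create_mode)
    return fmt_perm(acl[("mask", "")]), fmt_perm(effective(acl, "user", "apache"))

if __name__ == "__main__":
    for mode in (0o644, 0o666, 0o777):  # 0644 is the cp case from the post
        print(oct(mode), demo(mode))
```

With a creation mode of 0644 the model reproduces the mask::r-- and #effective:r-- lines from the post; running `setfacl -m m::rwx` on the copied file raises the mask again.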