Default ACL Inheritance Question


A bit of a minor off-topic issue, but on the off-chance that someone understands how ACLs work …

I’ve been trying to see if using default ACLs would help with the following issue:

I have a third party application that is running as a non-root user
(‘user-a’) and creating log files with mode 0600 (read/write only to the owner) in a log directory

I have another application that runs as another non-root user (‘user-b’)
that needs to read the log files created by ‘user-a’

I can’t change the mode of the log files generated by ‘user-a’, but I
thought I could add a default ACL to the log file’s parent directory that gave read access to ‘user-b’ – i.e. something like:

% sudo setfacl -d -m u:user-b:r logdir
% getfacl logdir
# file: logdir
# owner: user-a
# group: user-a
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:user-b:r

2 thoughts on - Default ACL Inheritance Question

  • Look at the acl(5) man page and you’ll see that the ACCESS CHECK
    ALGORITHM starts:

    IF the effective user ID of the process matches the user ID of the file object owner …

    ELSE IF the effective user ID of the process matches the qualifier of any entry of type ACL_USER,
    THEN
    IF the matching ACL_USER entry and the ACL_MASK entry contain the requested permissions, access is granted,
    ELSE access is denied. ELSE …

    The effective user ID is . This matches an ACL_USER entry
    (user:user-b:r--) so therefore consider the ACL_MASK. It is “---” so does NOT contain the requested permission, and therefore access is denied.

    Right, now we know why access is refused. Cast your eyes slightly further up the man page to OBJECT CREATION AND DEFAULT ACLS. Point 1
    states that the object inherits the default ACL of the containing directory as its access ACL. So far so good, but point 2 states that the “file permission bits are modified so that they contain no permissions that are not contained in the permissions specified by the mode parameter”. What I suspect is happening is that the mode parameter is set during file creation and so the mask is cleared to ensure that the creator’s wish overrides the directory default.

    You need to either investigate the application (difficult, long winded), contact support (good luck), or find a way to live with it. Sudo is one solution, another is a script that does a setfacl -m m::rx logfile.

    HTH,

    Martin


    J Martin Rushton MBCS
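    As an added illustration of the explanation above (not code from the thread or from any ACL tool), here is a small Python model of the two acl(5) rules involved: a new file inheriting the directory's default ACL with the create mode applied, and the access check that ANDs a named-user entry with the mask. The Acl class and its field names are assumptions for the simulation; the user names and commands are the ones from the thread, and the model reproduces the rules, not the kernel's implementation.

```python
from dataclasses import dataclass, field
R, W, X = 4, 2, 1  # permission bits, as in rwx

@dataclass
class Acl:  # one POSIX access (or default) ACL; every perm is an rwx bit mask
    owner: str
    group: str
    user_obj: int                                  # user::
    group_obj: int                                 # group::
    other: int                                     # other::
    users: dict = field(default_factory=dict)      # user:<name>: entries
    groups: dict = field(default_factory=dict)     # group:<name>: entries
    mask: "int | None" = None                      # mask::

def create_file(default: Acl, owner: str, group: str, mode: int) -> Acl:
    """acl(5) OBJECT CREATION: inherit the default ACL, then keep only what the create mode allows."""
    acl = Acl(owner, group, default.user_obj, default.group_obj, default.other,
              dict(default.users), dict(default.groups), default.mask)
    if acl.mask is None and (acl.users or acl.groups):   # named entries need a mask:
        acl.mask = acl.group_obj                          # the union of all group-class entries
        for p in list(acl.users.values()) + list(acl.groups.values()):
            acl.mask |= p
    acl.user_obj &= (mode >> 6) & 7
    if acl.mask is not None:
        acl.mask &= (mode >> 3) & 7      # with a mask, the mode's group bits govern the mask
    else:
        acl.group_obj &= (mode >> 3) & 7
    acl.other &= mode & 7
    return acl

def access_ok(acl: Acl, uid: str, gids: set, want: int) -> bool:
    """acl(5) ACCESS CHECK ALGORITHM: owner, then named user, then groups, then other."""
    mask = 7 if acl.mask is None else acl.mask
    if uid == acl.owner:
        return acl.user_obj & want == want
    if uid in acl.users:
        return acl.users[uid] & mask & want == want      # named-user entry AND the mask
    matching = [acl.group_obj] if acl.group in gids else []
    matching += [p for g, p in acl.groups.items() if g in gids]
    if matching:
        return any(p & mask & want == want for p in matching)
    return acl.other & want == want

def logdir_scenario():
    """Constructed: logdir after 'setfacl -d -m u:user-b:r logdir'; user-a creates a 0600 log file."""
    logdir_default = Acl("user-a", "user-a", R | W | X, R | X, R | X, users={"user-b": R})
    logfile = create_file(logdir_default, "user-a", "user-a", 0o600)
    before = (logfile.mask, access_ok(logfile, "user-b", {"user-b"}, R))  # mask 0 == '---'
    logfile.mask = R | X                             # what 'setfacl -m m::rx logfile' does
    return before + (access_ok(logfile, "user-b", {"user-b"}, R),)       # (0, False, True)
```

    The mask lands at 0 because the 0600 create mode has no group bits, which is exactly why user-b's r entry has no effect until the mask is reset.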

  • Thanks – that seems to make sense

    I guess I was being over optimistic thinking default ACLs could help here :-)

    Thanks

    James Pearson
