Problems with ACLs
Patrik Jansson
fbsd at aleborg.se
Wed Oct 11 01:18:32 PDT 2006
I'm trying to set default ACLs on a directory to restrict access to a
directory and every file/directory created within this directory to two
users.
I have used this website to get a grip of how it works:
http://www.onlamp.com/pub/a/bsd/2003/08/14/freebsd_acls.html
Following that example:
# setfacl -d -m u::rwx,g::rwx,o::---,u:apache:rwx,u:web26124:rwx test
# setfacl -m u::rwx,g::rwx,o::---,u:apache:rwx,u:web26124:rwx test
# cd test
# touch file.txt
# getfacl file.txt
#file:file.txt
#owner:0
#group:1003
user::rw-
user:apache:rwx # effective: r--
user:web26124:rwx # effective: r--
group::rwx # effective: r--
mask::r--
other::---
Looks fine to me.
So now I have a PHP script (runs as apache) that creates a directory
(inside this directory I have just set default ACLs for) and a file
within it:
# getfacl dir/file
#file:dir/file
#owner:1004
#group:1003
user::rw-
user:apache:rwx # effective: r--
user:web26124:rwx # effective: r--
group::rwx # effective: r--
mask::r--
other::---
And then I try to remove the file as web26124:
$ whoami
web26124
$ rm dir/file
override rw-r----- apache/apache for dir/file? yes
rm: dir/file: Permission denied
Files that are created in the directory where I have set default ACLs are
removable by web26124, but not files that are created in the subdirectory.
# ls -alF
total 16
drwxrwx---+ 3 web26124 apache 512 Oct 11 10:14 ./
drwxr-xr-x 4 web26124 apache 512 Oct 11 10:01 ../
-rw-r--r--+ 1 root apache 64 Oct 11 10:14 create.php
drwxr-x---+ 2 apache apache 512 Oct 11 10:13 dir/ <- Files inside this directory are NOT removable
-rw-r-----+ 1 apache apache 0 Oct 11 10:13 file3 <- Removable
What's wrong?
More information about the freebsd-questions mailing list
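The post's getfacl listings carry the explanation in their "# effective:" column: every named entry is clamped by the mask, and rm needs write plus search on the parent directory, not on the file. The following is an added example, not code from the post or from FreeBSD: it parses getfacl(1) long-form output, applies the POSIX.1e mask the way the kernel does, and reports whether a user may unlink a child of a directory. The ACLs for "test" and "dir" are reconstructed from the ls -alF line (drwxrwx---+ and drwxr-x---+), since the post shows getfacl only for the two files; apache's uid 1004 / gid 1003 match the #owner/#group header of dir/file, and web26124's uid 1005 is invented.

```python
"""Added example (not part of the original post): parse getfacl(1) output,
apply the POSIX.1e mask, and decide whether a user may unlink a child."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Entry = Tuple[str, str, Set[str]]  # (tag, qualifier, perms)


@dataclass
class Acl:
    path: str
    owner: int
    group: int
    entries: List[Entry]
    mask: Optional[Set[str]]  # None on a minimal (non-extended) ACL


@dataclass
class Principal:
    name: str
    uid: int
    gids: Set[int]    # numeric groups, matched against #group: / group::
    gnames: Set[str]  # names, matched against named group:NAME: entries


def perms_str(p: Set[str]) -> str:
    return "".join(c if c in p else "-" for c in "rwx")


def parse_getfacl(text: str) -> Acl:
    """Parse the #file/#owner/#group header plus tag:qualifier:perms lines."""
    path, owner, group, mask, entries = "", -1, -1, None, []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.startswith("#"):  # header comment
            key, _, val = line[1:].partition(":")
            key = key.strip()
            if key == "file":
                path = val.strip()
            elif key == "owner":
                owner = int(val)
            elif key == "group":
                group = int(val)
            continue
        # getfacl appends "# effective: ..." when the mask trims an entry
        line = line.split("#", 1)[0].strip()
        tag, qualifier, perms = line.split(":", 2)
        bits = {c for c in perms if c in "rwx"}
        if tag == "mask":
            mask = bits
        else:
            entries.append((tag, qualifier, bits))
    return Acl(path, owner, group, entries, mask)


def _mask(acl: Acl) -> Set[str]:
    return acl.mask if acl.mask is not None else set("rwx")


def effective(acl: Acl, tag: str, qualifier: str) -> Set[str]:
    """What getfacl's '# effective:' column shows: the mask clamps named users,
    the owning group and named groups, never the owner (user::) or other::."""
    for t, q, p in acl.entries:
        if t == tag and q == qualifier:
            if tag == "other" or (tag == "user" and qualifier == ""):
                return p
            return p & _mask(acl)
    raise KeyError(f"no {tag}:{qualifier}: entry in ACL for {acl.path}")


def permitted(acl: Acl, who: Principal) -> Set[str]:
    """POSIX.1e access-check order: owner, named user, matching groups, other.
    The first matching class decides; classes are not unioned together."""
    if who.uid == acl.owner:
        return effective(acl, "user", "")
    for t, q, _ in acl.entries:
        if t == "user" and q == who.name:
            return effective(acl, "user", q)
    granted, matched = set(), False
    for t, q, p in acl.entries:
        if t == "group" and ((q == "" and acl.group in who.gids) or (q and q in who.gnames)):
            matched = True
            granted |= p & _mask(acl)  # union over the group entries that match
    return granted if matched else effective(acl, "other", "")


def can_unlink(parent_acl: Acl, who: Principal) -> bool:
    """rm needs write + search on the parent; the file's own ACL is irrelevant
    (no sticky bit on these directories)."""
    p = permitted(parent_acl, who)
    return "w" in p and "x" in p


# Verbatim from the post: the file PHP created inside dir/
FILE_ACL = """
#file:dir/file
#owner:1004
#group:1003
user::rw-
user:apache:rwx # effective: r--
user:web26124:rwx # effective: r--
group::rwx # effective: r--
mask::r--
other::---
"""
# Constructed from "drwxr-x---+ 2 apache apache ... dir/": the group bits
# of the mode mkdir() requested became the inherited mask, here r-x
DIR_ACL = "#file:dir\n#owner:1004\n#group:1003\nuser::rwx\nuser:apache:rwx\n" \
          "user:web26124:rwx\ngroup::rwx\nmask::r-x\nother::---\n"
# Constructed from "drwxrwx---+ 3 web26124 apache ... ./" (after setfacl -m)
TEST_ACL = "#file:test\n#owner:1005\n#group:1003\nuser::rwx\nuser:apache:rwx\n" \
           "user:web26124:rwx\ngroup::rwx\nmask::rwx\nother::---\n"

APACHE = Principal("apache", 1004, {1003}, {"apache"})
WEB = Principal("web26124", 1005, {1003}, {"apache"})  # uid invented

if __name__ == "__main__":
    for label, text in (("test", TEST_ACL), ("dir", DIR_ACL)):
        acl = parse_getfacl(text)
        print(f"{label}: web26124 effective {perms_str(permitted(acl, WEB))}, "
              f"can unlink children: {can_unlink(acl, WEB)}")
```

Run as a script it prints rwx / True for "test" (web26124 owns it, so the mask does not apply) and r-x / False for "dir": the named-user entry still says rwx, but the mask inherited from the subdirectory's creation mode trims it to r-x, so there is no write permission on the parent and unlink fails exactly as in the post. The check to run on a real system is therefore getfacl on the subdirectory itself, looking at the mask:: line rather than at the file.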