ACLs, umask and shared directories
Rob
listone at deathbeforedecaf.net
Mon Mar 8 13:02:53 UTC 2010
Hi Folks,
I need to give a group of users write access to a shared directory. The problem is, when one user creates a file,
www1$ touch file1
www1$ ll
total 8
drwxrwxr-x 2 root domain_users 512 Mar 8 03:11 .
drwxr-xr-x 4 root wheel 512 Mar 8 03:10 ..
-rw-r--r-- 1 www1 domain_users 0 Mar 8 03:11 file1
other users can't edit it.
Solution 1
----------
Change everyone's umask to 002. Unfortunately, these users are defined in Active Directory and they're all in the same primary group - 002 is not secure in this scenario.
Solution 2
----------
Set a default ACL on the parent directory,
www1$ getfacl -d .
# file: .
# owner: root
# group: domain_users
user::rwx
group::rwx
mask::rwx
other::r-x
but it doesn't have the desired effect,
www1$ touch file1
www1$ getfacl file1
# file: file1
# owner: www1
# group: domain_users
user::rw-
group::rwx # effective: r--
mask::r--
other::r--
as the umask seems to override it - this was confirmed by Robert Watson[1] in 2005.
So does anyone have a better idea?
Thanks
Rob.
[1] http://lists.freebsd.org/pipermail/freebsd-fs/2005-October/001382.html
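The following is an added example, not part of Rob's post or of FreeBSD's own code. It is a small model of POSIX.1e ACL inheritance that reproduces the `getfacl file1` output quoted above: with the parent's default ACL and a umask of 022 it shows why the new file ends up with `mask::r--`, and it contrasts that with the two alternatives discussed, a 002 umask (solution 1) and the rule in POSIX.1e draft 17 under which the umask is ignored whenever the parent carries a default ACL (the rule Linux implements). The function names (`inherit`, `effective`, `group_can_write`) and the "umask-first" / "draft 17" labels are this example's own; the default ACL text is the one from the post.

```python
# Added example (not from the post): a model of POSIX.1e ACL inheritance
# for a newly created file, showing how umask handling decides whether
# members of the owning group can write the file.

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perm(text):
    """'rwx' / 'r--' -> integer permission bits."""
    return sum(PERM_BITS[c] for c in text if c != "-")


def fmt_perm(bits):
    """Integer permission bits -> 'rwx'-style string."""
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())


def parse_acl(text):
    """Parse getfacl-style lines into an ordered {entry: bits} dict.

    Keys keep getfacl's 'tag:qualifier:' prefix, e.g. 'user::' (owner),
    'group::' (owning group), 'mask::', 'other::', 'user:alice:' (named
    user).  '# ...' comments and '# effective:' annotations are ignored.
    """
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perm = line.split(":")
        acl[f"{tag}:{qualifier}:"] = parse_perm(perm)
    return acl


def inherit(default_acl, create_mode=0o666, umask=0o022, apply_umask=True):
    """Access ACL a new file receives from its parent's default ACL.

    POSIX.1e draft 17: the user::, mask:: (or group:: when there is no
    mask) and other:: entries of the default ACL are ANDed with the
    matching bits of the creat() mode; group:: and named entries are
    copied unchanged.  apply_umask=True subtracts the umask from the mode
    first (the behaviour the post observes on FreeBSD); apply_umask=False
    ignores the umask, as draft 17 specifies when a default ACL exists.
    """
    mode = create_mode & ~umask if apply_umask else create_mode
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    acl = dict(default_acl)
    acl["user::"] &= owner_bits
    if "mask::" in acl:
        acl["mask::"] &= group_bits
    else:
        acl["group::"] &= group_bits
    acl["other::"] &= other_bits
    return acl


def effective(acl, key):
    """Bits that actually apply for an entry once the mask is applied."""
    bits = acl[key]
    if "mask::" in acl and key not in ("user::", "other::", "mask::"):
        bits &= acl["mask::"]
    return bits


def format_acl(acl):
    """Render like getfacl, adding '# effective:' where the mask cuts bits."""
    lines = []
    for key, bits in acl.items():
        line = f"{key}{fmt_perm(bits)}"
        eff = effective(acl, key)
        if eff != bits:
            line += f"\t# effective: {fmt_perm(eff)}"
        lines.append(line)
    return "\n".join(lines)


def group_can_write(acl):
    """True when members of the owning group get write access."""
    return bool(effective(acl, "group::") & PERM_BITS["w"])


# Constructed input: the default ACL shown by `getfacl -d .` in the post.
DEFAULT_ACL_TEXT = """\
user::rwx
group::rwx
mask::rwx
other::r-x
"""

if __name__ == "__main__":
    default_acl = parse_acl(DEFAULT_ACL_TEXT)
    scenarios = [
        ("umask 022 applied first (post's observation)", dict(umask=0o022)),
        ("umask 002 applied first (solution 1)", dict(umask=0o002)),
        ("default ACL only, umask ignored (draft 17)", dict(apply_umask=False)),
    ]
    for label, kwargs in scenarios:
        acl = inherit(default_acl, **kwargs)
        print(f"--- {label}")
        print(format_acl(acl))
        print("group can write:", group_can_write(acl))
```

Running it prints the post's `user::rw- / group::rwx # effective: r-- / mask::r-- / other::r--` for the first scenario, and a `mask::rw-` (group writable) result for the other two. The useful check for an existing shared directory is the same `group_can_write` test applied to each file's real ACL: any file where the effective group permission lacks `w` was created under the umask-first rule and needs `setfacl -m m::rw` (or an equivalent) before other group members can edit it.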
More information about the freebsd-questions mailing list