ACLs, umask and shared directories

Rob listone at
Mon Mar 8 13:02:53 UTC 2010

Hi Folks,

I need to give a group of users write access to a shared directory. The problem is, when one user creates a file,

  www1$ touch file1
  www1$ ll
  total 8
  drwxrwxr-x  2 root  domain_users  512 Mar  8 03:11 .
  drwxr-xr-x  4 root  wheel         512 Mar  8 03:10 ..
  -rw-r--r--  1 www1  domain_users    0 Mar  8 03:11 file1

other users can't edit it.

Solution 1

Change everyone's umask to 002. Unfortunately, these users are defined in Active Directory and they're all in the same primary group - 002 is not secure in this scenario.

Solution 2

Set a default ACL on the parent directory, 

  www1$ getfacl -d .
  # file: .
  # owner: root
  # group: domain_users

but it doesn't have the desired effect,

  www1$ touch file1
  www1$ getfacl file1
  # file: file1
  # owner: www1
  # group: domain_users
  group::rwx		# effective: r--

as the umask seems to override it - this was confirmed by Robert Watson[1] in 2005.

So does anyone have a better idea?
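To make the behaviour described above concrete, here is a small model (added here as an example; it is not code from the original post or from FreeBSD) of how a new file's POSIX.1e ACL is derived from the parent's default ACL, the mode the creating process requests, and the umask. It applies the umask to the requested mode before the default ACL is consulted, which is the behaviour the post reports for FreeBSD, and then computes the effective permission for each entry through the mask entry, so it reproduces the `group::rwx # effective: r--` output above for umask 022 and shows what umask 002 would give. The default ACL, the `umask_applies` switch and the entry names are constructed for the example.

```python
# Model of how a POSIX.1e default ACL, the mode passed to open(2)/creat(2)
# and the process umask combine into a new file's ACL.  Added example, not
# from the original post.  The default ACL below is constructed.

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perms(text):
    """'rw-' -> 6 (rwx string to permission bits)."""
    return sum(PERM_BITS[c] for c in text if c != "-")


def format_perms(bits):
    """6 -> 'rw-' (permission bits to rwx string)."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def new_file_acl(default_acl, requested_mode=0o666, umask=0o022, umask_applies=True):
    """
    default_acl: dict entry -> 'rwx' string.  Keys are 'user', 'group',
    'other', optionally 'mask', and named entries such as 'user:alice' or
    'group:web' (hypothetical names).
    Returns an ordered dict entry -> (permissions, effective permissions),
    where 'effective' is what the mask entry actually lets through.
    """
    # The post's observation: on the system described, the umask is applied
    # to the requested mode first (touch asks for 0666).  With
    # umask_applies=False the model shows what the default ACL alone would do.
    mode = requested_mode & ~umask if umask_applies else requested_mode
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7

    acl = {}
    # Owner and other entries are always intersected with the mode's bits.
    acl["user"] = parse_perms(default_acl["user"]) & owner_bits
    for key, val in default_acl.items():          # named user entries
        if key.startswith("user:"):
            acl[key] = parse_perms(val)
    if "mask" in default_acl:
        # With a mask entry, the mode's group bits go into the mask and the
        # group-owner entry keeps its default permissions (shown as
        # 'group::rwx' with a smaller '# effective' value).
        acl["group"] = parse_perms(default_acl["group"])
        for key, val in default_acl.items():      # named group entries
            if key.startswith("group:"):
                acl[key] = parse_perms(val)
        acl["mask"] = parse_perms(default_acl["mask"]) & group_bits
    else:
        acl["group"] = parse_perms(default_acl["group"]) & group_bits
        for key, val in default_acl.items():
            if key.startswith("group:"):
                acl[key] = parse_perms(val)
    acl["other"] = parse_perms(default_acl["other"]) & other_bits

    # Effective permissions: every entry except user::, mask:: and other::
    # is filtered through the mask.
    mask = acl.get("mask", 7)
    result = {}
    for key, perms in acl.items():
        effective = perms if key in ("user", "other", "mask") else perms & mask
        result[key] = (format_perms(perms), format_perms(effective))
    return result


def render(acl):
    """Render the result roughly the way getfacl prints it."""
    lines = []
    for key, (perms, eff) in acl.items():
        tag = key if ":" in key else key + ":"
        line = f"{tag}:{perms}"
        if eff != perms:
            line += f"\t# effective: {eff}"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed default ACL: group gets rwx, mask is wide open.
    default = {"user": "rwx", "group": "rwx", "mask": "rwx", "other": "r-x"}
    print("umask 022:")
    print(render(new_file_acl(default, umask=0o022)))   # group::rwx  # effective: r--
    print("umask 002:")
    print(render(new_file_acl(default, umask=0o002)))   # group::rwx  # effective: rw-
```

The model makes the trade-off in the post visible: the default ACL can only widen the group entry's nominal permissions, while the effective bits are capped by whatever the umask left in the mode's group field, so loosening the umask is what actually grants the write bit, and it grants it to the whole primary group.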



More information about the freebsd-questions mailing list