# Directory ACL permission



## marypoppins (Sep 1, 2015)

Dear All,

I'm little confused with the default acl(3) inheritance. As I know until now for directories:
r-reading its contents, x-step into that directory and w to create/remove file in it.
However if I make and extended default ACL for directory "dir" for a user "charles", the inheritance remove the access write permission for the user created directories.
for example: (I write the relevant parts only)


```
root:> mkdir dir
root:> setfacl -m u:charles:rwx,m::rwx dir
root:> setfacl -dm u:charles:rwx,m::rwx dir

getfacl dir:
user:charles:rwx
mask::rwx
```

Then charles creates a new directory in dir named "userdir", and checks its permission:


```
root:> getfacl dir/userdir

user:charles:rwx          # effective: r-x
mask::r-x
```

What I can not understand, why is it removes the write permission from the access mask (however it works great, because charles can create files and directories, and the write permission shows in the inherited directory acl(3) for userdir)

Can anybody help me to clear this?

Thank you very much.


----------



## cpm@ (Sep 1, 2015)

I suggest you read the following article, if you didn't read it yet.


----------



## marypoppins (Sep 1, 2015)

Thank you

I read that, and this too:
http://users.suse.com/~agruen/acl/linux-acls/online/#SECTION00040000000000000000

However in your article the inheritance seems to work, if you read that: (starting line:
"To see the effect of default ACLs on subdirectories issue the following commands:")
the relevant part is the mask which is the same in your post, and which isn't the same in my case.

I forgot to mention that it happened on a NAS4Free which is based on BSD, so I think it should work the same. I will check it tomorrow on a FreeBSD as well.


----------



## cpm@ (Sep 1, 2015)

Please, note this Thread 7290 about NAS4Free questions


----------



## marypoppins (Sep 1, 2015)

Ok, sorry. However I checked it on FreeBSD.

The execute (not the write) permission removed from the effective list for files, however the default ACL includes that. I read more the articles about ACL, but I can not understand it. For example, everything created with root:

`#  umask 007`
`#  mkdir userdir`

```
[CMD=#] ls -l[/CMD]
drwxrwrx--- root wheel userdir
```

`#  setfacl -dm u::rwx,g::rwx,o::-,m::rwx userdir`



```
[CMD=#]getfacl userdir[/CMD]
#file:userdir
#owner:root
#group:wheel
user::rwx
group::rwx
mask::rwx
other::---
```


```
[CMD=#]getfacl -d userdir[/CMD]
#file:userdir
#owner:root
#group:wheel
user::rwx
group::rwx
mask::rwx
other::---
```

But when I create a file in it:
`# cd userdir`
`# touch otherfile`


```
[CMD=#]getfacl otherfile[/CMD]
#file:userfile
#owner:root
#group:wheel
user::rw-
group::rwx
mask::rw-
other::---
```



> When a directory is created inside a directory that has a default ACL, the new directory inherits the parent directory's default ACL both as its access ACL and default ACL. Objects that are not directories inherit the default ACL of the parent directory as their access ACL only.



and



> The umask has no effect if a default ACL exists.



But as you can see the execute permission removed from the mask and from the user. Why?


----------



## trasz@ (Sep 2, 2015)

Write permission from the directory is removed because of umask.  Execute permission from the file is not there, because the touch(1) utility attempts to create file without it; if you run it using truss(1), you'll see this:


```
openat(AT_FDCWD,"b",O_WRONLY|O_CREAT,0666)       = 3 (0x3)
```

See the '0666'?  That's rw-rw-rw-.


----------



## marypoppins (Sep 3, 2015)

Ohh! I see!

Thank you very much for your help.


----------

