On 03/17/2016 06:38 PM, Rich Freeman wrote:
> On Thu, Mar 17, 2016 at 4:59 PM, Alan McKinnon <alan.mckin...@gmail.com>
> wrote:
> > Actually, this is completely viable...
>
> If users chmod a file then tell them not to. If you must, set up some
> cron job to clean up after them.
>
> But, you can of course do this with ACLs as well. I haven't tried
> setting those up personally.
>
I missed the beginning of this thread, but I just caught up on the archive. This has long been a pet peeve of mine. I don't think there's a way to make it work *at all* on Linux, which is stupid, since every somebody's-nephew can set it up in five minutes on a Windows server.

You can very easily come up with a situation that umasks, group membership, and setgid can't handle. Suppose you want a public website directory to be,

* Writable by the client (their developers)
* Writable by your web developers
* Readable by the Apache user

You can't make Apache a member of the group that has write access, so while I haven't been real careful, I don't think you can make that extremely common situation work. Every law office (attorney/paralegal/secretary) and small business needs something similar and it just can't be done.

ACLs also won't work, because nobody ever made default ACLs do the right thing. Everything in the "acl" directory should be rwx by the "apache" user below (that's what the setfacl does):

$ mkdir acl
$ cd acl
$ setfacl -d -m user:apache:rwx .

But, it's not! Just copy any file in, and see what happens:

$ cp /etc/profile ./
$ getfacl profile
# file: profile
# owner: mjo
# group: mjo
user::rw-
user:apache:rwx                 #effective:r--
group::r-x                      #effective:r--
mask::r--
other::r--

The write and execute bits are masked, so your website crashes, because Apache can't write that file (or traverse it, if we did the same experiment with a directory).

The problem above is that most common tools will do something braindead in the presence of ACLs, and attempt to preserve the existing group bits. Even though, when there are ACLs around, those group bits don't signify group permissions.

To make ACLs do the right thing, you need to run sys-apps/apply-default-acl on every file that the users create, so that the default ACLs get applied by default (craaazzzyyy). You can do that in a cron job like Alan suggested, or I've hacked tar, cp, mkdir, etc. to run it automatically on all of our servers. Why do I need to hack coreutils to share a directory between three people?

The ACL/coreutils people don't really see this as a problem. They say, tell your paralegal to RTFM and set the permissions how he wants them. (It will take you about a week to read the man pages for ACLs.)
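Added illustration, not part of the post above and not code from sys-apps/apply-default-acl: a small Python model of the rule the Linux kernel applies when a file is created under a directory with a default ACL (posix_acl_create: the default ACL is copied, then the user::, mask:: and other:: entries are ANDed with the owner, group and other bits of the mode the creating program asked for, while named entries are copied untouched and so are limited only through the mask). Fed the mode cp passes for /etc/profile (0644), it reproduces the getfacl output in the post; it then goes a step further than the post by running the same thing for mkdir (0755 after a 022 umask) and by showing what resetting the mask, as `setfacl -m m::rwx FILE` does, changes. The contents of the default ACL (what `setfacl -d -m user:apache:rwx .` leaves on a 0755 directory) and the owner/group names are assumed from the commands in the post.

```python
"""Model of how Linux derives a new file's access ACL from its parent
directory's default ACL and the mode passed to open(2)/mkdir(2).

Added illustration for the thread above, not code from the post or from
sys-apps/apply-default-acl.  It models the kernel's posix_acl_create():
copy the default ACL, AND the owner entry with the owner bits of the
requested mode, the mask entry with its group bits and the other entry
with its other bits; named entries are copied as-is, so only the mask
limits them.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1


@dataclass
class Entry:
    tag: str    # "user", "group", "mask" or "other"
    qual: str   # qualifier; "" for the owner, owning-group, mask and other entries
    perms: int  # bitmask of R | W | X


def perm_str(p: int) -> str:
    return ("r" if p & R else "-") + ("w" if p & W else "-") + ("x" if p & X else "-")


def create_with_default_acl(default_acl, mode):
    """Access ACL of an object created with `mode` (already umask-filtered)
    inside a directory carrying `default_acl`."""
    acl = [Entry(e.tag, e.qual, e.perms) for e in default_acl]
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(e.tag == "mask" for e in acl)
    for e in acl:
        if e.tag == "user" and e.qual == "":
            e.perms &= owner_bits
        elif e.tag == "mask":
            e.perms &= group_bits
        elif e.tag == "group" and e.qual == "" and not has_mask:
            # Without a mask entry the owning group plays the mask's role.
            e.perms &= group_bits
        elif e.tag == "other":
            e.perms &= other_bits
    return acl


def effective(acl):
    """Effective permission per entry: everything except user::, mask:: and
    other:: is ANDed with the mask, which is what getfacl's '#effective:'
    annotation reports."""
    mask = next((e.perms for e in acl if e.tag == "mask"), R | W | X)
    unmasked = {("user", ""), ("mask", ""), ("other", "")}
    return {f"{e.tag}:{e.qual}": e.perms if (e.tag, e.qual) in unmasked else e.perms & mask
            for e in acl}


def reset_mask(acl, perms=R | W | X):
    """Equivalent of `setfacl -m m::rwx FILE`: widen the mask so the named
    entries (and group::) get their listed permissions back."""
    return [Entry(e.tag, e.qual, perms if e.tag == "mask" else e.perms) for e in acl]


def show(acl, owner="mjo", group="mjo"):
    """Render in getfacl's format (the '# file:' line omitted)."""
    eff = effective(acl)
    lines = [f"# owner: {owner}", f"# group: {group}"]
    for e in acl:
        key = f"{e.tag}:{e.qual}"
        line = f"{key}:{perm_str(e.perms)}"
        if eff[key] != e.perms:
            line += f"\t#effective:{perm_str(eff[key])}"
        lines.append(line)
    return "\n".join(lines)


# Assumed default ACL that `setfacl -d -m user:apache:rwx .` leaves on a
# 0755 directory: setfacl copies the directory's own user::/group::/other::
# entries into the default ACL and computes the mask as the union of the
# group-class entries (group:: and user:apache), hence rwx.
ACL_DIR_DEFAULT = [
    Entry("user", "", R | W | X),
    Entry("user", "apache", R | W | X),
    Entry("group", "", R | X),
    Entry("mask", "", R | W | X),
    Entry("other", "", R | X),
]

if __name__ == "__main__":
    # cp(1) creates the copy with the source file's mode, 0644 for
    # /etc/profile, so the mask becomes rwx & r-- = r--.
    profile = create_with_default_acl(ACL_DIR_DEFAULT, 0o644)
    print(show(profile), end="\n\n")
    # mkdir(1) asks for 0777 & ~umask; with umask 022 that is 0755, so the
    # mask is r-x and apache can traverse but not write the new directory.
    print(show(create_with_default_acl(ACL_DIR_DEFAULT, 0o755)), end="\n\n")
    # After resetting the mask, apache's rwx is effective again.
    print(show(reset_mask(profile)))
```

The point the model makes concrete: the tools are not touching the ACL at all, they only pass a mode, and the kernel's own inheritance rule turns the group bits of that mode into the mask. That is why every program that creates files with a "sensible" 0644 or 0755 mode clamps the named entries, and why something has to come back afterwards and widen the mask again.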