
We have a Linux box running Ubuntu 10.04. Its primary function is a web server and it is configured with (I think) a conventional LAMP stack.

Developers have access to a common directory "dev" which contains a sub directory which serves as the web root. All developers have individual SSH access.

When developers create files in the "dev" directory tree, or pull files into "dev" from a repository we want the file permissions to be rwxrwxr-x. Instead newly created files have permissions of rw-r--r--. By modifying ACLs and setting group and user id on "dev" with sticky bits etc. I have managed to get newly created files with permissions of rw-rw-r--.

I assume the problem is down to the umask configuration which is currently set using the global value of 022 in /etc/profile. I don't want to change the umask globally or for each developer to allow more relaxed default permissions.

I can't see a way of achieving what we want with ACLs and umask unless I am missing something. Surely this is a fairly common requirement for web developers working on shared projects.

Is there a preferred or recommended approach?

Initially I set the gid on "dev" as follows.

    chmod g+s dev
    ls -l
    drwxrwsr-x 8 755 admin 4096 Jan 19 13:24 dev

The default ACL on "dev" is as follows.

    getfacl dev
    # file: dev
    # owner: 755
    # group: admin
    # flags: -s-
    user::rwx
    group::rwx
    other::r-x

I applied an ACL for the "admin" group (to which developers belong).

    setfacl -Rm d:g:admin:rwX dev
    getfacl dev
    # file: dev
    # owner: 755
    # group: admin
    # flags: -s-
    user::rwx
    group::rwx
    other::r-x
    default:user::rwx
    default:group::rwx
    default:group:admin:rwx
    default:mask::rwx
    default:other::r-x

I create a file and check file permissions.

    touch dev/foo
    ls -l dev
    -rw-rw-r--+ 1 duncmc admin 0 Jan 19 16:03 foo

This time I add an ACL for my user "duncmc"

    setfacl -Rm u:duncmc:rwX dev
    getfacl dev
    # file: dev
    # owner: 755
    # group: admin
    # flags: -s-
    user::rwx
    user:duncmc:rwx
    group::rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:group::rwx
    default:group:admin:rwx
    default:mask::rwx
    default:other::r-x

I create a new file and check permissions.

    touch dev/bar
    ls -l dev
    -rw-rw-r--+ 1 duncmc admin 0 Jan 19 16:07 bar
    -rw-rwxr--+ 1 duncmc admin 0 Jan 19 16:03 foo

Adding an ACL for my user appears to have changed the group permission (was rw- now rwx) on the existing file "foo". The newly created file has inherited different permissions. This doesn't make sense to me and suggests there is something fundamental about the way this works that I don't understand.

  • Can you give us the specifics on what ACLs you've set up? Commented Jan 19, 2011 at 15:33
  • I have edited my original post to include specific details of ACLs. Commented Jan 19, 2011 at 16:19
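
The listings in the question (foo changing from rw-rw- to rw-rwx while the new file bar shows rw-rw-) follow from the POSIX ACL mask rules in acl(5) and setfacl(1). The following is an added example, not part of the original thread: a small Python model of those rules, with the ACL dictionaries and function names invented for illustration and the default ACL copied from the getfacl output above.

```python
# Model of POSIX ACL inheritance and mask recalculation (acl(5), setfacl(1)).
# An ACL is a dict of entry tag -> "rwx"-style string. Assumes a mask:: entry
# exists, which is always the case once named users or groups are present.
OWNER_CLASSES = ("user::", "mask::", "other::")

def bits(p):
    """'rw-' -> 6"""
    return sum(v for c, v in zip(p, (4, 2, 1)) if c != "-")

def perms(n):
    """6 -> 'rw-'"""
    return "".join(c if n & v else "-" for c, v in zip("rwx", (4, 2, 1)))

def create_file(default_acl, mode):
    """Access ACL a new file inherits from the parent's default ACL.
    The creation mode (0o666 for touch) is ANDed into user::, mask:: and
    other::. The umask is not consulted when a default ACL exists."""
    acl = dict(default_acl)
    for tag, shift in (("user::", 6), ("mask::", 3), ("other::", 0)):
        acl[tag] = perms(bits(acl[tag]) & (mode >> shift) & 7)
    return acl

def setfacl_modify(acl, tag, perm):
    """setfacl -m without -n: set one entry, then recalculate mask:: as the
    union of group::, every named user and every named group."""
    acl = {**acl, tag: perm}
    union = 0
    for t, p in acl.items():
        if t not in OWNER_CLASSES:
            union |= bits(p)
    acl["mask::"] = perms(union)
    return acl

def effective(acl, tag):
    """Permissions an entry really grants: entry AND mask."""
    return perms(bits(acl[tag]) & bits(acl["mask::"]))

def ls_mode(acl):
    """What ls -l prints: the group column shows mask::, not group::."""
    return "-" + acl["user::"] + acl["mask::"] + acl["other::"] + "+"

DEV_DEFAULT = {"user::": "rwx", "group::": "rwx", "group:admin": "rwx",
               "mask::": "rwx", "other::": "r-x"}

foo = create_file(DEV_DEFAULT, 0o666)                  # touch dev/foo
# The question used rwX; rw- is modelled here. The mask result is the same
# either way because group:: and group:admin already carry x.
foo_after = setfacl_modify(foo, "user:duncmc", "rw-")  # setfacl -Rm u:duncmc:...
bar = create_file(DEV_DEFAULT, 0o666)                  # touch dev/bar
```

Before the second setfacl, foo's group::rwx and group:admin:rwx entries are held to rw- by the mask; the recalculation widens the mask to rwx, so those entries become effective in full. setfacl's `-n` option skips the recalculation.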

1 Answer

It turns out that file permissions of rw-rw-r-- (or 644) are adequate for our requirements.
