From owner-freebsd-questions@FreeBSD.ORG Wed Oct 11 08:18:32 2006
Message-ID: <452CA8DA.2090403@aleborg.se>
Date: Wed, 11 Oct 2006 10:18:34 +0200
From: Patrik Jansson
User-Agent: Thunderbird 1.5.0.7 (Windows/20060909)
To: freebsd-questions@freebsd.org
Subject: Problems with ACLs

I'm trying to set default ACLs on a directory to restrict access to that directory, and to every file/directory created within it, to two users.
I have used this website to get a grip on how it works:
http://www.onlamp.com/pub/a/bsd/2003/08/14/freebsd_acls.html

Following that example:

  # setfacl -d -m u::rwx,g::rwx,o::---,u:apache:rwx,u:web26124:rwx test
  # setfacl -m u::rwx,g::rwx,o::---,u:apache:rwx,u:web26124:rwx test
  # cd test
  # touch file.txt
  # getfacl file.txt
  #file:file.txt
  #owner:0
  #group:1003
  user::rw-
  user:apache:rwx         # effective: r--
  user:web26124:rwx       # effective: r--
  group::rwx              # effective: r--
  mask::r--
  other::---

Looks fine to me.

So now I have a PHP script (runs as apache) that creates a directory (inside this directory I have just set default ACLs for) and a file within it:

  # getfacl dir/file
  #file:dir/file
  #owner:1004
  #group:1003
  user::rw-
  user:apache:rwx         # effective: r--
  user:web26124:rwx       # effective: r--
  group::rwx              # effective: r--
  mask::r--
  other::---

And then I try to remove the file as web26124:

  $ whoami
  web26124
  $ rm dir/file
  override rw-r----- apache/apache for dir/file? yes
  rm: dir/file: Permission denied

Files that are created in the directory where I have set default ACLs are removable by web26124, but not files that are created in the subdirectory.

  # ls -alF
  total 16
  drwxrwx---+  3 web26124  apache  512 Oct 11 10:14 ./
  drwxr-xr-x   4 web26124  apache  512 Oct 11 10:01 ../
  -rw-r--r--+  1 root      apache   64 Oct 11 10:14 create.php
  drwxr-x---+  2 apache    apache  512 Oct 11 10:13 dir/    <- Files inside this directory are NOT removable
  -rw-r-----+  1 apache    apache    0 Oct 11 10:13 file3   <- Removable

What's wrong?
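The listings in the post can be worked through mechanically. What follows is an added example in Python, not code from the post or from FreeBSD: it parses getfacl(1) output of the kind quoted above, applies the POSIX.1e mask rule (named user, named group and group:: entries are ANDed with mask::, which is exactly what the "# effective:" annotations report), and evaluates the one permission rm actually needs, namely write plus search on the directory that contains the file, not any right on the file itself. The getfacl listing for dir/file is the one from the post; the listings for the test directory and for dir, and uid 1005 for web26124, are constructed here from the ls -alF output (with an ACL present, the group bits of the displayed mode are the mask, so drwxr-x---+ means mask::r-x), not taken from a real getfacl run.

```python
"""POSIX.1e ACL evaluation as FreeBSD's getfacl(1) presents it.

Added example, not code from the original post or from FreeBSD. It parses
getfacl-style listings, applies the mask to obtain the "# effective:" rights,
and checks the permission unlink(2) actually needs on the parent directory.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

READ, WRITE, EXEC = 4, 2, 1


def perms_to_bits(perms):
    """'rwx' -> 7, 'r--' -> 4; anything that is not an rwx triple is rejected."""
    if not re.fullmatch(r"[r-][w-][x-]", perms):
        raise ValueError(f"bad permission triple: {perms!r}")
    return ((READ if perms[0] == "r" else 0) | (WRITE if perms[1] == "w" else 0)
            | (EXEC if perms[2] == "x" else 0))


def bits_to_perms(bits):
    return ("r" if bits & READ else "-") + ("w" if bits & WRITE else "-") + ("x" if bits & EXEC else "-")


@dataclass
class Principal:
    name: str
    uid: int
    gids: frozenset      # numeric primary + supplementary gids
    groups: frozenset    # the same groups by name, matched against named group: entries


@dataclass
class Acl:
    owner_uid: int
    owner_gid: int
    user_obj: int = 0                 # user::  (file owner), never masked
    group_obj: int = 0                # group:: (owning group), masked
    other: int = 0                    # other::, never masked
    mask: Optional[int] = None        # mask::, absent on a minimal ACL
    users: dict = field(default_factory=dict)   # named user entries, masked
    groups: dict = field(default_factory=dict)  # named group entries, masked

    def effective(self, bits):
        return bits if self.mask is None else bits & self.mask

    def rights_for(self, p):
        """Access-check order: owner, named user, group class (union of matches), other."""
        if p.uid == self.owner_uid:
            return self.user_obj
        if p.name in self.users:
            return self.effective(self.users[p.name])
        matched, bits = False, 0
        if self.owner_gid in p.gids:
            matched, bits = True, bits | self.effective(self.group_obj)
        for name, gbits in self.groups.items():
            if name in p.groups:
                matched, bits = True, bits | self.effective(gbits)
        return bits if matched else self.other


def parse_getfacl(text):
    """Parse a getfacl(1) listing: '#owner:'/'#group:' header lines, then tag:qualifier:perms
    entries, each optionally followed by a '# effective: ...' annotation that is ignored."""
    header, acl_entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.fullmatch(r"#(owner|group):(\d+)", line)
            if m:
                header[m.group(1)] = int(m.group(2))
            continue
        tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")
        acl_entries.append((tag, qualifier, perms_to_bits(perms)))
    acl = Acl(owner_uid=header["owner"], owner_gid=header["group"])
    for tag, qualifier, bits in acl_entries:
        if tag == "user":
            if qualifier:
                acl.users[qualifier] = bits
            else:
                acl.user_obj = bits
        elif tag == "group":
            if qualifier:
                acl.groups[qualifier] = bits
            else:
                acl.group_obj = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other = bits
        else:
            raise ValueError(f"unknown ACL tag: {tag!r}")
    return acl


def can_unlink(parent_acl, p):
    """rm needs write+search on the directory holding the file; the file's own ACL is irrelevant.
    Root and the sticky bit are not modelled."""
    need = WRITE | EXEC
    return (parent_acl.rights_for(p) & need) == need


# Listing quoted in the post for dir/file (apache is uid 1004, gid 1003 per the header lines).
FILE_ACL_TEXT = """\
#file:dir/file
#owner:1004
#group:1003
user::rw-
user:apache:rwx		# effective: r--
user:web26124:rwx		# effective: r--
group::rwx		# effective: r--
mask::r--
other::---
"""

# Constructed: the 'test' directory (drwxrwx---+) after the two setfacl commands. uid 1005 is assumed.
TEST_DIR_ACL_TEXT = """\
#file:test
#owner:1005
#group:1003
user::rwx
user:apache:rwx
user:web26124:rwx
group::rwx
mask::rwx
other::---
"""

# Constructed: 'dir' (drwxr-x---+), inherited from the default ACL but with mask::r-x because the
# group bits of the creation mode became the mask.
DIR_ACL_TEXT = """\
#file:dir
#owner:1004
#group:1003
user::rwx
user:apache:rwx
user:web26124:rwx
group::rwx
mask::r-x
other::---
"""

APACHE = Principal("apache", 1004, frozenset({1003}), frozenset({"apache"}))
WEB26124 = Principal("web26124", 1005, frozenset({1003}), frozenset({"apache"}))  # assumed membership

if __name__ == "__main__":
    test_acl, dir_acl = parse_getfacl(TEST_DIR_ACL_TEXT), parse_getfacl(DIR_ACL_TEXT)
    for who in (APACHE, WEB26124):
        print(f"{who.name}: on test={bits_to_perms(test_acl.rights_for(who))}"
              f" on dir={bits_to_perms(dir_acl.rights_for(who))}"
              f" can rm dir/file={can_unlink(dir_acl, who)}")
```

Run as-is it reports that web26124 holds rwx on test (so file3 is removable) but only r-x on dir, which lacks the write bit unlink(2) requires; the rw-r----- mode rm prompts about is a property of the file and has nothing to do with the refusal.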