A bit of a minor off-topic issue, but on the off-chance that someone understands how ACLs work ...
I've been trying to see if using default ACLs would help with the following issue:
I have a third party application that is running as a non-root user ('user-a') and creating log files with mode 0600 (read/write only to the owner) in a log directory
I have another application that runs as another non-root user ('user-b') that needs to read the log files created by 'user-a'
I can't change the mode of the log files generated by 'user-a', but I thought I could add a default ACL to the log file's parent directory that gave read access to 'user-b' - i.e. something like:
% sudo setfacl -d -m u:user-b:r logdir
% getfacl logdir
# file: logdir
# owner: user-a
# group: user-a
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:user-b:r--
default:group::rwx
default:mask::rwx
default:other::r-x
Now when new log files are created in logdir, the default ACL is inherited, but 'user-b' still can't read the files - i.e.:
% getfacl logdir/logfile
# file: logdir/logfile
# owner: user-a
# group: user-a
user::rw-
user:user-b:r--     #effective:---
group::rwx          #effective:---
mask::---
other::---
i.e. the effective access for 'user-b' is '---', which means no read access for 'user-b'.
I'm not sure where 'effective' comes from?
If I now explicitly add a read ACL for user-b to logdir/logfile:
% sudo setfacl -m u:user-b:r logdir/logfile
% getfacl logdir/logfile
# file: logdir/logfile
# owner: user-a
# group: user-a
user::rw-
user:user-b:r--
group::rwx
mask::rwx
other::---
and 'user-b' can read logdir/logfile.
I guess I'm missing something on how default ACLs are meant to work - can anyone explain what is happening here or point me in the right direction?
I've actually 'solved' the issue with a suitable sudoers rule that allows 'user-b' to run the required command as 'user-a', but I would like to find out why this default ACL method doesn't work
Thanks
James Pearson
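Added example, not part of the post above: a small Python model of the acl(5) file-creation rule that produces the "#effective:" column. A new file inherits the directory's default ACL as its access ACL, and that ACL is then intersected with the mode the application passes to open(); when a mask entry is present, the mode's group bits (000 for mode 0600) are applied to the mask rather than to group::, so every group-class entry, user:user-b:r-- included, is capped to ---, while a later `setfacl -m` without -n recomputes the mask as the union of the group-class entries. The Acl class, the entry names and the 0640 comparison case are assumptions of the model.

```python
# Model of the POSIX.1e ACL creation rule (acl(5)); pure Python, no setfacl needed.
from dataclasses import dataclass, field
from typing import Dict, Optional

R, W, X = 4, 2, 1

def perm_str(bits: int) -> str:
    """Render a permission triple the way getfacl does, e.g. 4 -> 'r--'."""
    return "".join(c if bits & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))

@dataclass
class Acl:                        # assumed representation of one access/default ACL
    user_obj: int                 # user::  (owner)
    group_obj: int                # group:: (owning group)
    other: int                    # other::
    mask: Optional[int] = None    # mask::  (upper bound for the group class)
    users: Dict[str, int] = field(default_factory=dict)   # user:NAME: entries

def inherit(default: Acl, create_mode: int) -> Acl:
    """Access ACL a new file receives when created with create_mode in a directory
    carrying default ACL `default`; create_mode is the mode passed to open/creat."""
    owner_bits, group_bits, other_bits = create_mode >> 6 & 7, create_mode >> 3 & 7, create_mode & 7
    acl = Acl(default.user_obj & owner_bits, default.group_obj,
              default.other & other_bits, default.mask, dict(default.users))
    if acl.mask is not None:
        acl.mask &= group_bits        # mask present: the mode's group bits land on the mask
    else:
        acl.group_obj &= group_bits   # no mask: they land on group:: itself
    return acl

def effective(acl: Acl, entry_bits: int) -> int:
    """Named users and group:: are ANDed with the mask; this is getfacl's #effective value."""
    return entry_bits if acl.mask is None else entry_bits & acl.mask

def recalc_mask(acl: Acl) -> Acl:
    """What `setfacl -m` (without -n) does: mask := union of all group-class entries."""
    bits = acl.group_obj
    for b in acl.users.values():
        bits |= b
    acl.mask = bits
    return acl

# logdir's default ACL from the post: user::rwx, user:user-b:r--, group::rwx, mask::rwx, other::r-x
LOGDIR_DEFAULT = Acl(user_obj=7, group_obj=7, other=5, mask=7, users={"user-b": 4})
LOGFILE_0600 = inherit(LOGDIR_DEFAULT, 0o600)   # what the application actually creates
LOGFILE_0640 = inherit(LOGDIR_DEFAULT, 0o640)   # constructed comparison: a group-readable create mode

if __name__ == "__main__":
    for mode, acl in (("0600", LOGFILE_0600), ("0640", LOGFILE_0640)):
        print(mode, "mask", perm_str(acl.mask), "user-b effective",
              perm_str(effective(acl, acl.users["user-b"])))
```

Only the creating process's mode or a later mask change can open the group class, which is why a default ACL alone cannot grant 'user-b' read access to files created with 0600.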