[CentOS] Default ACL inheritance question

Thu May 14 13:26:52 UTC 2020
James Pearson <james-p at moving-picture.com>

A bit of a minor off-topic issue, but on the off-chance that someone 
understands how ACLs work ...

I've been trying to see if using default ACLs would help with the 
following issue:

I have a third party application that is running as a non-root user 
('user-a') and creating log files with mode 0600 (read/write only to the 
owner) in a log directory

I have another application that runs as another non-root user ('user-b') 
that needs to read the log files created by 'user-a'

I can't change the mode of the log files generated by 'user-a', but I 
thought I could add a default ACL to the log file's parent directory 
that gave read access to 'user-b' - i.e. something like:

% sudo setfacl -d -m u:user-b:r logdir
% getfacl logdir
# file: logdir
# owner: user-a
# group: user-a
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:user-b:r--
default:group::rwx
default:mask::rwx
default:other::r-x

Now when new log files are created in logdir, the default ACL is 
inherited, but 'user-b' still can't read the files - i.e.

% getfacl logdir/logfile
# file: logdir/logfile
# owner: user-a
# group: user-a
user::rw-
user:user-b:r--                 #effective:---
group::rwx                      #effective:---
mask::---
other::---

i.e. the effective access for 'user-b' is '---' - which is no access to 
read for 'user-b'

I'm not sure where 'effective' comes from?

If I now explicitly add a read ACL for user-b to logdir/logfile:

% sudo setfacl -m u:user-b:r logdir/logfile
% getfacl logdir/logfile
# file: logdir/logfile
# owner: user-a
# group: user-a
user::rw-
user:user-b:r--
group::rwx
mask::rwx
other::---

and 'user-b' can read logdir/logfile

I guess I'm missing something on how default ACLs are meant to work - 
can anyone explain what is happening here or point me in the right 
direction?

I've actually 'solved' the issue with a suitable sudoers rule that 
allows 'user-b' to run the required command as 'user-a', but I would 
like to find out why this default ACL method doesn't work

Thanks

James Pearson
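The behaviour in the post above follows from the ACL mask rules in acl(5): when a file is created in a directory that has a default ACL, the default entries are copied to the new file, and the mode the creating process passes to open()/creat() is then ANDed in (owner bits into user::, group bits into mask::, other bits into other::). With a creation mode of 0600 the group bits are 0, so the inherited mask becomes ---, and since named-user entries are always limited by the mask, user-b's inherited r-- entry has an effective permission of ---. A later `setfacl -m` (without -n) recalculates the mask as the union of group:: and all named entries, which is why the mask jumps to rwx and the read access starts working. The following Python model, added here and not part of the original mailing-list post, reproduces both getfacl listings from the constructed default ACL shown in the message; the function names and the tuple representation are this example's own.

```python
"""Model of how a POSIX default ACL is applied at file creation (acl(5) semantics).

Constructed example, not code from the original mailing-list post. ACL entries are
(tag, qualifier, perms) tuples; perms is a 3-bit int (r=4, w=2, x=1).
"""
from __future__ import annotations

R, W, X = 4, 2, 1
ORDER = {"user": 0, "group": 1, "mask": 2, "other": 3}  # getfacl output order


def parse_perms(s: str) -> int:
    """'r-x' -> 5"""
    return (R if s[0] == "r" else 0) | (W if s[1] == "w" else 0) | (X if s[2] == "x" else 0)


def fmt_perms(p: int) -> str:
    return ("r" if p & R else "-") + ("w" if p & W else "-") + ("x" if p & X else "-")


def parse_getfacl(text: str) -> list[tuple[str, str, int]]:
    """Parse getfacl-style lines such as 'default:user:user-b:r--' into tuples.
    '# file:' comment lines and trailing '#effective:' annotations are dropped,
    and a leading 'default:' prefix is stripped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if parts[0] == "default":
            parts = parts[1:]
        entries.append((parts[0], parts[1], parse_perms(parts[2])))
    return entries


def create_with_default_acl(default_entries, mode: int):
    """Access ACL of a new file created with 'mode' (the mode the process passes to
    open/creat; the umask is ignored when a default ACL exists) in a directory that
    carries 'default_entries'. Per acl(5) the default ACL is copied, then the owner
    bits are ANDed into user::, the group bits into mask:: (group:: if there is no
    mask) and the other bits into other::. Named entries are copied unchanged."""
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(tag == "mask" for tag, _, _ in default_entries)
    result = []
    for tag, qual, perms in default_entries:
        if tag == "user" and qual == "":
            perms &= owner
        elif tag == "mask":
            perms &= group
        elif tag == "group" and qual == "" and not has_mask:
            perms &= group
        elif tag == "other":
            perms &= other
        result.append((tag, qual, perms))
    return result


def effective(entries) -> dict[str, int]:
    """Effective permission per entry, as getfacl reports with '#effective:'.
    The mask limits named users, named groups and the owning group; user:: and
    other:: are never masked."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    out = {}
    for tag, qual, perms in entries:
        masked = mask is not None and (tag == "group" or (tag == "user" and qual != ""))
        out[f"{tag}:{qual}"] = perms & mask if masked else perms
    return out


def setfacl_modify(entries, tag: str, qual: str, perms: int):
    """Model 'setfacl -m tag:qual:perms' without -n: replace or add the entry, then
    recalculate mask:: as the union of group:: and every named entry."""
    new = [(t, q, p) for t, q, p in entries if not (t == tag and q == qual)]
    new.append((tag, qual, perms))
    union = 0
    for t, q, p in new:
        if t == "group" or (t == "user" and q != ""):
            union |= p
    return [(t, q, p) for t, q, p in new if t != "mask"] + [("mask", "", union)]


def fmt_acl(entries) -> list[str]:
    """Render entries in getfacl order, annotating entries the mask cuts down."""
    eff = effective(entries)
    lines = []
    for tag, qual, perms in sorted(entries, key=lambda e: (ORDER[e[0]], e[1] != "", e[1])):
        line = f"{tag}:{qual}:{fmt_perms(perms)}"
        if eff[f"{tag}:{qual}"] != perms:
            line += f"   #effective:{fmt_perms(eff[f'{tag}:{qual}'])}"
        lines.append(line)
    return lines


# Constructed input: the default ACL on logdir as listed in the post.
LOGDIR_DEFAULT_ACL = """\
default:user::rwx
default:user:user-b:r--
default:group::rwx
default:mask::rwx
default:other::r-x
"""


def demo():
    """Return (ACL inherited by a 0600 log file, ACL after 'setfacl -m u:user-b:r')."""
    defaults = parse_getfacl(LOGDIR_DEFAULT_ACL)
    inherited = create_with_default_acl(defaults, 0o600)   # user-a creates with 0600
    fixed = setfacl_modify(inherited, "user", "user-b", R)  # explicit read entry
    return inherited, fixed


if __name__ == "__main__":
    inherited, fixed = demo()
    print("\n".join(fmt_acl(inherited)), "\n---\n", "\n".join(fmt_acl(fixed)), sep="")
```

Running the block prints the two listings from the post: the inherited ACL shows `mask::---` with user-b and the owning group annotated `#effective:---`, and the modified ACL shows `mask::rwx`. The practical consequence is that a default ACL cannot grant a named user more than the group bits of the mode the creating process chooses, so an application that insists on 0600 defeats it unless the mask is later widened.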