A bit of a minor off-topic issue, but on the off-chance that someone understands how ACLs work ...

I've been trying to see if using default ACLs would help with the following issue:

I have a third party application that is running as a non-root user ('user-a') and creating log files with mode 0600 (read/write only to the owner) in a log directory.

I have another application that runs as another non-root user ('user-b') that needs to read the log files created by 'user-a'.

I can't change the mode of the log files generated by 'user-a', but I thought I could add a default ACL to the log file's parent directory that gave read access to 'user-b' - i.e. something like:

% sudo setfacl -d -m u:user-b:r logdir
% getfacl logdir
# file: logdir
# owner: user-a
# group: user-a
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:user-b:r--
default:group::rwx
default:mask::rwx
default:other::r-x

Now when new log files are created in logdir, the default ACL is inherited, but 'user-b' still can't read the files - i.e.

% getfacl logdir/logfile
# file: logdir/logfile
# owner: user-a
# group: user-a
user::rw-
user:user-b:r--    #effective:---
group::rwx         #effective:---
mask::---
other::---

i.e. the effective access for 'user-b' is '---' - which is no access to read for 'user-b'. I'm not sure where 'effective' comes from?

If I now explicitly add a read ACL for user-b to logdir/logfile:

% sudo setfacl -m u:user-b:r logdir/logfile
% getfacl logdir/logfile
# file: logdir/logfile
# owner: user-a
# group: user-a
user::rw-
user:user-b:r--
group::rwx
mask::rwx
other::---

and 'user-b' can read logdir/logfile.

I guess I'm missing something on how default ACLs are meant to work - can anyone explain what is happening here or point me in the right direction?

I've actually 'solved' the issue with a suitable sudoers rule that allows 'user-b' to run the required command as 'user-a', but I would like to find out why this default ACL method doesn't work.

Thanks

James Pearson
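Added example, not part of the post above: a small Python model of the two POSIX.1e ACL rules that produce exactly the two getfacl listings shown. On file creation the inherited mask:: entry is ANDed with the group bits of the creation mode (0600 gives ---, which is what the #effective comments report), and a later setfacl -m recalculates the mask as the union of the group-class entries. The ACL text is the post's own listing embedded as constructed input; the function names are assumptions of this example.

```python
# Constructed input: the default ACL the post sets on logdir.
LOGDIR_DEFAULT_ACL = """\
default:user::rwx
default:user:user-b:r--
default:group::rwx
default:mask::rwx
default:other::r-x
"""
def parse_acl(text):
    """getfacl lines -> (tag, qualifier, perms) tuples; '#' comments are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = line.split(":")
            if fields[0] == "default":      # default:user:... -> user:...
                fields = fields[1:]
            entries.append(tuple(fields))
    return entries

def _and(a, b):   # bitwise AND of two 'rwx' strings
    return "".join(x if x == y else "-" for x, y in zip(a, b))
def _or(a, b):    # bitwise OR of two 'rwx' strings
    return "".join(x if x != "-" else y for x, y in zip(a, b))
def rwx(bits):    # three mode bits -> 'rwx' string
    return "".join(c if bits & m else "-" for c, m in (("r", 4), ("w", 2), ("x", 1)))
def inherit(default_entries, mode):
    """New file created with `mode` under default_entries (acl(5)): user:: & owner bits,
    other:: & other bits, mask:: & GROUP bits of mode; named entries copied unchanged."""
    limit = {"user": rwx(mode >> 6 & 7), "mask": rwx(mode >> 3 & 7), "other": rwx(mode & 7)}
    return [(t, q, _and(p, limit[t]) if q == "" and t in limit else p)
            for t, q, p in default_entries]

def effective(entries, tag, qualifier):
    """Permissions actually granted to one entry (what getfacl prints as #effective)."""
    perms = next(p for t, q, p in entries if (t, q) == (tag, qualifier))
    mask = next((p for t, q, p in entries if t == "mask"), None)
    if mask is None or tag == "other" or (tag, qualifier) == ("user", ""):
        return perms                        # owner and other are never masked
    return _and(perms, mask)

def modify(entries, tag, qualifier, perms):
    """setfacl -m without -n: set one entry, then recompute mask as the union of the
    group-class entries (group::, named users, named groups)."""
    entries = [(t, q, perms if (t, q) == (tag, qualifier) else p) for t, q, p in entries]
    union = "---"
    for t, q, p in entries:
        if t == "group" or (t == "user" and q != ""):
            union = _or(union, p)
    return [(t, q, union if t == "mask" else p) for t, q, p in entries]
```

Because the mask is taken from the group bits of the creation mode, a default ACL alone can never grant a named user more than the creating application's mode allows at creation time; the mask has to be widened afterwards, which is what the explicit setfacl -m in the post does as a side effect.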