Same rights for owner and group owner, but different result
I have the user with the name sftpuser in the group sftpuser. cat /etc/group | grep sftpuser gives:
sftpuser:x:1001:sftpuser
I have the directory html. ls -l on the parent folder gives the following for the folder html:
drwxrwsr-x+ 2 root sftpuser
Reboot done.
If I connect to the server with FileZilla and the user sftpuser and enter the directory html, I can't create new files. I have the same issue with WinSCP (3 - permission denied). If I declare sftpuser as the owner, it works just fine. FileZilla shows under Owner/Group for the folder html "root 1001".
Just why? And btw, what does the plus at the end of the permission descriptor stand for?
Solution 1:
The + at the end of the permissions string indicates that the directory has an Access Control List (ACL) applied to it.
It is likely that your ACL is somehow denying the user sftpuser write access to the directory.
To view the ACL for the html directory, use the command:
getfacl html
This should output something like the following:
# file: html
# owner: root
# group: sftpuser
# flags: -s-
user::rwx
group::rwx
other::r-x
The lines shown above are the defaults for a directory with the permission string drwxrwsr-x. Any additional lines are the ACL at work.
For instance, if the getfacl output was as follows:
# file: html
# owner: root
# group: sftpuser
# flags: -s-
user::rwx
user:sftpuser:r-x
group::rwx
mask::rwx
other::r-x
Then, because of the line user:sftpuser:r-x, the user sftpuser would explicitly be denied write access to the directory.
The above may not be your exact case, but perhaps some other ACL entry matches the user sftpuser and denies write access.
You can remove individual ACL entries by running, for example:
# replace "user:sftpuser" with the entry you want to remove, but omit the permissions part
setfacl -x user:sftpuser html
Or you can remove all entries (except the default ones for the user, group, and others) by running:
setfacl -b html
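The evaluation order behind the answer above, as an added example that is not part of the original post: a small Python model of the POSIX ACL access check, run over the two getfacl listings shown in the answer. The function names and the name-based matching (instead of numeric UIDs/GIDs) are assumptions made for illustration.

```python
# Added example: evaluate `getfacl` text in the POSIX ACL access-check order.
BASE_ACL = """# file: html
# owner: root
# group: sftpuser
# flags: -s-
user::rwx
group::rwx
other::r-x
"""
# Same directory with the named-user entry from the answer's second listing.
NAMED_ACL = BASE_ACL.replace("group::rwx", "user:sftpuser:r-x\ngroup::rwx\nmask::rwx")

def parse_getfacl(text):
    """Return (owner, owning_group, entries) parsed from getfacl output."""
    owner = group = None
    entries = []  # (tag, qualifier, set of permission letters)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split("#")[0].strip().split(":")[:3]
            entries.append((tag, qual, set(perms) - {"-"}))
    return owner, group, entries

def allowed(text, user, groups, want):
    """True if `user` (member of `groups`) is granted every letter in `want`."""
    owner, owning_group, entries = parse_getfacl(text)
    want = set(want)
    find = lambda tag, q: [p for t, x, p in entries if t == tag and x == q]
    mask = find("mask", "")
    masked = lambda p: p & mask[0] if mask else p
    if user == owner:                     # 1. owner: user:: entry, never masked
        return want <= find("user", "")[0]
    named = find("user", user)
    if named:                             # 2. named user: groups are not consulted
        return want <= masked(named[0])
    matches = find("group", "") if owning_group in groups else []
    for g in groups:                      # 3. owning group plus named groups
        matches += find("group", g)
    if matches:
        return any(want <= masked(p) for p in matches)
    return want <= find("other", "")[0]   # 4. everyone else

if __name__ == "__main__":
    for acl in (BASE_ACL, NAMED_ACL):
        print(allowed(acl, "sftpuser", ["sftpuser"], "w"))
```

The model covers only the ACL of the directory itself; root's privilege override and search permission on parent directories are not modelled.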