Same rights for owner and group owner, but different result

I have the user with the name sftpuser in the group sftpuser. cat /etc/group | grep sftpuser gives:

sftpuser:x:1001:sftpuser

I have the directory html; ls -l on the parent folder gives the following for the folder html:

drwxrwsr-x+ 2 root sftpuser

Reboot done.

If I connect to the server with FileZilla and the user sftpuser and enter the directory html, I can't create new files. I have the same issue with WinSCP (3 - permission denied). If I declare sftpuser as the owner, it works just fine. FileZilla shows under Owner/Group for the folder html "root 1001".

Just why? And btw, what does the plus at the end of the permission descriptor stand for?


Solution 1:

The + at the end of the permissions string indicates that the directory has an Access Control List (ACL) applied to it.

It is likely that your ACL is somehow denying the user sftpuser write access to the directory.

To view the ACL for the html directory, use the command:

getfacl html

This should output something like the following:

# file: html
# owner: root
# group: sftpuser
# flags: -s-
user::rwx
group::rwx
other::r-x

The lines shown above are the defaults for a directory with the permission string drwxrwsr-x. Any additional lines are the ACL at work.

For instance, if the getfacl output was as follows:

# file: html
# owner: root
# group: sftpuser
# flags: -s-
user::rwx
user:sftpuser:r-x
group::rwx
mask::rwx
other::r-x

Then, because of the line user:sftpuser:r-x, the user sftpuser would explicitly be denied write access to the directory.

The above may not be your exact case, but perhaps some other ACL entry matches the user sftpuser and denies write access.

You can remove individual ACL entries by running, for example:

# replace "user:sftpuser" with the entry you want to remove, but omit the permissions part
setfacl -x user:sftpuser html

Or you can remove all entries (except the default ones for the user, group, and others) by running:

setfacl -b html
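To see why the named user entry wins over the group entry even though both owner and group show rwx, here is an added example (not part of the question or the answer) that evaluates getfacl output in the order acl(5) describes: owner entry, then named user entry (masked), then the union of matching group entries (masked), then other. The getfacl text is constructed to match the denied case above; the user/group names are the ones from the question.

```python
# Constructed getfacl output, matching the "denied" case discussed in the answer.
ACL_DENIED = """\
# file: html
# owner: root
# group: sftpuser
# flags: -s-
user::rwx
user:sftpuser:r-x
group::rwx
mask::rwx
other::r-x
"""

def parse_getfacl(text):
    """Return (owner, group, entries); each entry is (tag, qualifier, set_of_perms)."""
    meta, entries = {}, []
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()   # drop getfacl's effective-rights note
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            meta[key.strip()] = value.strip()
        elif line and not line.startswith("default:"):  # default entries only affect new children
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return meta.get("owner"), meta.get("group"), entries

def effective_perms(acl_text, user, groups):
    """Permissions `user` (a member of `groups`) gets on the object, in acl(5) order."""
    owner, owning_group, entries = parse_getfacl(acl_text)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    masked = lambda p: p & mask if mask is not None else p
    if user == owner:                       # 1. owner: user:: entry, never masked
        return next(p for t, q, p in entries if t == "user" and q == "")
    for tag, qualifier, perms in entries:   # 2. named user entry beats every group entry
        if tag == "user" and qualifier == user:
            return masked(perms)
    group_perms, matched = set(), False     # 3. union of all matching group entries, masked
    for tag, qualifier, perms in entries:
        if tag == "group" and (qualifier in groups or (qualifier == "" and owning_group in groups)):
            matched, group_perms = True, group_perms | perms
    if matched:
        return masked(group_perms)
    return next(p for t, _, p in entries if t == "other")  # 4. everyone else

def rwx(perms):
    """Render a permission set as an rwx triple, e.g. {'r','x'} -> 'r-x'."""
    return "".join(c if c in perms else "-" for c in "rwx")
```

Running it on the real directory (getfacl html piped into effective_perms) shows which entry the kernel actually applies, which is the entry to pass to setfacl -x.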