What is meant by mask and effective in the output from getfacl?


getfacl /var/www:

getfacl: Removing leading '/' from absolute path names
# file: var/www
# owner: Name
# group: Name
user::-wx
user:Test:rwx           #effective:r--
group::rw-          #effective:r--
mask::r--
other::rwx

Solution 1:

ACLs are an extended set of permissions.

The POSIX permissions are that each file or directory has an owner, group, and other with read, write, and executable bits.

ACLs add additional access, or "mask", and can be used to define additional groups/users and extended permissions.

So what you are seeing is the POSIX permissions + the ACL "mask" and when you put them together you get the effective access.

For example, if you have rwx POSIX permissions and the ACL gives you r--, your effective permissions are read only.

If POSIX gives you r-- and the ACL gives you rwx, your effective permissions are STILL RO.

So you are seeing the POSIX permissions, the ACL mask, and the result or effective permissions. You can then modify either the POSIX or ACL access as needed to give you the effective access you desire ;)

Table: Masking of Permissions

| Entry type | Text form | Permissions |
|---|---|---|
| Named user | user:joe:r-x | r-x |
| Mask | mask::rw- | rw- |
| Effective permissions | | r-- |

See http://www.vanemery.com/Linux/ACL/POSIX_ACL_on_Linux.html

Especially the "Table: Masking of Permissions", which I tried to quote above, and the first section "How ACLs Work"
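
As an added example (not part of the original answer), this Python script derives the effective permissions for the getfacl output in the question, using the rule documented in acl(5): the mask caps named users, the owning group and named groups, while the owner entry (user::) and other:: are not masked. The function names are hypothetical, the sample input is constructed from the question, and only access ACL entries (no default: lines) are handled.

```python
# Constructed sample: the getfacl output from the question, with the
# "#effective:" comments left out so the script has to derive them.
SAMPLE = """\
# file: var/www
# owner: Name
# group: Name
user::-wx
user:Test:rwx
group::rw-
mask::r--
other::rwx
"""


def parse_acl(text):
    """Return a list of (tag, qualifier, perms) from getfacl-style text."""
    entries = []
    for line in text.splitlines():
        # Drop header lines and trailing comments such as "#effective:r--".
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perms = line.split(":", 2)
        entries.append((tag, qualifier, perms))
    return entries


def effective_acl(text):
    """Map each ACL entry to the permissions that actually apply."""
    entries = parse_acl(text)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        # Masked: named users (user:NAME), the owning group (group::) and
        # named groups. Not masked: the owner (user::) and other::.
        masked = mask is not None and (tag == "group" or (tag == "user" and qualifier))
        if masked:
            # Keep a bit only when both the entry and the mask grant it.
            perms = "".join(p if p == m else "-" for p, m in zip(perms, mask))
        result[f"{tag}:{qualifier}"] = perms
    return result


if __name__ == "__main__":
    for entry, perms in effective_acl(SAMPLE).items():
        print(f"{entry:<12} {perms}")
```

In the question's output, other::rwx stays rwx even though the mask is r--, so tightening the mask alone does not restrict users who match neither the owner nor any user or group entry.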