Solution 1:

This is a typical job for ACLs :-)

Your example

$ mkdir /tmp/foo

Set the permissions for the directory itself

$ setfacl -m g::rwx -m o::rx  /tmp/foo

Set the permissions for newly created directories and files in that directory.

$ setfacl -m default:g::rwx -m default:o::rx  /tmp/foo

Test

$ mkdir /tmp/foo/bar
$ touch /tmp/foo/bar/baz.py
$ ls -ld /tmp/foo/bar /tmp/foo/bar/baz.py
drwxrwxr-x+ 2 jdoe jdoe 4096 Mar 10 00:06 /tmp/foo/bar
-rw-rw-r--  1 jdoe jdoe    0 Mar 10 00:06 /tmp/foo/bar/baz.py

Explanations

  • The concept of a mask is very different between ACLs and the Unix permissions mask. The ACL's mask is an attribute of the file which restricts the maximum permissions granted through the ACL (mask:r-x + group:foo:rwx => effective permissions = r-x).
  • Warning: modifying the Unix permissions of the group also modifies the ACL's mask (by design!).

Suggestions

  • Use setgid (like chmod 2755), so you control which group can write to the file.
  • and/or explicitly grant permissions to a group: setfacl -m group:dev_team:rwx
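
The mask rule from the Explanations, worked through as an added example that is not part of the original answer: the function reads getfacl-style text and prints each access entry with its effective rights. The names acl_effective and SAMPLE_ACL, the user alice and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: effective rights = entry rights limited by the ACL mask.
# The mask limits named users, the owning group and named groups;
# the file owner (user::) and other:: are never masked.

acl_effective() {
    awk -F: '
        /^#/ || /^default:/ { next }   # skip header lines and default (inherited) entries
        { sub(/[ \t]*#.*/, "") }       # drop a trailing "#effective:..." hint if present
        NF != 3 { next }
        $1 == "mask" { mask = $3; next }
        { n++; tag[n] = $1; who[n] = $2; perm[n] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                eff = perm[i]
                masked = (tag[i] == "group" || (tag[i] == "user" && who[i] != ""))
                if (masked && mask != "") {
                    eff = ""
                    for (c = 1; c <= 3; c++) {
                        p = substr(perm[i], c, 1)
                        eff = eff (p == substr(mask, c, 1) ? p : "-")
                    }
                }
                printf "%s:%s:%s\n", tag[i], who[i], eff
            }
        }
    '
}

# Constructed sample in getfacl output format (not captured from a real system).
SAMPLE_ACL='# file: tmp/foo
# owner: jdoe
# group: jdoe
user::rwx
user:alice:rw-
group::rwx
group:dev_team:rwx
mask::r-x
other::r--
default:group::rwx'

printf '%s\n' "$SAMPLE_ACL" | acl_effective
```

Because the mask is r-x, dev_team and the owning group lose write access even though their entries say rwx, which is the effect a later chmod on the group bits has.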