Does ACL override Dir permissions

Will ACL adds override existing group permissions? We added rx to a directory tree for group myusergroup with the commands below.

setfacl -Rm "g:myusergroup:rx" /opt/oracle/admin
setfacl -Rdm "g:myusergroup:rx" /opt/oracle/admin

But any user in group dba does NOT have write permission in newly created directories: even though the directories show 775 permissions, the effective permission for the group does not.

What am I missing?

$ ls -ld my_backup

drwxrwxr-x+ 2 oracle dba 4096 Apr 21 08:44 my_backup

$ getfacl my_backup

# file: my_backup
# owner: oracle
# group: dba
user::rwx
group::r-x
group:edmuser:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:myusergroup:r-x
default:mask::r-x
default:other::r-x

$ touch ./my_backup/test.txt
touch: cannot touch `./my_backup/test.txt': Permission denied

$ id
uid=4000(exagrid) gid=40000(dba) groups=40000(dba)



Introduction

I don't think the question is best framed in terms of "overriding". An understanding of how traditional file permissions (user/group/other classes) and the more granular access permissions provided by ACLs work together is preferable. James already provided a solution. I'm going to expand on why it works.


Understanding ACLs

  1. Firstly, a default ACL applies not to the directory on which it is set, but to files and subdirectories created within it. The latter files and directories inherit default ACL settings as their own access ACL settings. Thus, the default ACL settings listed are irrelevant to this problem and I won't discuss default ACLs in what follows.

  2. In the context of traditional file permissions a file has an Owner, a Group, and an Other class – one for each class of user. The permissions set on those classes become the effective permissions of the owning user, owning group, and other users, respectively. If ACLs are supported and used, those class permissions remain the effective permissions of the owning user and other users. By contrast, the Group class permissions now reflect the maximum allowable permissions for any named users or groups (i.e. any users or groups assigned permissions via an ACL entry) (in addition to the owning group). The "Group User" may now be thought of as comprised of the owning group and any users or groups assigned permissions via an ACL entry. This means that applications that do not recognise ACLs can still interact with the file.

  3. The aforementioned "maximum allowable permissions" value is the ACL mask value. When an ACL entry is made, an ACL mask entry is created. The mask entry has a value that is recalculated following any subsequent ACL modification or chmod operation. Recall that the owning group and all ACL named user and group entities together make up the Group now. The mask is a response to the inability to represent these various permissions with a single permission: it represents a maximum, not a permission shared by all components of the group. In this way, a named user can have greater permissions than the owning group has. Each ACL named entity has "masked permissions", meaning that those of their defined permissions that do not conflict with the maximum set by the mask become their effective permissions. If the mask entry value is rwx and a named user's permissions are rw, that user's effective permissions are rw. On the other hand, if the mask entry value is r and a named user's permissions are rwx, that user's effective permissions are r. To understand why this doesn't cause more problems than it is worth, recall that the mask is recalculated following each modification.


Addressing the Problem; and the Solution

It should now be clear that the permissions found in the long-listing

drwxrwxr-x+ 2 oracle dba 4096 Apr 21 08:44 my_backup

derive from the ACL's mask::rwx setting. The Group permissions value represents the maximum permissions for the owning group (dba), in addition to any ACL named entities. John's problem is that the effective permissions of his dba group are defined as group::r-x. These permissions are not curtailed by the mask since they don't exceed the defined maximum; but neither are they escalated by the mask. As James says, the solution is to edit the ACL group permissions.


References

This answer is from pieced-together personal notes, which don't include citations. Luckily they did include a single link, which, following a glance, seems to have provided a lot of the content: POSIX Access Control Lists on Linux, Andreas Grünbacher


So even though ls -ld shows group dba should have write permission on dir my_backup

 drwxrwxr-x+ 2 oracle dba 4096 Apr 21 08:44 my_backup

The ACL is overriding this. So if you want to keep write access for dba, you need to add that to your ACL group permissions.
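As an added illustration of the rules both answers describe (it is not code from the question or from either answer), the following Python models the POSIX ACL access check: owner and other entries apply as-is, while the owning group, named users and named groups are ANDed with the mask before they are compared to the requested permission. It also models what `setfacl -m` does to the mask, so the reader can see why `group::r-x` denies the write in the question and why changing the owning-group entry fixes it. The getfacl text is constructed from the question's output (user names and group memberships are assumed); no real filesystem is touched.

```python
"""Effective-permission model for POSIX ACLs in getfacl text format.

Added example, not part of the original question or answers. It models
the algorithm described in the answers: owner/other are unmasked, the
owning group and named entries are masked, and setfacl recalculates the
mask after a modification unless told not to (-n).
"""

# Constructed from the question's getfacl output. The default: entries are
# omitted on purpose: they are inherited by new children and do not affect
# access to my_backup itself.
GETFACL_OUTPUT = """\
# file: my_backup
# owner: oracle
# group: dba
user::rwx
group::r-x
group:myusergroup:r-x
mask::rwx
other::r-x
"""


def parse_acl(text):
    """Parse getfacl output into (owner, owning_group, entries).

    entries is a list of (tag, qualifier, perms); perms is a set of 'r','w','x'.
    """
    owner = owning_group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):                 # header lines
            key, _, value = line[1:].strip().partition(": ")
            if key == "owner":
                owner = value
            elif key == "group":
                owning_group = value
            continue
        line = line.split("#", 1)[0].strip()     # drop "#effective:..." notes
        if line.startswith("default:"):
            continue                             # inherited by children only
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, set(perms.replace("-", ""))))
    return owner, owning_group, entries


def effective_entries(entries):
    """Apply the mask: owning group and named entries are ANDed with it,
    the owner (user::) and other:: entries are left untouched."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    result = []
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        is_masked = tag == "group" or (tag == "user" and qualifier != "")
        eff = perms & mask if (is_masked and mask is not None) else perms
        result.append((tag, qualifier, eff))
    return result


def check_access(acl, user, groups, wanted):
    """True if `user` (member of the group names in `groups`) gets every
    permission character in `wanted`. The first matching class decides,
    except that among matching group entries any one that grants is enough."""
    owner, owning_group, entries = acl
    eff = effective_entries(entries)
    wanted = set(wanted)
    if user == owner:
        return wanted <= next(p for t, q, p in eff if t == "user" and q == "")
    for t, q, p in eff:
        if t == "user" and q == user:
            return wanted <= p
    group_matches = [p for t, q, p in eff
                     if t == "group" and (q or owning_group) in groups]
    if group_matches:
        return any(wanted <= p for p in group_matches)
    return wanted <= next(p for t, q, p in eff if t == "other")


def modify_entry(entries, tag, qualifier, perms, recalc_mask=True):
    """Model `setfacl -m tag:qualifier:perms`: replace or add the entry and,
    like setfacl's default, recalculate the mask as the union of the owning
    group, named users and named groups (recalc_mask=False models -n)."""
    perms = set(perms.replace("-", ""))
    new = [(t, q, p) for t, q, p in entries if not (t == tag and q == qualifier)]
    new.append((tag, qualifier, perms))
    if recalc_mask and tag != "mask":
        union = set()
        for t, q, p in new:
            if t == "group" or (t == "user" and q != ""):
                union |= p
        new = [(t, q, p) for t, q, p in new if t != "mask"] + [("mask", "", union)]
    return new


if __name__ == "__main__":
    acl = parse_acl(GETFACL_OUTPUT)
    print("exagrid (dba) may write:", check_access(acl, "exagrid", {"dba"}, "w"))
    owner, grp, entries = acl
    fixed = (owner, grp, modify_entry(entries, "group", "", "rwx"))  # setfacl -m g::rwx
    print("after g::rwx, may write:", check_access(fixed, "exagrid", {"dba"}, "w"))
```

The `modify_entry` call with `"group", ""` corresponds to James's fix, `setfacl -m g::rwx my_backup`: the owning-group entry itself is raised to rwx, and because the mask is already rwx the effective permission follows. Setting the mask alone would change nothing, since the mask is a ceiling, not a grant.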