How to set Linux Default ACLs differently for directories and files

Solution 1:

Well, but your example does exactly what you want ;)

Look at the second one:

overt htdocs # setfacl -dm u:apache:rx .
overt htdocs # touch blah.txt
overt htdocs # getfacl blah.txt
# file: blah.txt
# owner: root
# group: root
user::r--
user:apache:r-x                 #effective:r--
group::r--
mask::r--
other::r--

The important line is:

user:apache:r-x #effective:r--

Even though the ACL is set to r-x, it is effectively r-- for files. That is because of the mask.

And the mask will always be only rw- for files if the user created it with rw- permissions for user. (I'm not 100% sure, but the mask cannot be less restrictive than the basic permissions.)

So effectively you get r-- for files and r-x for directories.
Because created directories will have user:r-x -> mask will be r-x -> effective permission will be r-x.
For files: they will have r--, so the mask will be r-- and the effective permissions for ACLs will be r--, too. (If you create a file and give it user::r-x permissions, then the mask will be modified and users from ACLs will get the x, too.)

Solution 2:

Unfortunately, there is just no way to do this with Linux ACLs. It's true that the mask will appear to do exactly what you want, as far as effective permissions. But the next time you do an operation that recalculates the rights mask, bam, all your files will be made executable.

You might as well just resign yourself to expect all files in an ACL to be executable. That's really just a convenience rather than a security feature, and as long as you don't put those folders in your $PATH, should not be an issue. If it still bothers you, the only choice is to put your ACL controlled folders on a file system mounted with no execute option.
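The two answers above can be checked without an ACL-enabled filesystem by modelling the rules from acl(5) that they rely on: how a new object's access ACL is derived from the directory's default ACL and the creation mode (Solution 1), and how a mask recalculation re-grants x (Solution 2). This is an added Python model, not code from either answer or from the acl tools; the default ACL below is constructed to be consistent with the getfacl output shown above (a directory whose group and other bits are r--).

```python
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def to_bits(perm):
    """'r-x' -> 5"""
    return sum(PERM_BITS[c] for c in perm if c != "-")

def to_str(bits):
    """5 -> 'r-x'"""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

def inherit_acl(default_acl, mode):
    """Access ACL of an object created with `mode` in a directory that has
    `default_acl`: entries are copied, then user::/mask::/other:: are masked
    by the owner/group/other bits of `mode` (acl(5), "Object creation")."""
    acl = {tag: to_bits(p) for tag, p in default_acl.items()}
    acl["user::"] &= (mode >> 6) & 7
    acl["mask::" if "mask::" in acl else "group::"] &= (mode >> 3) & 7
    acl["other::"] &= mode & 7
    return {tag: to_str(b) for tag, b in acl.items()}

def effective(acl, tag):
    """Rights `tag` really gets: group-class entries are ANDed with the mask."""
    bits = to_bits(acl[tag])
    if tag not in ("user::", "other::") and "mask::" in acl:
        bits &= to_bits(acl["mask::"])
    return to_str(bits)

def recalculate_mask(acl):
    """setfacl -m without an explicit mask (and without -n) resets the mask
    to the union of all group-class entries, which is what re-grants x."""
    union = 0
    for tag, p in acl.items():
        if tag not in ("user::", "other::", "mask::"):
            union |= to_bits(p)
    return {**acl, "mask::": to_str(union)}

# Constructed default ACL, as left by `setfacl -dm u:apache:rx .` on a
# directory whose group/other bits are r-- (consistent with the output above)
DEFAULT_ACL = {"user::": "rwx", "user:apache": "r-x", "group::": "r--",
               "mask::": "r-x", "other::": "r--"}

if __name__ == "__main__":
    f = inherit_acl(DEFAULT_ACL, 0o444)   # blah.txt from the first answer
    d = inherit_acl(DEFAULT_ACL, 0o755)   # a subdirectory
    print("file, apache:", effective(f, "user:apache"))                     # r--
    print("dir,  apache:", effective(d, "user:apache"))                     # r-x
    print("file after mask recalc:", effective(recalculate_mask(f), "user:apache"))  # r-x
```

The third line of output is the case Solution 2 warns about: nothing in the named entry changed, only the mask was recomputed, and apache now has x on a plain file.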