source link: https://mikesmithers.wordpress.com/2022/07/04/using-an-access-control-list-to-set-default-permission-for-new-files-in-a-directory-on-linux/

Using an Access Control List to set default permission for new files in a directory on Linux

Posted on July 4, 2022

Today’s “I’ve finally figured out how to do this” instalment is all about Linux file permissions.
In this case, it’s how to ensure that files in a given directory are created with a default group and set of permissions.
The idea is that any files created in a given directory are readable by members of a specific group.

Teddy will be joining me for this Linux adventure. Lately he’s started to wonder if there’s much future in the Boris-Johnson-Lookalike business and so he’s looking to diversify…

[Image: teddy_cake.jpg]

“Any chance I can ambush that cake ?”

Users and Groups

Let’s start by giving teddy an account…

sudo useradd teddy

…and then creating a group…

sudo groupadd pack

…to which both teddy and mike are added…

sudo usermod -a -G pack mike
sudo usermod -a -G pack teddy

We can confirm that both users now belong to the group :

getent group pack
pack:x:1007:mike,teddy

The Directory

When I create a directory as mike, I can see that it inherits that user’s primary group :

mkdir treats
ls -ld treats
drwxrwxr-x 2 mike mike 4096 Jul  2 10:40 treats

We want to change this so that it uses the group we’ve just created :

chgrp pack treats
ls -ld treats
drwxrwxr-x 2 mike pack 4096 Jul  2 10:40 treats

This does not affect any new files created in the directory, which are still assigned their owners’ primary group by default :

mike$ touch treats/biscuit.txt
mike$ ls -l treats/biscuit.txt 
-rw-rw-r-- 1 mike mike 0 Jul  2 10:44 treats/biscuit.txt

teddy$ touch treats/woof.txt
teddy$ ls -l treats/woof.txt
-rw-rw-r-- 1 teddy teddy 0 Jul  2 10:46 treats/woof.txt

To ensure that any new files created in the directory inherit the directory’s group, we need to set the setgid bit on the directory. Don’t worry, that’s not as complicated as it sounds. In fact, we simply need to run :

chmod g+s treats

We can see the effect this has on the directory permissions :

ls -ld treats
drwxrwsr-x 2 mike pack 4096 Jul  2 10:46 treats

When teddy creates his next file, the directory’s group is used :

teddy $ touch treats/growl.txt
teddy $ ls -l treats/growl.txt

-rw-rw-r-- 1 teddy pack 0 Jul  2 10:54 treats/growl.txt

We still have a bit of work to do. Remember, that we want any new files to be read-write for the owner, read-only for group members and not accessible for anyone else.

Access Control Lists

In Linux, each file has an Access Control List (ACL) and, being just a type of file, a directory is no different. For treats, the current ACL looks like this :

getfacl treats
# file: treats
# owner: mike
# group: pack
# flags: -s-
user::rwx
group::rwx
other::r-x

Incidentally, we can see the setgid bit in the flags line.

Side Note – Execute Permissions

You may have noticed that the execute permission on the directory is set for everyone. However, none of our files have been created with execute enabled.
As explained in this Stack Overflow answer, it doesn’t really make sense to grant execute permission on a file unless it’s known to be executable, so Linux does not do this automatically : a file is created with mode 0666 (minus the umask) whatever the directory says.

Directories, however, are subtly different. The execute permission is what allows a user to enter (or traverse) a directory.

To demonstrate, we can create a directory from which the others execute permission is then revoked …

mike$ mkdir walkies
chmod o-x walkies
ls -ld walkies
drwxrwxr-- 2 mike mike 4096 Jul  2 11:30 walkies

As teddy is neither the file owner nor a member of the mike group, the other permissions are the ones that apply to him.

Whilst he can list the contents of the directory (read), he cannot navigate into it (execute) :

teddy$ ls -l walkies
total 0

teddy$ cd walkies
sh: 3: cd: can't cd to walkies

Defaulting the ACL settings

Remember, we want any new files we create to be read-only for members of the pack group and to have no permissions for other users.
We can do this by setting the default ACL permissions.

To remove write permissions from group, we add a default setting to the directory’s ACL :

setfacl -d -m g::r-- treats

The ACL now looks like this :

getfacl treats
# file: treats
# owner: mike
# group: pack
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::r--
default:other::r-x

The directory listing has also changed :

ls -ld treats
drwxrwsr-x+ 2 mike family 4096 Jul  1 12:43 treats

The “+” at the end of the permissions indicates that this directory now has an extended ACL (in our case, the default entries we’ve just added) beyond the plain owner/group/other bits that ls can show.

Next, we want to revoke privileges from other :

setfacl -d -m o::--- treats
mike $ getfacl treats
# file: treats
# owner: mike
# group: pack
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::r--
default:other::---

These permissions are now applied to any new files created in the directory :

mike $ echo 'Biscuit'>treats/goodboy.log
mike $ ls -l treats/goodboy.log
-rw-r----- 1 mike pack 8 Jul  2 13:27 treats/goodboy.log

Teddy can read the new file (although he refuses to use cat for some reason) :

teddy $ more treats/goodboy.log
Biscuit

However, he cannot write to the file :

teddy $ echo 'More biscuits' >>treats/goodboy.log
sh: 3: cannot create treats/goodboy.log: Permission denied

On the other hand, he can create a new file which mike can see, but not write to (much to teddy’s relief) …

teddy$ echo 'Munch! Wag! Woof!' >treats/happydog.log
teddy$ ls -l treats/happydog.log
-rw-r----- 1 teddy pack 18 Jul  2 13:30 treats/happydog.log

mike$ cat treats/happydog.log
Munch! Wag! Woof!
mike$ echo 'Bath Time !' >>treats/happydog.log
bash: treats/happydog.log: Permission denied

Remember, the ACL changes we’ve made do not apply retrospectively : files that already existed in the directory keep the group and permissions they were created with :

ls -lrt treats
total 8
-rw-rw-r-- 1 mike  mike   0 Jul  2 10:44 biscuit.txt
-rw-rw-r-- 1 teddy teddy  0 Jul  2 10:46 woof.txt
-rw-rw-r-- 1 teddy pack   0 Jul  2 10:54 growl.txt <- after the setgid
-rw-r----- 1 mike  pack   8 Jul  2 13:27 goodboy.log <- after ACL changes
-rw-r----- 1 teddy pack  18 Jul  2 13:30 happydog.log 
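The steps above (chgrp, setgid, default ACL, then checking what a new file actually receives) gathered into a small, re-runnable script. This is an added example and not code from the original post; the function names are mine, and it assumes GNU or busybox coreutils (stat -c), the acl package (setfacl, getfacl) and a filesystem mounted with POSIX ACL support. Creating the users and the group (useradd, groupadd, usermod) needs root and is left to the administrator, as on the page; the test run uses the caller’s own primary group in place of pack.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the page's steps
# (chgrp, chmod g+s, setfacl -d) in re-runnable functions for any directory
# and group; "treats" and "pack" are just the page's names.
# Assumes: stat -c (GNU/busybox coreutils), the acl package (setfacl,
# getfacl) and a filesystem with POSIX ACL support. Creating users and
# groups needs root and is not done here.

# Hand the directory to the group, set setgid so new files inherit that
# group, and install default ACL entries: owner rw(x), group read-only,
# others nothing.
apply_shared_dir_policy() {
    # $1 = directory, $2 = group name or numeric gid
    chgrp "$2" "$1" || return 1
    chmod g+s "$1" || return 1
    # -d edits the *default* entries, which only affect objects created
    # later; the directory's own access ACL is left as it is.
    setfacl -d -m u::rwx,g::r--,o::--- "$1" || return 1
}

# Create a file the way shell redirection does (open(2) with mode 0666)
# and return its resulting octal mode. With the default ACL above the
# kernel ANDs 0666 with user::rwx / group::r-- / other::---, giving 640.
# Once a default ACL exists the umask is no longer consulted for files
# created in that directory.
new_file_mode() {
    # $1 = directory, $2 = file name
    : > "$1/$2" || return 1
    stat -c %a "$1/$2"
}

# Numeric group id of a file, to confirm setgid inheritance.
file_gid() {
    stat -c %g "$1"
}

# Stand-alone walk-through in a temporary directory: sh script.sh demo
demo_shared_dir() {
    d=$(mktemp -d)
    : > "$d/before.txt"                  # created before the policy
    # "$(id -g)" is the caller's own primary group, standing in for pack
    apply_shared_dir_policy "$d" "$(id -g)" || return 1
    echo "after  : $(new_file_mode "$d" after.txt) gid=$(file_gid "$d/after.txt")"
    echo "before : $(stat -c %a "$d/before.txt") (unchanged: defaults are not retroactive)"
    getfacl --omit-header "$d"
    rm -rf "$d"
}

case "${1:-}" in
    demo) demo_shared_dir ;;
esac
```

One caveat worth keeping in mind when you reuse this: the default entries are inherited by new subdirectories as well as files. A subdirectory created inside treats is requested with mode 0777, so default:group::r-- leaves the group with read but no execute on it, and group members will not be able to enter it (exactly the situation in the walkies side note). If subdirectories are expected, set the default group entry to r-x instead; files are still created with 0666, so they never pick up the execute bit either way.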

Further Reading

There’s a useful guide to Linux file permissions here.
This article provides further information on configuring Linux ACLs.
We’ve managed to get through all of this file permission malarkey without mentioning sticky bits. If you’re still curious, you can check out this article.
