ACL question



leaded
9th December 2009, 11:08 PM
Hi there. I'm trying to create a folder for SVN repositories accessible both by apache via http:// and by system users via file:///

Here's what I've done so far...

# mkdir /var/www/svn
# chown apache:apache /var/www/svn
# chmod g+s /var/www/svn # so all child dirs and files are in the apache group
# setfacl -d -m g::rwx /var/www/svn # default ACL creates group::rwx for all children

In theory, this should allow anyone in the apache group to read and write to any file or folder in /var/www/svn because of the ACL, and the setgid bit will ensure the group is set to apache for all files and folders.

But I'm seeing this strange "#effective" ACL that I'm having a really difficult time tracking down on Google. It's overriding my ACL...

Where does this #effective:r-- come from? Why won't it honor the group ACL I manually set as a DEFAULT ACL? Thanks for the help...


$ sudo -u apache svnadmin create /var/www/svn/testrepo
$ svn co file:///var/www/svn/testrepo
$ cd testrepo;touch file1
$ svn add file1;svn commit -m "first file"
Adding file1
Transmitting file data .svn: Commit failed (details follow):
svn: attempt to write a readonly database
$ cd /var/www/svn/testrepo
$ getfacl .
# file: .
# owner: apache
# group: apache
user::rwx
group::rwx
group:svnusers:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:svnusers:rwx
default:mask::rwx
default:other::r-x
$ ls -l
total 48
drwxrwsr-x+ 2 apache apache 4096 Dec 9 13:36 conf
drwxrwsr-x+ 6 apache apache 4096 Dec 9 13:47 db
-r--r--r--+ 1 apache apache 2 Dec 9 13:36 format
drwxrwsr-x+ 2 apache apache 4096 Dec 9 13:36 hooks
drwxrwsr-x+ 2 apache apache 4096 Dec 9 13:36 locks
-rw-rw-r--+ 1 apache apache 229 Dec 9 13:36 README.txt
$ getfacl format
# file: format
# owner: apache
# group: apache
user::r--
group::rwx #effective:r--
mask::r--
other::r--

leaded
11th December 2009, 07:15 PM
Found the answer here: http://www.vanemery.com/Linux/ACL/linux-acl.html

I had to set the mask after running a normal chmod. chmod resets the ACL mask.
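
The mask behaviour described in this thread, as an added example that is not part of the original posts: a small Python model of how a chmod moves the group bits into the ACL mask and how the mask limits the effective rights of group entries. The function names and the sample ACL are constructed for illustration; this is not a real ACL API.

```python
# Added illustration: a model of POSIX ACL mask semantics, not a real ACL API.
SAMPLE = """\
user::rwx
group::rwx
group:svnusers:rwx
mask::rwx
other::r-x
"""  # constructed: the access ACL a new file inherits from the thread's default: entries

def parse_acl(text):
    """Parse getfacl-style text into {(tag, qualifier): perms}; default: entries are skipped."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop '# file:' headers and '#effective' notes
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":")
        acl[(tag, qualifier)] = perms
    return acl

def chmod(acl, mode):
    """Model chmod: with a mask entry present, the group bits replace the mask, not group::."""
    def bits(n):
        return "".join(c if n & (4 >> i) else "-" for i, c in enumerate("rwx"))
    new = dict(acl)
    new[("user", "")] = bits(mode >> 6 & 7)
    group_target = ("mask", "") if ("mask", "") in acl else ("group", "")
    new[group_target] = bits(mode >> 3 & 7)
    new[("other", "")] = bits(mode & 7)
    return new

def effective(acl, tag, qualifier=""):
    """Owner and other are never masked; every other entry is ANDed with the mask."""
    perms = acl[(tag, qualifier)]
    mask = acl.get(("mask", ""))
    if mask is None or (tag, qualifier) in {("user", ""), ("other", "")}:
        return perms
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def demo():
    """Return (group:: entry, effective rights) before chmod, after chmod 444, after mask fix."""
    before = parse_acl(SAMPLE)
    after = chmod(before, 0o444)              # a read-only mode, as on the 'format' file
    fixed = {**after, ("mask", ""): "rwx"}    # models: setfacl -m m::rwx <file>
    return [(a[("group", "")], effective(a, "group")) for a in (before, after, fixed)]

if __name__ == "__main__":
    for entry, eff in demo():
        print(f"group::{entry}  effective:{eff}")
```
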