When your umask is set to 0077 (common for security-conscious users), it means:
- New files get permissions: 600 (rw-------)
- New directories get permissions: 700 (rwx------)
This becomes problematic when you need specific directories to have more open permissions by default. The traditional approach would be to manually chmod each new file, which isn't practical.
Linux Access Control Lists (ACLs) provide a powerful way to solve this. We'll use setfacl to create default permissions that override the umask:
# Set default ACLs for the directory (inherited by new files and subdirectories)
setfacl -d -m u::rwx,g::r-x,o::r-x foo/
# Set the directory's own (access) ACL to match
setfacl -m u::rwx,g::r-x,o::r-x foo/
Let's break this down:
- -d: Sets default ACLs (affects new items)
- -m: Modifies the ACL
- u::rwx: Owner gets rwx
- g::r-x: Group gets r-x
- o::r-x: Others get r-x
After setting the ACLs, create new test items:
cd foo
touch newfile
mkdir newdir
ls -l
You should see:
drwxr-xr-x 2 user group 4096 Jan 1 12:00 newdir
-rw-r--r-- 1 user group 0 Jan 1 12:00 newfile
For more granular control, you can specify different permissions for files and directories:
# Different permissions for files vs directories
setfacl -d -m u::rw-,g::r--,o::r-- foo/
setfacl -d -m d:u::rwx,d:g::r-x,d:o::r-x foo/
The d: prefix specifically targets directories in the default ACL.
To make these changes persistent across reboots, you might want to:
- Create a shell script in /etc/profile.d/
- Add the commands to your shell's rc file
- Use systemd-tmpfiles for system directories
For example, create /etc/profile.d/set_acl_for_foo.sh:
#!/bin/sh
setfacl -d -m u::rwx,g::r-x,o::r-x /path/to/foo
When your umask is set to 0077 (common for security-conscious users), all newly created files default to 0600 (-rw-------) and directories to 0700 (drwx------). This becomes problematic when you need specific directories to have different permission requirements.
Access Control Lists (ACLs) provide granular permission control beyond standard Unix permissions. To make all new files world-readable (0644) and directories world-readable/executable (0755) in directory foo:
# First, set the base ACL permissions
setfacl -d -m u::rwx,g::r-x,o::r-x foo/
# Then set the default mask
setfacl -d -m m::rwx foo/
# Verify the setup
getfacl foo/
The -d flag sets default ACLs that will propagate to new files/directories. The mask (m::rwx) ensures the maximum permissions available won't restrict our desired settings.
Create test files to verify:
cd foo
touch test_file.txt
mkdir test_dir
ls -l
Expected output:
drwxr-xr-x 2 user group 4096 Jul 15 10:00 test_dir
-rw-r--r-- 1 user group 0 Jul 15 10:00 test_file.txt
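The procedure both walkthroughs describe, as an added example that is not from the original page: it applies the same default entries under umask 0077, reads the resulting modes back with GNU stat, and a small predict_mode helper models the rule the kernel applies (requested mode ANDed with the default ACL entries, umask ignored), which is why one set of default entries yields 644 for files and 755 for directories. It assumes setfacl from the acl package, GNU stat, and an ACL-capable filesystem under mktemp's directory; demo_default_acl and predict_mode are names chosen here, not tools.

```shell
#!/bin/sh
# Added example: default ACLs versus a restrictive umask.
# Assumes setfacl from the acl package, GNU stat, and an ACL-capable
# filesystem under mktemp's directory (all assumptions about the host).

# Apply the page's default ACL to $1, create a file and a directory inside
# it under umask 0077, and print their octal modes as "<file> <dir>".
# Prints "skipped" when the host cannot demonstrate ACLs at all.
demo_default_acl() {
    dir=$1
    command -v setfacl >/dev/null 2>&1 || { echo skipped; return 0; }
    mkdir -p "$dir" || return 1
    # Default entries are inherited by new objects; the access entries are
    # set separately so the directory itself matches.
    if ! setfacl -d -m u::rwx,g::r-x,o::r-x "$dir" 2>/dev/null; then
        echo skipped; return 0   # filesystem mounted without ACL support
    fi
    setfacl -m u::rwx,g::r-x,o::r-x "$dir"
    (
        umask 0077               # would give 600 / 700 without the ACL
        : > "$dir/newfile"       # open(2) requests mode 0666
        mkdir "$dir/newdir"      # mkdir(2) requests mode 0777
    )
    # Kernel rule: mode = requested mode AND default ACL entries; the umask
    # is not consulted. Same entries, so file 644 and directory 755.
    echo "$(stat -c %a "$dir/newfile") $(stat -c %a "$dir/newdir")"
}

# Pure-shell model of that rule, runnable without ACL tools: prints the
# octal mode a new object gets from its requested mode, the umask, and the
# default ACL bits ("none" when the parent has no default ACL).
predict_mode() {
    requested=$1; mask=$2; acl_bits=$3
    if [ "$acl_bits" = none ]; then
        printf '%o\n' $(( 0$requested & ~0$mask & 0777 ))
    else
        printf '%o\n' $(( 0$requested & 0$acl_bits ))
    fi
}

# Usage: prints "644 755" on a host with ACL support.
tmp=$(mktemp -d) && demo_default_acl "$tmp/foo" && rm -rf "$tmp"
```

The default ACL is stored as an extended attribute on the directory itself, so it survives reboots on its own; a startup script is only needed if the directory gets recreated.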
- ACLs must be supported by your filesystem (ext3/4, xfs, etc.)
- Default ACLs don't affect existing files; use chmod for those
- For systems without ACL support, consider chmod g+s as an alternative
To make this persistent across reboots, add the commands to your startup scripts or create a systemd path unit that monitors the directory.