When working with Linux Access Control Lists (ACLs), many administrators encounter the need to set different default permissions for newly created files versus directories. The standard setfacl tool doesn't explicitly differentiate between file and directory inheritance in its default rules.
From your example, we can see the current behavior:
# owner: root
# group: root
user::rwx
user:apache:r--
group::r--
mask::r-x
other::r--
default:user::r--
default:user:apache:r--
default:group::r--
default:mask::r--
default:other::r--
The capital X permission (execute only if directory) works for immediate permission setting but doesn't affect default permissions as you've discovered.
Here's how to achieve the desired behavior:
# First, set base permissions for the directory
setfacl -m u:apache:r-x .
# Then set different default permissions for files vs directories
setfacl -d -m u:apache:r-- .
setfacl -d -m d:u:apache:r-x .
The key is using the d: prefix in the second command, which specifically targets directory inheritance.
After applying these settings:
# Create test files
touch testfile
mkdir testdir
# Check resulting permissions
getfacl testfile
getfacl testdir
You should see:
# For files:
user:apache:r--
# For directories:
user:apache:r-x
For more complex scenarios, you can use:
setfacl -m default:file_inherit:u:apache:r-- .
setfacl -m default:dir_inherit:u:apache:r-x .
This explicitly separates file and directory inheritance rules.
Remember that:
- Umask settings still affect the final permissions
- The order of setfacl commands matters
- Always verify with getfacl after making changes
For system-wide consistency, consider implementing these settings through your configuration management system or in the directory creation scripts.
When working with Linux ACLs, one common requirement is to set different default permissions for newly created files versus directories. The standard ACL syntax doesn't directly support this differentiation, which leads to the scenario where either:
- Files get execute permissions when they shouldn't
- Directories lack execute permissions when they need them
From your example, we can see that even when using rX (capital X) in default ACLs, it doesn't behave as expected:
setfacl -dm u:apache:rX .
touch testfile
getfacl testfile
# Still shows r-x instead of r-- for files
The capital X permission only works when setting explicit ACLs, not default ACLs. This is because:
- Default ACLs apply at creation time, before the system knows if it's a file or directory
- The X flag's conditional behavior can't be evaluated during default ACL application
Here's how to properly implement this requirement:
# First set default directory permissions
setfacl -dm u:apache:r-x .
# Then set default file permissions (requires additional mask)
setfacl -dm u:apache:r-- .
setfacl -dm m::r-x .
Let's walk through a complete setup:
# Create test directory
mkdir testdir
cd testdir
# Set base permissions
chmod 755 .
chown root:root .
# Set default ACLs - directories will get r-x, files r--
setfacl -dm u:apache:r-x .
setfacl -dm u:apache:r-- .
setfacl -dm m::r-x .
# Verify the setup
getfacl .
# Test with actual files
mkdir subdir
touch testfile
# Check results
getfacl subdir
getfacl testfile
For more complex scenarios, combine ACLs with umask:
# Set restrictive umask for files
umask 027
# Then apply directory-friendly ACLs
setfacl -dm u:apache:r-x .
If permissions aren't applying as expected:
- Check if filesystem supports ACLs (mount | grep acl)
- Verify parent directory permissions
- Check for conflicting umask settings
- Test with different users to rule out session-specific issues
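Both answers above turn on what the kernel does with a default ACL at creation time, so here is an added worked example (editor's addition; it is not part of either answer and not code from the acl project) that models that rule instead of calling setfacl. It implements the inheritance algorithm from acl(5) ("Object creation and default ACLs"): the parent's default ACL is copied to the new object, and only the entries that stand in for the mode bits (owner, mask, other) are ANDed with the mode the creating call requested, 0666 for touch/open(O_CREAT) and 0777 for mkdir. The parent default ACL used (a single user:apache:r-x entry with mask::r-x) and the file names are constructed for the example. Running it shows why one default entry already yields an effective r-- on new files and r-x on new directories, that a tool creating files with an executable mode (install -m 0755) gives apache r-x, and that the umask is not applied at all once a default ACL exists.

```python
"""Model of what the Linux kernel does with a directory's default POSIX ACL
when a file or directory is created inside it (acl(5), section
"OBJECT CREATION AND DEFAULT ACLs"; fs/posix_acl.c, posix_acl_create).

Added example: this simulates the rule, it does not call setfacl/getfacl.
ACL entries are (tag, qualifier, perms) tuples; an empty qualifier means
the owning user / owning group, as in getfacl's "user::" and "group::".
"""

R, W, X = 4, 2, 1


def parse_perms(text):
    """'r-x' -> 5, 'rw-' -> 6."""
    return ((R if text[0] == "r" else 0)
            | (W if text[1] == "w" else 0)
            | (X if text[2] == "x" else 0))


def fmt_perms(perms):
    """5 -> 'r-x'."""
    return (("r" if perms & R else "-")
            + ("w" if perms & W else "-")
            + ("x" if perms & X else "-"))


def parse_entry(text):
    """'user:apache:r-x' -> ('user', 'apache', 5); 'mask::r-x' -> ('mask', '', 5)."""
    tag, qualifier, perms = text.split(":")
    return tag, qualifier, parse_perms(perms)


def create_object(default_acl, mode, umask, is_dir):
    """Return (access_acl, default_acl, mode) of the new object.

    default_acl: the parent's default ACL, [] if it has none.
    mode: the mode requested by the creating call, e.g. 0o666 for
          touch/open(O_CREAT), 0o777 for mkdir, 0o755 for `install -m 0755`.
    """
    if not default_acl:
        # No default ACL: ordinary Unix semantics, the umask strips bits.
        return [], [], mode & ~umask
    # A default ACL exists: the umask is ignored.  The default ACL is copied,
    # and only the entries that stand in for the mode bits (owner, mask if
    # present else owning group, other) are ANDed with the requested mode.
    # Named user/group entries are copied unchanged; the mask is what then
    # limits them.
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    access = []
    u = g = o = 0
    for tag, qual, perms in default_acl:
        if tag == "user" and qual == "":
            perms &= (mode >> 6) & 7
            u = perms
        elif tag == "mask":
            perms &= (mode >> 3) & 7
            g = perms
        elif tag == "group" and qual == "" and not has_mask:
            perms &= (mode >> 3) & 7
            g = perms
        elif tag == "other":
            perms &= mode & 7
            o = perms
        access.append((tag, qual, perms))
    # Only a new directory inherits the default ACL as its own default ACL.
    return access, (list(default_acl) if is_dir else []), (u << 6) | (g << 3) | o


def is_masked(tag, qualifier):
    """Entries the mask applies to: named users, named groups, owning group."""
    return (tag == "user" and qualifier != "") or tag == "group"


def effective(acl, tag, qualifier=""):
    """Rights the principal really gets (getfacl's '#effective:' value),
    or None if the ACL has no entry for it."""
    mask = next((p for t, _, p in acl if t == "mask"), 7)
    for t, q, p in acl:
        if t == tag and q == qualifier:
            return (p & mask) if is_masked(t, q) else p
    return None


def render(acl, path):
    """getfacl-style listing, annotating entries the mask cuts down."""
    mask = next((p for t, _, p in acl if t == "mask"), None)
    lines = ["# file: " + path]
    for t, q, p in acl:
        line = f"{t}:{q}:{fmt_perms(p)}"
        if mask is not None and is_masked(t, q) and (p & mask) != p:
            line = f"{line:<32}#effective:{fmt_perms(p & mask)}"
        lines.append(line)
    return "\n".join(lines)


# Constructed parent default ACL (assumption for this example): one default
# entry for apache, e.g. after `setfacl -dm u:apache:r-x .` on a 0755 directory.
PARENT_DEFAULT = [parse_entry(e) for e in (
    "user::rwx", "user:apache:r-x", "group::r-x", "mask::r-x", "other::r-x")]


def apache_rights(mode, is_dir, umask=0o022):
    """Effective rights apache gets on an object created with `mode`."""
    access, _, _ = create_object(PARENT_DEFAULT, mode, umask, is_dir)
    return fmt_perms(effective(access, "user", "apache"))


if __name__ == "__main__":
    for path, mode, is_dir in (("testfile", 0o666, False),
                               ("testdir", 0o777, True),
                               ("installed-script", 0o755, False)):
        access, _, new_mode = create_object(PARENT_DEFAULT, mode, 0o022, is_dir)
        print(render(access, path))
        print(f"# mode: {new_mode:04o}\n")
```

On a real system the same check is getfacl -e (all-effective) on the new object: the named entry is still listed as user:apache:r-x, but the #effective: column is what access checks use, and it is r-- on a file created with mode 0666. Two points from the model are worth keeping in mind when auditing: a program that creates files with an executable mode (install, some build tools) will hand out execute through the inherited entry, and a restrictive umask gives no protection under a directory that carries a default ACL, so the default other:: and mask:: entries must be set as tight as the policy requires.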