Discrepancy with the output of `ls -al` and `getfacl`

I have run the following script to set permissions into /etc/nginx



#!/usr/bin/env bash

sudo chown -R root:root /etc/nginx
sudo chmod -R 0750 /etc/nginx
sudo setfacl -Rbk -m g:hugo:rwx /etc/nginx
sudo setfacl -R --mask -m g:www-data:rx /etc/nginx


However, when I check the permissions afterwards there is a discrepancy in the results for the 'group' of ls -al and getfacl



$ ls -al /etc/nginx
total 24
drwxrwx---+ 5 root root 4096 Mar 18 17:07 .



$ getfacl /etc/nginx
getfacl: Removing leading '/' from absolute path names
# file: etc/nginx
# owner: root
# group: root
user::rwx
group::r-x
group:www-data:r-x
group:hugo:rwx
mask::rwx
other::---


Why?










  • Because ls -l doesn't show access control list attributes. It merely shows their pure existence by means of the + sign. That is: whenever you see a + in the permissions, issue getfacl afterwards.
    – PerlDuck
    Mar 18 at 17:26







  • Doesn't getfacl list the POSIX permissions too though? Isn't that what group::r-x is in the output?
    – Hugo
    Mar 18 at 17:33














chmod acl 18.04






asked Mar 18 at 17:17









Hugo

1 Answer
accepted










What you see with ls is the mask entry of the ACL. From man setfacl, the mask entry seems to reflect the maximum possible permissions that can be set on an ACL entry.




the permissions of the mask entry are further adjusted to include the union of all permissions affected by the mask entry




The access rights you see in your example with ls for the default group root:rwx are wrong as the effective rights are now controlled by the ACLs.






  • Crazy stuff, I guess it's meant to do that?
    – Hugo
    Mar 18 at 22:20










answered Mar 18 at 18:08









Thomas
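
An added example, not part of the original question or answer: it parses the getfacl output quoted in the question and models the rule under discussion, namely that once an ACL has a mask entry, the group triplet printed by ls is the mask, while each named entry's effective rights are its own permissions ANDed with that mask. The function names are chosen here for illustration.

```python
# Added example: how ls derives its group triplet from a POSIX ACL.
# Sample input copied from the getfacl output in the question.
GETFACL_OUTPUT = """\
# file: etc/nginx
# owner: root
# group: root
user::rwx
group::r-x
group:www-data:r-x
group:hugo:rwx
mask::rwx
other::---
"""

def parse_acl(text):
    """Return {(tag, qualifier): set_of_perms} from getfacl text output."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if line:
            tag, qualifier, perms = line.split(":")
            acl[(tag, qualifier)] = set(perms) - {"-"}
    return acl

def fmt(perms):
    return "".join(c if c in perms else "-" for c in "rwx")

def masked_entries(acl):
    """Entries the mask governs: owning group, named users, named groups."""
    return {k: p for k, p in acl.items() if k[0] == "group" or (k[0] == "user" and k[1])}

def recalculated_mask(acl):
    """Mask as setfacl recomputes it: the union of all mask-governed entries."""
    return set().union(*masked_entries(acl).values())

def ls_mode(acl):
    """Triplets as ls prints them; with a mask present the group slot is the mask."""
    group_slot = acl.get(("mask", ""), acl[("group", "")])
    plus = "+" if any(q for _, q in acl) else ""
    return fmt(acl[("user", "")]) + fmt(group_slot) + fmt(acl[("other", "")]) + plus

def effective(acl):
    """Rights actually granted: each governed entry ANDed with the mask."""
    mask = acl.get(("mask", ""))
    return {f"{t}:{q}": fmt(p if mask is None else p & mask)
            for (t, q), p in masked_entries(acl).items()}

if __name__ == "__main__":
    acl = parse_acl(GETFACL_OUTPUT)
    print("ls shows:", ls_mode(acl))
    print("mask from union:", fmt(recalculated_mask(acl)))
    print("effective:", effective(acl))
```

Members of the owning group root still get only r-x here, even though ls prints rwx in the group slot; tightening the mask to r-x would cap group:hugo at r-x as well.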
