23

What is meant by mask and effective in the output from getfacl?

getfacl /var/www:

getfacl: Removing leading '/' from absolute path names
# file: var/www
# owner: Name
# group: Name
user::-wx
user:Test:rwx           #effective:r--
group::rw-              #effective:r--
mask::r--
other::rwx
Flyk
  • 1,480

2 Answers

26

ACLs are an extended set of permissions.

The POSIX permissions are that each file or directory has an owner, group, and other with read, write, and executable bits.

ACLs add additional access, or a "mask", and can be used to define additional groups/users and extended permissions.

So what you are seeing is the POSIX permissions + the ACL "mask", and when you put them together you get the effective access.

For example, if you have rwx POSIX permissions and ACL gives you r--, your effective permissions are read only.

If POSIX gives you r-- and ACL gives you rwx, your effective permissions are STILL RO.

So you are seeing the POSIX permissions, the ACL mask, and the result or effective permissions. You can then modify either the POSIX or ACL access as needed to give you the effective access you desire ;)

Table: Masking of Permissions

Entry type             Text form       Permissions
Named user             user:joe:r-x    r-x
Mask                   mask::rw-       rw-
Effective permissions                  r--

See

http://www.vanemery.com/Linux/ACL/POSIX_ACL_on_Linux.html

Especially the "Table: Masking of Permissions", which I tried to quote above, and the first section "How ACLs Work"

Panther
  • 102,067
  • I got the difference between POSIX and ACL: ACL means extended permissions for more users and groups. But what is the difference between mask and effective permissions? BTW the linked website does not exist. – Josef Klimuk Apr 23 '18 at 04:23
  • Effective permissions = POSIX permissions + ACL mask – Panther Apr 23 '18 at 15:52
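The masking rule behind the table (effective = entry AND mask, applied only to the group class: named users, named groups and the owning group) can be checked directly against getfacl's own "#effective:" annotations. The following script is an added example, not part of the answer above or of the acl package; it parses the getfacl output quoted in the question (embedded here as constructed input, with the "#" comment markers restored) and recomputes each entry's effective permissions. The function names (perm_bits, parse_getfacl, effective_permissions, annotation_mismatches) are the example's own; default ACL entries are deliberately not handled.

```python
"""Compute POSIX ACL effective permissions from getfacl(1) text output.

Added example: applies the rule from acl(5) that the mask bounds named users,
named groups and the owning group, while user:: (owner) and other:: are never
masked, and cross-checks it against the "#effective:" text getfacl prints.
"""
import re

# Constructed input: the getfacl output quoted in the question.
SAMPLE_GETFACL = """\
# file: var/www
# owner: Name
# group: Name
user::-wx
user:Test:rwx           #effective:r--
group::rw-              #effective:r--
mask::r--
other::rwx
"""

PERM_RE = re.compile(r"[r-][w-][x-]")


def perm_bits(text):
    """'r-x' -> 5: r=4, w=2, x=1, the same encoding as a chmod octal digit."""
    if not PERM_RE.fullmatch(text):
        raise ValueError(f"bad permission string: {text!r}")
    return (4 if text[0] == "r" else 0) | (2 if text[1] == "w" else 0) | (1 if text[2] == "x" else 0)


def perm_text(bits):
    """5 -> 'r-x'."""
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")


def parse_getfacl(output):
    """Return a list of (tag, qualifier, perms, annotated_effective_or_None).

    Header comments (# file:, # owner:, # group:), the "Removing leading '/'"
    warning and blank lines are skipped. Default ACL entries (default:...) are
    not handled in this example and are skipped as well.
    """
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        body, _, annotation = line.partition("#")      # "#effective:r--" trailer, if any
        parts = body.strip().split(":", 2)
        if len(parts) != 3 or parts[0] not in ("user", "group", "mask", "other"):
            continue
        tag, qualifier, perms = parts
        m = re.search(r"effective:([r-][w-][x-])", annotation)
        entries.append((tag, qualifier, perms, m.group(1) if m else None))
    return entries


def is_masked(tag, qualifier):
    """Only the group class is subject to the mask: named users, named groups
    and the owning group (group::). The owner (user::) and other:: are not."""
    return tag == "group" or (tag == "user" and qualifier != "")


def effective_permissions(output):
    """Map 'tag:qualifier' -> effective permission text for every ACL entry."""
    entries = parse_getfacl(output)
    mask = next((perm_bits(p) for t, _, p, _ in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms, _ in entries:
        bits = perm_bits(perms)
        if mask is not None and is_masked(tag, qualifier):
            bits &= mask                                 # effective = entry AND mask
        result[f"{tag}:{qualifier}"] = perm_text(bits)
    return result


def annotation_mismatches(output):
    """Cross-check getfacl's own '#effective:' annotations against the rule.

    Returns a list of (entry, annotated, computed); an empty list means the
    annotations agree with the computed values.
    """
    computed = effective_permissions(output)
    mismatches = []
    for tag, qualifier, _, annotated in parse_getfacl(output):
        key = f"{tag}:{qualifier}"
        if annotated is not None and annotated != computed[key]:
            mismatches.append((key, annotated, computed[key]))
    return mismatches


if __name__ == "__main__":
    for entry, eff in effective_permissions(SAMPLE_GETFACL).items():
        print(f"{entry:<12} effective {eff}")
    print("mismatches:", annotation_mismatches(SAMPLE_GETFACL))
```

Run against the question's output this reports user:Test and group:: as r-- (their rwx and rw- entries cut down by the r-- mask), while user:: keeps -wx and other:: keeps rwx untouched, which is exactly what the "#effective:" annotations say.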
1

It took me a little while to figure this out, so maybe this will be helpful.

Consider the output from ls -l. If you're familiar enough with POSIX, you'll be used to interpreting something like this:

drwxr-x--x 2 root plebs ...

  • The first letter is the type: d means it's a directory.
  • The next three are the owner's permissions: rwx means the owner can read, write and execute (search).
  • The "middle three" are the owning group's permissions: r-x means the group can read and execute (search) only.
  • The last three are the "other" or "world" permissions: --x means others can only execute (search).
  • There's a link count which isn't relevant to this discussion.
  • The owner (root) is named.
  • The owning group (plebs) is named.

When there's an ACL in effect, the "middle three" change: instead of being the owning group's permissions, they are the maximum permission that will be granted to a non-owner mentioned in the ACL.

For example, say I do this to the directory above:

setfacl --modify user:hero:7 thedir

That grants access rwx to hero, and now the ls -l output will look like:

drwxrwx--x+ 2 root plebs ...

The + indicates there's an ACL now.

I didn't change the permissions for the plebs group, and getfacl thedir will confirm it, showing something like this:

user::rwx
user:hero:rwx
group::r-x
mask::rwx
other::--x

The owning group still only has r-x permissions, but the thing showing in the "middle three" is actually the mask.

I can use ordinary chmod to change it.

chmod 751 thedir

And it looks like it worked in ls -l:

drwxr-x--x+ 2 root plebs ...

And getfacl thedir:

user::rwx
user:hero:rwx    #effective:r-x
group::r-x
mask::r-x
other::--x

Ah, look, because I changed the mask, which is the maximum permission that will be granted to a non-owner mentioned in the ACL, hero can't be given rwx permissions any more. Even though they have an rwx entry in the ACL, because the mask has been restricted, they can only get r-x (only r-x is effective).

The mask will only ever restrict permissions, it won't add them. Even when the mask was rwx before, the owning group still only got r-x permissions, in accordance with the ACL entry.

This behaviour is handy because the "middle three" give you an upper bound on the permissions granted in an ACL, and since ACLs are often used as ad-hoc groups, when they are in effect, they're often of more interest than the owning group.
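The interplay the answer walks through (setfacl recalculating the mask, chmod's middle digit editing the mask rather than the owning group, the mask only ever restricting) can be replayed without touching a filesystem. The following in-memory model is an added example, not code from the answer or from the acl package; the class and method names (AclDir, setfacl_modify_user, chmod, ls_mode, getfacl_lines, replay_answer) are the example's own. It assumes the documented behaviour of setfacl(1) without -n (mask recalculated as the union of the group-class entries after --modify) and of acl(5) (when a mask entry exists, the group bits of a chmod mode set the mask and group:: is left alone).

```python
"""In-memory model of how chmod and setfacl interact with the ACL mask.

Added example: replays the answer's sequence (751 directory owned by
root:plebs, setfacl --modify user:hero:7, chmod 751) on a modelled directory
and renders what ls -l and getfacl would show at each step.
"""


def text(bits):
    """5 -> 'r-x'."""
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")


class AclDir:
    """A directory's mode bits plus its extended ACL entries."""

    def __init__(self, mode, owner, group):
        self.owner, self.group = owner, group
        self.user = (mode >> 6) & 7       # user::  (owner, never masked)
        self.group_obj = (mode >> 3) & 7  # group:: (owning group, masked)
        self.other = mode & 7             # other:: (never masked)
        self.named_users = {}             # user:NAME: entries (masked)
        self.named_groups = {}            # group:NAME: entries (masked)
        self.mask = None                  # None = minimal ACL, no mask entry

    def _recalculate_mask(self):
        # setfacl(1) without -n: mask = union of all group-class entries
        self.mask = self.group_obj
        for bits in (*self.named_users.values(), *self.named_groups.values()):
            self.mask |= bits

    def setfacl_modify_user(self, name, bits):
        """setfacl --modify user:NAME:BITS (mask recalculated, as without -n)."""
        self.named_users[name] = bits
        self._recalculate_mask()

    def chmod(self, mode):
        """chmod MODE: once a mask exists, the middle digit edits the mask."""
        self.user = (mode >> 6) & 7
        if self.mask is None:
            self.group_obj = (mode >> 3) & 7
        else:
            self.mask = (mode >> 3) & 7   # group:: is left untouched
        self.other = mode & 7

    def effective(self, bits):
        """The mask only ever restricts: entry AND mask, never more than entry."""
        return bits if self.mask is None else bits & self.mask

    def ls_mode(self):
        """Mode column of ls -l: the 'middle three' show the mask when set."""
        middle = self.group_obj if self.mask is None else self.mask
        flag = "+" if self.mask is not None else ""
        return "d" + text(self.user) + text(middle) + text(self.other) + flag

    def _entry(self, prefix, bits):
        line = prefix + text(bits)
        if self.effective(bits) != bits:
            line += "\t#effective:" + text(self.effective(bits))
        return line

    def getfacl_lines(self):
        """ACL entries as getfacl prints them (header comments omitted)."""
        lines = ["user::" + text(self.user)]
        lines += [self._entry(f"user:{n}:", b) for n, b in self.named_users.items()]
        lines.append(self._entry("group::", self.group_obj))
        lines += [self._entry(f"group:{n}:", b) for n, b in self.named_groups.items()]
        if self.mask is not None:
            lines.append("mask::" + text(self.mask))
        lines.append("other::" + text(self.other))
        return lines


def replay_answer():
    """Walk through the answer's steps and record what each one shows."""
    d = AclDir(0o751, "root", "plebs")
    out = {"start": d.ls_mode()}
    d.setfacl_modify_user("hero", 7)             # rwx for hero; mask becomes rwx
    out["after setfacl"] = d.ls_mode()
    d.chmod(0o751)                               # edits the mask, not group::
    out["after chmod 751"] = d.ls_mode()
    out["getfacl after chmod 751"] = d.getfacl_lines()
    out["hero effective"] = text(d.effective(d.named_users["hero"]))
    d.chmod(0o771)                               # widening the mask adds nothing to plebs
    out["plebs after chmod 771"] = text(d.effective(d.group_obj))
    out["hero after chmod 771"] = text(d.effective(d.named_users["hero"]))
    return out


if __name__ == "__main__":
    for step, shown in replay_answer().items():
        print(f"{step:<24} {shown}")
```

The last two steps go one step beyond the answer: after chmod 771 the mask is back to rwx, hero is effectively rwx again, but plebs still gets only r-x because its own group:: entry never changed.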