What is the exact purpose of `mask` in file system ACL?

Clash Royale CLAN TAG#URR8PPP

up vote
1
down vote

favorite

When I apply default ACL in a directory I see default:mask or just mask in the following two scenario.

Scenario 1

-bash-4.2$ ls -ld test/
 drwxr-x---. 2 test test 4096 Oct 15 19:12 test/

-bash-4.2$ setfacl -d -m u:arif:rwx test/

-bash-4.2$ getfacl --omit-header test
 user::rwx
 group::r-x
 other::---
 default:user::rwx
 default:user:arif:rwx
 default:group::r-x
 default:mask::rwx
 default:other::---

Scenario 2

-bash-4.2$ ls -dl dir/
 drwxr-x---. 2 test test 4096 Oct 15 18:17 dir/

-bash-4.2$ getfacl dir
 # file: dir
 # owner: test
 # group: test
 user::rwx
 group::r-x
 other::---

-bash-4.2$ setfacl -m user:arif:rwx dir

-bash-4.2$ getfacl --omit-header dir
 user::rwx
 user:arif:rwx
 group::r-x
 mask::rwx
 other::---

So what is the purpose of mask here?

linux permissions acl umask

share|improve this question

asked 3 hours ago

muhammad

514514

add a comment | 

up vote
1
down vote

favorite

When I apply default ACL in a directory I see default:mask or just mask in the following two scenario.

Scenario 1

-bash-4.2$ ls -ld test/
 drwxr-x---. 2 test test 4096 Oct 15 19:12 test/

-bash-4.2$ setfacl -d -m u:arif:rwx test/

-bash-4.2$ getfacl --omit-header test
 user::rwx
 group::r-x
 other::---
 default:user::rwx
 default:user:arif:rwx
 default:group::r-x
 default:mask::rwx
 default:other::---

Scenario 2

-bash-4.2$ ls -dl dir/
 drwxr-x---. 2 test test 4096 Oct 15 18:17 dir/

-bash-4.2$ getfacl dir
 # file: dir
 # owner: test
 # group: test
 user::rwx
 group::r-x
 other::---

-bash-4.2$ setfacl -m user:arif:rwx dir

-bash-4.2$ getfacl --omit-header dir
 user::rwx
 user:arif:rwx
 group::r-x
 mask::rwx
 other::---

So what is the purpose of mask here?

linux permissions acl umask

share|improve this question

asked 3 hours ago

muhammad

514514

add a comment | 

up vote
1
down vote

favorite

up vote
1
down vote

favorite

When I apply default ACL in a directory I see default:mask or just mask in the following two scenario.

Scenario 1

-bash-4.2$ ls -ld test/
 drwxr-x---. 2 test test 4096 Oct 15 19:12 test/

-bash-4.2$ setfacl -d -m u:arif:rwx test/

-bash-4.2$ getfacl --omit-header test
 user::rwx
 group::r-x
 other::---
 default:user::rwx
 default:user:arif:rwx
 default:group::r-x
 default:mask::rwx
 default:other::---

Scenario 2

-bash-4.2$ ls -dl dir/
 drwxr-x---. 2 test test 4096 Oct 15 18:17 dir/

-bash-4.2$ getfacl dir
 # file: dir
 # owner: test
 # group: test
 user::rwx
 group::r-x
 other::---

-bash-4.2$ setfacl -m user:arif:rwx dir

-bash-4.2$ getfacl --omit-header dir
 user::rwx
 user:arif:rwx
 group::r-x
 mask::rwx
 other::---

So what is the purpose of mask here?

linux permissions acl umask

share|improve this question

asked 3 hours ago

muhammad

514514

When I apply default ACL in a directory I see default:mask or just mask in the following two scenario.

Scenario 1

-bash-4.2$ ls -ld test/
 drwxr-x---. 2 test test 4096 Oct 15 19:12 test/

-bash-4.2$ setfacl -d -m u:arif:rwx test/

-bash-4.2$ getfacl --omit-header test
 user::rwx
 group::r-x
 other::---
 default:user::rwx
 default:user:arif:rwx
 default:group::r-x
 default:mask::rwx
 default:other::---

Scenario 2

-bash-4.2$ ls -dl dir/
 drwxr-x---. 2 test test 4096 Oct 15 18:17 dir/

-bash-4.2$ getfacl dir
 # file: dir
 # owner: test
 # group: test
 user::rwx
 group::r-x
 other::---

-bash-4.2$ setfacl -m user:arif:rwx dir

-bash-4.2$ getfacl --omit-header dir
 user::rwx
 user:arif:rwx
 group::r-x
 mask::rwx
 other::---

So what is the purpose of mask here?

linux permissions acl umask

linux permissions acl umask

share|improve this question

asked 3 hours ago

muhammad

514514

share|improve this question

asked 3 hours ago

muhammad

514514

share|improve this question

share|improve this question

asked 3 hours ago

muhammad

514514

asked 3 hours ago

muhammad

514514

asked 3 hours ago

muhammad

514514

514514

add a comment | 

add a comment | 

1 Answer
1

active

oldest

votes

up vote
4
down vote

According to acl man
ACL Mask denotes access rights that can be granted by entries of type, so the mask contain information about access permissions. In ACL there are an extended set of permissions.

For example, In POSIX each file or directory has an owner, group, and other with read, write, and executable permissions. While ACL add additional access permissions, called "mask" and can be used to define additional groups/users and extended permissions.

So the mask field here only applies to the additional permissions you have given to the user and groups. If the mask is set to rwx the read, write and execute permissions will be granted to additional user/groups. If the mask is set to r-x, the write permission will not be granted to additional user/groups.In general, it is recommended not to set mask to anything other than rwx which is the default value. The mask value doesn't affect the standard UNIX user/group/others permissions.

Scenario #1 above represent file permissions, and scenario #2 is for folder permissions.
At the kernel level, file creation passes code 0666 to touch system call, and it passes code 0777 to mkdir system call during folder creation, and this way permissions are set to files and folders differently. This difference in the setup of permissions at the kernel level make folders and files behave differently, meaning a folder can inherit its permissions from a parent folder, but a file can't, for example, we need to set a file permissions to make it executable.

More 1 2

share|improve this answer

edited 2 hours ago

answered 3 hours ago

Goro

9,54164689

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f475698%2fwhat-is-the-exact-purpose-of-mask-in-file-system-acl%23new-answer', 'question_page');

);

Post as a guest

Name Email

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
4
down vote

According to acl man
ACL Mask denotes access rights that can be granted by entries of type, so the mask contain information about access permissions. In ACL there are an extended set of permissions.

For example, In POSIX each file or directory has an owner, group, and other with read, write, and executable permissions. While ACL add additional access permissions, called "mask" and can be used to define additional groups/users and extended permissions.

So the mask field here only applies to the additional permissions you have given to the user and groups. If the mask is set to rwx the read, write and execute permissions will be granted to additional user/groups. If the mask is set to r-x, the write permission will not be granted to additional user/groups.In general, it is recommended not to set mask to anything other than rwx which is the default value. The mask value doesn't affect the standard UNIX user/group/others permissions.

Scenario #1 above represent file permissions, and scenario #2 is for folder permissions.
At the kernel level, file creation passes code 0666 to touch system call, and it passes code 0777 to mkdir system call during folder creation, and this way permissions are set to files and folders differently. This difference in the setup of permissions at the kernel level make folders and files behave differently, meaning a folder can inherit its permissions from a parent folder, but a file can't, for example, we need to set a file permissions to make it executable.

More 1 2

share|improve this answer

edited 2 hours ago

answered 3 hours ago

Goro

9,54164689

add a comment | 

up vote
4
down vote

According to acl man
ACL Mask denotes access rights that can be granted by entries of type, so the mask contain information about access permissions. In ACL there are an extended set of permissions.

For example, In POSIX each file or directory has an owner, group, and other with read, write, and executable permissions. While ACL add additional access permissions, called "mask" and can be used to define additional groups/users and extended permissions.

So the mask field here only applies to the additional permissions you have given to the user and groups. If the mask is set to rwx the read, write and execute permissions will be granted to additional user/groups. If the mask is set to r-x, the write permission will not be granted to additional user/groups.In general, it is recommended not to set mask to anything other than rwx which is the default value. The mask value doesn't affect the standard UNIX user/group/others permissions.

Scenario #1 above represent file permissions, and scenario #2 is for folder permissions.
At the kernel level, file creation passes code 0666 to touch system call, and it passes code 0777 to mkdir system call during folder creation, and this way permissions are set to files and folders differently. This difference in the setup of permissions at the kernel level make folders and files behave differently, meaning a folder can inherit its permissions from a parent folder, but a file can't, for example, we need to set a file permissions to make it executable.

More 1 2

share|improve this answer

edited 2 hours ago

answered 3 hours ago

Goro

9,54164689

add a comment | 

up vote
4
down vote

up vote
4
down vote

According to acl man
ACL Mask denotes access rights that can be granted by entries of type, so the mask contain information about access permissions. In ACL there are an extended set of permissions.

For example, In POSIX each file or directory has an owner, group, and other with read, write, and executable permissions. While ACL add additional access permissions, called "mask" and can be used to define additional groups/users and extended permissions.

So the mask field here only applies to the additional permissions you have given to the user and groups. If the mask is set to rwx the read, write and execute permissions will be granted to additional user/groups. If the mask is set to r-x, the write permission will not be granted to additional user/groups.In general, it is recommended not to set mask to anything other than rwx which is the default value. The mask value doesn't affect the standard UNIX user/group/others permissions.

Scenario #1 above represent file permissions, and scenario #2 is for folder permissions.
At the kernel level, file creation passes code 0666 to touch system call, and it passes code 0777 to mkdir system call during folder creation, and this way permissions are set to files and folders differently. This difference in the setup of permissions at the kernel level make folders and files behave differently, meaning a folder can inherit its permissions from a parent folder, but a file can't, for example, we need to set a file permissions to make it executable.

More 1 2

share|improve this answer

edited 2 hours ago

answered 3 hours ago

Goro

9,54164689

According to acl man
ACL Mask denotes access rights that can be granted by entries of type, so the mask contain information about access permissions. In ACL there are an extended set of permissions.

For example, In POSIX each file or directory has an owner, group, and other with read, write, and executable permissions. While ACL add additional access permissions, called "mask" and can be used to define additional groups/users and extended permissions.

So the mask field here only applies to the additional permissions you have given to the user and groups. If the mask is set to rwx the read, write and execute permissions will be granted to additional user/groups. If the mask is set to r-x, the write permission will not be granted to additional user/groups.In general, it is recommended not to set mask to anything other than rwx which is the default value. The mask value doesn't affect the standard UNIX user/group/others permissions.

Scenario #1 above represent file permissions, and scenario #2 is for folder permissions.
At the kernel level, file creation passes code 0666 to touch system call, and it passes code 0777 to mkdir system call during folder creation, and this way permissions are set to files and folders differently. This difference in the setup of permissions at the kernel level make folders and files behave differently, meaning a folder can inherit its permissions from a parent folder, but a file can't, for example, we need to set a file permissions to make it executable.

More 1 2

share|improve this answer

edited 2 hours ago

answered 3 hours ago

Goro

9,54164689

share|improve this answer

share|improve this answer

edited 2 hours ago

edited 2 hours ago

edited 2 hours ago

answered 3 hours ago

Goro

9,54164689

answered 3 hours ago

Goro

9,54164689

answered 3 hours ago

Goro

9,54164689

9,54164689

add a comment | 

add a comment | 

 

draft saved

draft discarded

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f475698%2fwhat-is-the-exact-purpose-of-mask-in-file-system-acl%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email