From: Rob
Date: Mon, 8 Mar 2010 23:11:03 +1030
To: freebsd-questions@freebsd.org
Message-Id: <4A9C0B24-04BA-418D-81B6-99897FCC9E16@deathbeforedecaf.net>
Subject: ACLs, umask and shared directories
List-Id: User questions

Hi Folks,

I need to give a group of users write access to a shared directory. The problem is, when one user creates a file,

    www1$ touch file1
    www1$ ll
    total 8
    drwxrwxr-x  2 root  domain_users  512 Mar  8 03:11 .
    drwxr-xr-x  4 root  wheel         512 Mar  8 03:10 ..
    -rw-r--r--  1 www1  domain_users    0 Mar  8 03:11 file1

other users can't edit it.

Solution 1
----------

Change everyone's umask to 002. Unfortunately, these users are defined in Active Directory and they're all in the same primary group - 002 is not secure in this scenario.

Solution 2
----------

Set a default ACL on the parent directory,

    www1$ getfacl -d .
    # file: .
    # owner: root
    # group: domain_users
    user::rwx
    group::rwx
    mask::rwx
    other::r-x

but it doesn't have the desired effect,

    www1$ touch file1
    www1$ getfacl file1
    # file: file1
    # owner: www1
    # group: domain_users
    user::rw-
    group::rwx          # effective: r--
    mask::r--
    other::r--

as the umask seems to override it - this was confirmed by Robert Watson[1] in 2005.

So does anyone have a better idea?

Thanks
Rob.

[1] http://lists.freebsd.org/pipermail/freebsd-fs/2005-October/001382.html
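An added example, not from the mail above or from FreeBSD's own code, that models in Python how a new file's ACL is derived from the directory's default ACL: under the POSIX.1e rule the program's creation mode (0666 for touch) is ANDed into the user::, mask:: and other:: entries and the umask is not applied, whereas the behaviour reported in the mail is modelled here (an assumption) as the umask being applied to the creation mode first, which is what turns mask::rwx into mask::r-- and leaves the group with an effective r--.

```python
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perms_to_int(s):  # 'rw-' -> 6
    return sum(PERM_BITS[c] for c in s if c != "-")

def int_to_perms(n):  # 6 -> 'rw-'
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())

def parse_acl(text):
    """Parse getfacl-style 'tag:qualifier:perms' lines into [(tag, qualifier, perms_int)]."""
    entries = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()  # drop '# file:' headers and '# effective:' notes
        if line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, perms_to_int(perms)))
    return entries

def inherit_acl(default_acl, create_mode, umask, policy):
    """ACL of a file created under default_acl with creation mode create_mode (0o666 for touch).
    "posix1e": the mode is ANDed into user::, mask:: (group:: if no mask) and other::,
    umask ignored.  "umask_first" (assumed model of the behaviour reported in the mail):
    the umask is applied to the mode before that AND."""
    mode = create_mode & ~umask if policy == "umask_first" else create_mode
    user_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    result = []
    for tag, qual, perms in default_acl:
        if tag == "user" and qual == "":
            perms &= user_bits
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            perms &= group_bits
        elif tag == "other":
            perms &= other_bits
        result.append((tag, qual, perms))
    return result

def effective_group(acl):
    """Effective group:: permissions: the group bits ANDed with the mask entry, if any."""
    perms = {(t, q): p for t, q, p in acl}
    return int_to_perms(perms[("group", "")] & perms.get(("mask", ""), 7))

def format_acl(acl):
    return "\n".join(f"{t}:{q}:{int_to_perms(p)}" for t, q, p in acl)

# Default ACL exactly as `getfacl -d .` printed it in the mail.
DEFAULT_ACL = parse_acl("user::rwx\ngroup::rwx\nmask::rwx\nother::r-x")
```

Calling inherit_acl(DEFAULT_ACL, 0o666, 0o022, "umask_first") reproduces the file1 ACL from the mail (mask::r--, effective group r--), while the "posix1e" policy yields mask::rw- and an effective group of rw-.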