
I have a folder /stuff that is owned by root:stuff with setgid set so all new folders have group set to stuff.

I want it so:

  • New files have rw-rw----:
    • User: read and write
    • Group: read and write
    • Other: none
  • New folders have rwxrwx---:
    • User: read, write, and execute
    • Group: read, write, and execute
    • Other: none

If I set default ACLs with setfacl then it seems to apply to both files and folders. For me, this is fine for Other since both files and folders get no permissions:

setfacl -d -m o::--- /stuff

But what do I do for User and Group? If I do something like above then it will be set on all files and folders.

And I can't use umask.

I have a shared drive. I am trying to make it so folks in stuff can read/write/execute but nobody else (Other) can. And I want to make sure that by default files do not get the execute bit set, regardless of what the account's umask is.

IMTheNachoMan
  • If the only difference is the execute bit, then look into `X` instead of `x` as the mode. – muru Dec 15 '20 at 17:00

1 Answer

There is no way to differentiate between files and directories using setfacl only. Instead, you can work around the issue by using inotify-tools to detect newly created files/dirs, then apply the correct ACLs to each one recursively:

1- You have to install inotify-tools package first.

2- Recover the default /stuff directory ACLs

sudo setfacl -bn /stuff

3- SetGID

sudo chmod g+s /stuff

4- Execute the following script in the background for testing purposes; for a permanent solution, wrap it in a service.

#!/bin/bash
# Watch /stuff (and, with -r, every subdirectory, including ones created
# later) and apply the per-type ACL to each new entry. Note the short window
# between the event and setfacl in which the entry still has the mode its
# creator gave it.
sudo inotifywait -m -r -e create -e moved_to --format '%w%f' /stuff | while IFS= read -r NEW
do
    # when a new dir is created
    if [ -d "$NEW" ]; then
        sudo setfacl -m u::rwx,g::rwx "$NEW"
    # when a new file is created
    elif [ -f "$NEW" ]; then
        sudo setfacl -m u::rw,g::rw "$NEW"
    fi
    # setting no permissions for others
    sudo setfacl -m o::--- "$NEW"
done
Reda Salih
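Added example (not code from the question, the answer or muru's comment): a bash script that shows, in one place, what the default ACL approach from the question actually produces, what the comment's `X` mode does and does not do, and a per-type sweep that enforces rw-rw---- on files and rwxrwx--- on directories, which is the same job the inotify loop above does but in a rerunnable form. It assumes Linux with GNU coreutils (for `stat -c`), and for `apply_default_acl` an installed acl package and a filesystem mounted with ACL support; the directory it operates on is whatever path you pass in, /stuff being one example.

```bash
#!/usr/bin/env bash
# Added example, not code from the question or the answer. Assumes Linux with
# GNU coreutils (stat -c), and for apply_default_acl the acl package plus a
# filesystem mounted with ACL support. Paths are whatever you pass in; the
# original /stuff is only one possible argument.
set -eu

# Default ACL on the shared directory. Two kernel rules make this behave well
# for most creates: (1) when a directory carries a default ACL, the creating
# process's umask is ignored; (2) the inherited u::/g::/o:: bits are ANDed
# with the mode the creating call asked for: 0666 for open/creat in most
# tools, 0777 for mkdir. So u::rwx,g::rwx yields rw-rw---- for ordinary files
# but rwxrwx--- for directories, with o::--- either way.
apply_default_acl() {
    local dir=$1
    chmod g+s "$dir"                             # subdirectories inherit the group
    setfacl -d -m u::rwx,g::rwx,o::--- "$dir"    # inherited by new entries
}

# The comment's suggestion: X adds execute only to directories and to files
# that already have some execute bit. It never removes x from a file, so an
# executable that was created with 0777 (or chmod'ed later) keeps it.
chmod_big_x() {
    chmod -R u=rwX,g=rwX,o= "$1"
}

# Per-type sweep: the one thing neither the default ACL nor X can do is strip
# x from files, so split on -type. Safe to rerun; usable from cron or as the
# body of an inotifywait loop. Numeric 2770 also (re)sets setgid on directories.
normalize_tree() {
    local root=$1
    find "$root" -type d ! -perm 2770 -exec chmod 2770 {} +
    find "$root" -type f ! -perm 0660 -exec chmod 0660 {} +
}

# Octal mode of a path, e.g. 2770 or 660 (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}
```

The default ACL alone already gives rw-rw---- to files created through open(2)/creat(2) with the usual 0666 and rwxrwx--- to mkdir(2) results, whatever the umask; what it cannot stop is a program that creates with 0777 or calls chmod(2) itself (linkers producing executables, `install -m`), which is the case the sweep, or the inotify handler above, exists for.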