Thank you, Linda, for the extensive answer. Just some additional info before I reply to your questions: for my own tests I didn't use /tmp as the target because the sticky bit could do something special (not sure). Instead I used /srv/test, which I chown me:writers, set chmod -R u:rwX,g:srwX, then setfacl --set as needed, all this as root. The goal being to have a group writers with rwX, another group readers with rX on the tree and o:---, and to ignore source perms if any.

> What file system and core utils are you using?

My target file system is ext4 (default mount options include acl and user_xattr, coreutils is 8.21 & kernel is 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64 GNU/Linux with embedded acl support out of the box).

> Are you using a file system that has alternate user-data forks
> or extended attributes that have them included by default?
> Or are you using a file system where they were added on as a super-user
> control'd option? Have you tried copying them as root?

I know this:
from local, umask=0002
from ssh, umask=0022
no cp aliases, I just need/use the default, i.e. do-not-preserve-perms

All my tests below are run locally.
So I wrote a script that echoes each line:

sudo ~/acl.sh
0 mkdir -pv /srv/test
0 setfacl -bk /srv/test
0 rm -rf /srv/test/*
ownership of /srv/test was kept as me:writers
0 chown -Rv me:writers /srv/test
mode of /srv/test/ was changed from 2770 (rwxrws---) to 0000 (---------)
0 (removed all bits)
mode of /srv/test/ was changed from 0000 (---------) to 2770 (rwxrws---)
0 chmod -Rv u+rwX,g+srwX /srv/test
0 setfacl -R --set d:u::rwx,d:g::rwx,d:g:writers:rwx,d:u:reader:rx,d:g:reader:rx,d:o::---,d:m::rwx /srv/test
getfacl: remove first "/" out of absolute path names
# file: srv/test
USER me rwx rwx
user reader r-x
GROUP writers rwx rwx
group reader r-x
group writers rwx
mask rwx
other --- ---
0 setfacl -R --set u::rwX,g::rwX,u:reader:rX,g:writers:rwX,g:reader:rx,o::---,m::rwX /srv/test
getfacl: remove first "/" out of absolute path names
# file: srv/test
USER me rwx rwx
user reader r-x r-x
GROUP writers rwx rwx
group reader r-x r-x
group writers rwx rwx
mask rwx rwx
other --- ---

****So at the moment this last command shows all is alright****

**** Now, let's copy ****

me@pc:/srv$ cp -r /media/me/USPEED/200402/ /srv/test
me@pc:/srv$ getfacl -t /srv/test/200402/
getfacl: remove first "/" out of absolute path names
# file: srv/test/200402/
USER me rwx rwx
user reader R-X r-x
GROUP writers RWX rwx
group reader R-X r-x
group writers RWX rwx
mask --- rwx
other --- ---

***problems begin: default ACLs are kept OK (right perm column, ***
***but Access ACL are lost (capitalized in left column by -t are the denied perms because mask is lost, do not confuse with cap X in chmod)***
***only file owner can traverse, nobody else can)***

me@pc:/srv$ getfacl -t /srv/test/200402/P2220368.JPG
getfacl: remove first "/" out of absolute path names
# file: srv/test/200402/P2220368.JPG
USER me rw-
user reader r-X
GROUP writers rWX
group reader r-X
group writers rWX
mask r--
other ---

*** Here one sees writers lost the write perm, and reader could read if only he could traverse above***

Do the same by creation:

me@pc:/srv$ mkdir test/handdir
me@pc:/srv$ touch test/handdir/file
me@pc:/srv$ getfacl -Rt test/handdir/
# file: test/handdir/
USER me rwx rwx
user reader r-x r-x
GROUP writers rwx rwx
group reader r-x r-x
group writers rwx rwx
mask rwx rwx
other --- ---
# file: test/handdir//file
USER me rw-
user reader r-X
GROUP writers rwX
group reader r-X
group writers rwX
mask rw-
other ---

***all is OK this way***

> The reason I ask, is that I just tried it and it appears to work:
> 1) First the dir:
> > cd /tmp
> > llg -d /tmp
> drwxrwxrwt 25 root root 8192 Oct 7 02:21 /tmp/
> > lsacl /tmp
> [u::rwx,g::rwx,o::rwx] /tmp #default ACL from mode bits
>
> 2) Create file with 'touch'
> > touch x # new file
> Ishtar:/tmp> llg x
> -rw-rw-r-- 1 law lawgroup 0 Oct 7 02:26 x
> > lsacl
> [u::rw-,g::rw-,o::r--] x #default ACL
> ----
> 3) now I'll copy in a *directory* that has both types of ACL's on it, but
> not specifying that any permissions be copied:
>
> > ll -d /Media/Library/_artwork/test #source
> drwxrwsr-x+ 2 10 Oct 7 02:33 /Media/Library/_artwork/test/
> Ishtar:/tmp> lsacl /Media/Library/_artwork/test
> [u::rwx,u:Media:rwx,g::rwx,g:Media:rwx,m::rwx,
> o::r-x/u::rwx,u:Media:rwx,
> g::rwx, g:Media:rwx,m::rwx,o::r-x]
> /Media/Library/_artwork/test
> (note, 2nd acl is default dir (lsacl uses "chacl -l")
> Ishtar:/tmp> 'cp' -r /Media/Library/_artwork/test . #recursive to tmp
> Ishtar:/tmp> llg -d test
> drwxrwxr-x 2 law lawgroup 6 Oct 7 02:34 test/
> Ishtar:/tmp> lsacl test #no attr indicated
> [u::rwx,g::rwx,o::r-x] test #default ACL shown
> ----
> So far all seems fine.
>
> 4) Now lets copy the perms too:
> Ishtar:/tmp> rd test
> Ishtar:/tmp> 'cp' -a /Media/Library/_artwork/test .
> Ishtar:/tmp> llg -d test
> drwxrwsr-x+ 2 law Media 6 Oct 7 02:33 test/
> Ishtar:/tmp> lsacl test #same ACL as source
> [u::rwx,u:Media:rwx,g::rwx,g:Media:rwx,
> m::rwx,o::r-x/u::rwx,u:Media:rwx,g::rwx,
> g:Media:rwx,m::rwx,o::r-x]
> test
> 5) create file in that dir:
> Ishtar:/tmp> cd test
> Ishtar:/tmp/test> touch touched_file
> Ishtar:/tmp/test> llg touched_file
> -rw-rw-r--+ 1 law Media 0 Oct 7 02:42 touched_file
> Ishtar:/tmp/test> lsacl touched_file
> [u::rw-,u:Media:rwx,g::rwx,g:Media:rwx,m::rw-,o::r--] touched_file
> ---
> File has expected inherited ACL.
> 6) Now ... lets use cp to copy a file w/o acls in:
> (first create normal file under /tmp):
>
> > echo "perm test">/tmp/perm.txt
> Ishtar:/tmp/test> llg /tmp/perm.txt
> -rw-rw-r-- 1 law lawgroup 10 Oct 7 02:59 /tmp/perm.txt
> Ishtar:/tmp/test> lsacl /tmp/perm.txt
> [u::rw-,g::rw-,o::r--] /tmp/perm.txt
> > 'cp' /tmp/perm.txt .
> Ishtar:/tmp/test> llg perm.txt
> -rw-rw-r--+ 1 law Media 10 Oct 7 03:01 perm.txt
> Ishtar:/tmp/test> lsacl perm.txt
> [u::rw-,u:Media:rwx,g::rwx,g:Media:rwx,m::rw-,o::r--] perm.txt
>
> ----
> 8) Looks the same to me...However, check this out:
>
> Ishtar:/tmp/test> rm perm.txt
> Ishtar:/tmp/test> cp /tmp/perm.txt .
> Ishtar:/tmp/test> llg /tmp/perm.txt
> -rw-rw-r-- 1 law lawgroup 10 Oct 7 02:59 /tmp/perm.txt
> Ishtar:/tmp/test> lsacl perm.txt
>
> No acl this time, but same copy...or was it?
>
> Note I was careful to use 'cp' most of the time when copying except
> this last time, cuz:
> alias cp
> alias cp='cp --preserve=mode,timestamps'
>
> my normal cp is an alias -- that says to preserve the mode.
> It wouldn't be able to do that if it allowed the default ACL
> to be set on the file.
> --------------
> So, I don't know if this is related to your problem, but
> cp appears to be working correctly here
> filesystem = xfs (acls are always on as they came with the filesystem).
> kernel=
>
> Linux Ishtar 3.16.2-Isht-Van #1 SMP PREEMPT Tue Sep 9 18:26:43 PDT 2014
> x86_64 x86_64 x86_64 GNU/Linux
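
Added example, not part of the original message and not code from coreutils or the acl tools: the access check order from acl(5) applied to the three access ACLs reported above, showing why a mask of --- leaves only the file owner able to traverse the copied directory. The ACL strings are constructed from the getfacl -t listings in the message, and the user "alice" (a member of writers) is a hypothetical name.

```python
# Added example: effective rights under a POSIX ACL mask (acl(5) rules).
# ACL strings are constructed from the getfacl -t output quoted in the message.

def parse_acl(text):
    """Parse short-form ACL text such as 'u::rwx,u:reader:r-x,m::---,o::---'."""
    names = {"u": "user", "g": "group", "m": "mask", "o": "other"}
    entries = []
    for item in text.split(","):
        tag, qualifier, perms = item.strip().split(":")
        entries.append((names[tag[0]], qualifier, set(perms) - {"-"}))
    return entries

def effective(entries):
    """Return {(tag, qualifier): perms} with the mask applied where it applies."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    out = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        # The mask limits named users and every group entry, never u:: or o::.
        masked = (tag == "user" and qualifier) or tag == "group"
        out[(tag, qualifier)] = perms & mask if masked and mask is not None else perms
    return out

def can_access(acl_text, owner, owning_group, user, groups, want):
    """Access check in acl(5) order: owner, named user, groups, other."""
    eff = effective(parse_acl(acl_text))
    want = set(want)
    if user == owner:
        return want <= eff[("user", "")]
    if ("user", user) in eff:
        return want <= eff[("user", user)]
    matching = [p for (t, q), p in eff.items()
                if t == "group" and (q in groups or (q == "" and owning_group in groups))]
    if matching:
        return any(want <= p for p in matching)
    return want <= eff[("other", "")]

# Constructed from the listings: directory after cp -r, JPG after cp -r, mkdir'ed dir.
COPIED_DIR = "u::rwx,u:reader:r-x,g::rwx,g:reader:r-x,g:writers:rwx,m::---,o::---"
COPIED_FILE = "u::rw-,u:reader:r-x,g::rwx,g:reader:r-x,g:writers:rwx,m::r--,o::---"
CREATED_DIR = "u::rwx,u:reader:r-x,g::rwx,g:reader:r-x,g:writers:rwx,m::rwx,o::---"

if __name__ == "__main__":
    for label, acl in (("copied dir", COPIED_DIR), ("mkdir dir", CREATED_DIR)):
        # "alice" is a hypothetical member of group writers.
        print(label, "writers member may traverse:",
              can_access(acl, "me", "writers", "alice", {"writers"}, "x"))
```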