Saturday, December 29, 2012

More on Sticky bits and ACLs

I'm going through the tedious task of hardening our Linux servers for an upcoming FSO visit as well as tweaking our existing kickstart for future builds.  A LOT of documentation goes into our kickstarts so we can pick things out and know what has been set and in response to which IAVA requirement.  I wanted a really clear example of how to properly use sticky bits and setfacl so as to apply appropriate permissions when new files are created within a directory.  No point in setting the permissions on the current files if new ones can be created and bust the STIG, right?

Group ownership can be inherited by new files and folders created in /path/to/parent by setting the setgid bit on the directory with chmod g+s:
chmod g+s /path/to/parent

Now all new files and folders created under /path/to/parent get the same group as /path/to/parent itself, regardless of the creating user's primary group. New subdirectories also inherit the setgid bit, so the behaviour carries down the tree. Note that this is the setgid bit, not the sticky bit (chmod +t); the sticky bit does nothing for ownership and only restricts who may delete or rename entries in a world-writable directory such as /tmp.

Plain POSIX permission bits are not inherited from the directory: each new entry gets the mode requested by the creating process (typically 0666 for files and 0777 for directories) masked by that process's umask, and you cannot influence that from the directory side with chmod alone.
However, you can use a POSIX default ACL on the directory to achieve this. Set it with:
 
setfacl -d -m u::rwX,g::rwX,o::- /path/to/parent

This applies setfacl to the /path/to/parent directory: -d selects its default ACL, the entries that are applied to items created inside it later, and -m modifies those entries rather than replacing the whole list. When a directory has a default ACL the kernel ignores the umask for new entries and instead intersects the requested mode with the default ACL, so a file created with 0666 ends up rw-rw---- and a subdirectory created with 0777 ends up rwxrwx---, whatever the creating process's umask was. Uppercase X grants execute only to directories (or to files that already have an execute bit for some user), so regular files never pick up +x just because the directory has it. Verify the result with getfacl /path/to/parent, which lists the default entries prefixed with default:.

(If you also need to grant access to a specific account, add an entry such as g:somegroup:rwX, or u:someuser:rwX for a single user; prefer a group, since it is easier to maintain. Be aware that adding a named entry makes setfacl create a mask entry, and the effective permissions of the named and group entries are capped by that mask.)


Note that, at least with ext3/ext4, the filesystem must be mounted with the acl option, otherwise setfacl fails with "Operation not supported" and any existing ACLs are ignored. Many distributions already put acl in the filesystem's default mount options (check with tune2fs -l /dev/sdX | grep 'Default mount options', or just try a setfacl); if yours does not, remount with the option:
 
mount -o remount,acl /

Edit /etc/fstab (add acl to the options column for that filesystem) to make this permanent across reboots.
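Putting the setgid bit and the default ACL together, the following is an added example (not part of the original post) that builds two test directories, one with setgid only and one with setgid plus the default ACL, and then creates a file and a subdirectory in each under a wide-open umask to show what a careless process actually ends up with. It assumes a Linux host with the acl package installed and ACLs enabled on the filesystem holding /tmp; a temporary directory stands in for /path/to/parent and the caller's primary group for the shared group.

```shell
#!/bin/sh
# Added example, not from the original post: shared directory whose new
# entries inherit the group (setgid) and a restrictive mode (default ACL).
# Assumptions: acl package installed, ACL-capable filesystem under /tmp,
# the caller's primary group used as the shared group.
set -eu

# make_shared_dir DIR GROUP: create DIR owned by GROUP with mode 2770
# (rwxrws---): setgid so new entries inherit GROUP, others locked out.
make_shared_dir() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2770 "$1"
}

# add_default_acl DIR: default (-d) ACL applied to entries created later.
# Uppercase X grants execute only to directories (or files already +x),
# so files come out rw-rw---- and subdirectories rwxrwx---.
add_default_acl() {
    setfacl -d -m u::rwX,g::rwX,o::- "$1"
}

# probe DIR: create a file and a subdirectory under a permissive umask
# (the worst case a careless process can do) and print
# "<file mode> <file group> <dir mode> <dir group>" as stat reports them.
probe() {
    ( umask 000; : > "$1/newfile"; mkdir "$1/newdir" )
    printf '%s %s %s %s\n' \
        "$(stat -c %a "$1/newfile")" "$(stat -c %G "$1/newfile")" \
        "$(stat -c %a "$1/newdir")"  "$(stat -c %G "$1/newdir")"
}

# Demo: compare a setgid-only directory with a setgid + default-ACL one.
if command -v setfacl >/dev/null 2>&1; then
    top=$(mktemp -d)
    grp=$(id -gn)
    make_shared_dir "$top/setgid_only" "$grp"
    make_shared_dir "$top/hardened" "$grp"
    add_default_acl "$top/hardened"
    echo "setgid only : $(probe "$top/setgid_only")"   # group inherited, but modes 666 / 2777
    echo "with def ACL: $(probe "$top/hardened")"      # group inherited, modes 660 / 2770
    getfacl -p "$top/hardened/newdir"   # the subdirectory carries the default ACL onward
    rm -rf "$top"
else
    echo "setfacl not found: install the acl package" >&2
fi
```

The setgid-only directory shows the problem the post is about: the group is right, but a process running with umask 000 still drops world-readable and world-writable entries inside it. With the default ACL in place the same umask yields 660 for files and 2770 for subdirectories, and getfacl on the new subdirectory shows it inherited the default entries, so the protection survives as the tree grows.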