Checking if acl is enabled on btrfs - and enabling if not

Hello,
I am trying to set up a shared directory, that is a directory where all content is shared among selected local users so that everyone can create, move and delete as needed.

I followed this guide first, "How to create a Shared Folder between two Local User in Linux? - GeeksforGeeks" (there are many identical guides on other websites), but it became immediately clear that any file copied from other directories to the shared directory would keep the original permissions and ownership.

So after reading more on the subject I came to the conclusion that ACL is needed to make sure that all selected users are actually able to operate on files and directories (this may be wrong in itself, comments welcome of course).

After setting up the needed setfacl commands

sudo setfacl -m g:sharegroup:rwx /home/shared

I am getting the same results as before, so I checked and apparently my BTRFS volume doesn’t have ACL enabled? This is the output from mount:

[steko@localhost]~% mount              
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
devtmpfs on /dev type devtmpfs (rw,nosuid,seclabel,size=4096k,nr_inodes=1048576,mode=755,inode64)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,size=1602136k,nr_inodes=819200,mode=755,inode64)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel,nsdelegate,memory_recursiveprot)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime,seclabel)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
/dev/sda3 on / type btrfs (rw,relatime,seclabel,compress=zstd:1,ssd,space_cache,subvolid=257,subvol=/root)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,nosuid,noexec,relatime)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=35,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=17913)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime,seclabel)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime,seclabel)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,seclabel,pagesize=2M)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime,seclabel)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,seclabel,nr_inodes=1048576,inode64)
/dev/sda3 on /home type btrfs (rw,relatime,seclabel,compress=zstd:1,ssd,space_cache,subvolid=256,subvol=/home)
/dev/sda2 on /boot type ext4 (rw,relatime,seclabel)
/dev/sda1 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=801064k,nr_inodes=200266,mode=700,uid=1000,gid=1000,inode64)
gvfsd-fuse on /run/user/1000/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)

Is ACL really disabled? How can I enable it if needed? Thank you

acl is the default for btrfs so acls should be enabled by default and it may not show in mount output.

What does getfacl /home/shared show? Does it show the acl you configured? If so, it should be supported.

Thank you for the clarification about acl being default for btrfs, this is the output from getfacl:

[steko@localhost]~% getfacl /home/shared 
getfacl: Removing leading '/' from absolute path names
# file: home/shared
# owner: root
# group: sharegroup
# flags: ss-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:sharegroup:rwx
default:mask::rwx
default:other::---

Looks fine. What is not working?

An example: “Auto” is a sub-directory that was there before applying any ACL settings:

[elisa@localhost shared]$ getfacl Auto/
# file: Auto/
# owner: steko
# group: steko
# flags: -s-
user::rwx
group::rwx
other::---

With a user other than “steko”, in Nautilus the folder icon is shown with both a lock and an X icon, and when trying to copy the folder with Nautilus, the user gets the error message “it is impossible to read the folder contents”.

It has been a long time since I needed to use acls but I don’t think they work like that.

Setting an acl on /home/shared only impacts that directory. Not all the files/directories that were in it previously. You can use -R to apply the acl to /home/shared and everything inside it.

Thank you, this step with -R was not immediately clear from the documentation I found (that is not Fedora specific, by the way).
Do you think this would need to be repeated every time a new sub-directory is copied into the main /home/shared directory?

Generally copied files get new permissions but it depends how you copy them. You would have to test to see if during a copy operation the acls get inherited by the new files.

Newly copied from user A with Nautilus looks good from user B (who successfully deleted the directory afterwards):

[elisa@localhost shared]$ getfacl new_subfolder/
# file: new_subfolder/
# owner: steko
# group: sharegroup
user::rwx
group::rwx
group:sharegroup:rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:group:sharegroup:rwx
default:mask::rwx
default:other::---
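Added example, not part of the thread: a small auditor for `getfacl` output that reports directories where the shared group lacks rwx access, where no default ACL entry exists for it (so new content will not inherit it), or where `other` can write. The names `audit_acl` and `sample_listing` are hypothetical, and the sample input is an abridged copy of the two listings posted above.

```shell
# audit_acl GROUP: read getfacl output for directories on stdin and print
# one line per finding that breaks or over-widens sharing for GROUP.
audit_acl() {
    awk -v grp="$1" '
    function report(   ok) {
        if (path == "") return
        # GROUP needs rwx as owning group or named entry, not cut by the mask.
        ok = ((ogrp == grp && gperm == "rwx") || named == "rwx") &&
             (mask == "" || mask == "rwx")
        if (!ok)         print path ": no rwx access for group " grp
        if (!dflt)       print path ": no default ACL entry for group " grp
        if (other ~ /w/) print path ": writable by other (" other ")"
    }
    /^# file: /  { report(); path = substr($0, 9)
                   ogrp = gperm = named = mask = other = ""; dflt = 0; next }
    /^# group: / { ogrp = substr($0, 10); next }
    /^#/ || /^$/ { next }
    {
        sub(/[ \t]+#.*$/, "")    # drop "#effective:" annotations
        n = split($0, f, ":")
        if (n == 4 && f[1] == "default") {
            if (f[2] == "group" && f[3] == grp && f[4] == "rwx") dflt = 1
        } else if (f[1] == "group" && f[2] == "") gperm = f[3]
        else if (f[1] == "group" && f[2] == grp)  named = f[3]
        else if (f[1] == "mask")                  mask  = f[3]
        else if (f[1] == "other")                 other = f[3]
    }
    END { report() }'
}

# Abridged getfacl listings from the thread (owner and flags lines dropped).
sample_listing() { cat <<'EOF'
# file: Auto/
# group: steko
user::rwx
group::rwx
other::---

# file: new_subfolder/
# group: sharegroup
user::rwx
group::rwx
group:sharegroup:rwx
mask::rwx
other::rwx
default:group:sharegroup:rwx
EOF
}
sample_listing | audit_acl sharegroup
```

On a live system the input would come from `find /home/shared -type d -exec getfacl {} +`. In the sample, `Auto/` is flagged for missing group access and missing defaults, and `new_subfolder/` is flagged because its access ACL carries `other::rwx`.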