Are all user directories created with the same default ACL?


MarmaladeMan
01-18-2007, 12:33 PM
So, when you create a new user with name "username", /home/username is created. I've created 6 users so far and the ACLs for their /home/username directories haven't all been created equal. That is to say, some users' directories are accessible by other users. Some are not.

I'm assuming this is an ACL thing because when I getfacl, this is what I see (I'm logged in as user marmalademan):

-bash-3.00$ getfacl /home/talon
getfacl: Removing leading '/' from absolute path names
# file: home/talon
# owner: talon
# group: marmalademan
user::rwx
user:marmalademan:rwx #effective:r-x
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:marmalademan:rwx
default:group::r-x
default:mask::rwx
default:other::--x


-bash-3.00$ getfacl /home/negley
getfacl: Removing leading '/' from absolute path names
# file: home/negley
# owner: negley
# group: marmalademan
user::rwx
user:marmalademan:rwx #effective:---
group::r-x #effective:---
mask::---
other::--x
default:user::rwx
default:user:marmalademan:rwx
default:group::r-x
default:mask::rwx
default:other::--x

I've emboldened the lines that show the differences. These appear to be the two types of ACLs that my users end up getting. I haven't changed them from default settings, as far as I can recall (there aren't even any files in these users' directories, other than their SSH keys).

When I FTP into my account as user marmalademan, I can access /home/talon, but not /home/negley. For the rest of the user directories, some I can access, some I cannot. If I FTP in as user harry (the most recently created user), I am also able to access those directories, while being denied to the others.

I'm still pretty new to these permission settings, but tell me if I'm understanding the ACLs correctly: Users that are part of group marmalademan (all of them, so far) are able to access directories where:

group::r-x #effective:r-x

...is set in the ACL. They can read and execute, but not write. If it's #effective:---, they can't do anything.

But then why are the ACLs being created differently? The only directory I've changed the ACL for has been /home/marmalademan (and various subdirectories), as far as I can remember. Any insight here would be helpful, thanks.

Matt
01-18-2007, 02:28 PM
Effective permissions are what matter in determining access rights to files and directories. The reason that the effective permission on the directory is 0 comes from the fact that the group permission bit is 0. Change the directory to 751 or such and you should be fine (711 *might* work).

MarmaladeMan
01-19-2007, 01:33 PM
Ah okay. I guess I didn't understand the relationship between the permissions I set through setfacl and chmod. That clears things up a bit, thanks Matt. :)

MarmaladeMan
01-23-2007, 02:25 AM
How would I set up permissions to allow a user access to a specific subdirectory of my main web folder, but without allowing them access to the main web folder itself?

i.e.:

not allowed to access:
/var/www/html/

allowed to access:
/var/www/html/dev/filemanager/devftp/

Right now the ACL on /var/www/html does not allow group access, period. On the latter folder I've added user harry with rwx access. But user harry can't access /var/www/html/dev/filemanager/devftp/ (via FTP). Is the first ACL overriding the other, or is there a better way to accomplish this?

Matt
01-23-2007, 02:32 AM
Execute bit is your pal. You need just x set to descend a directory, but read (r) set to list contents. setfacl -m user:<some user>:1 html/ would work.

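The following is an added worked example, not code from the thread or from either poster. It simulates the POSIX.1e access check that both of Matt's replies rely on: a named-user or group entry is ANDed with the mask (getfacl's "#effective:" column), the owner entry is not, chmod's group bits become the mask once an ACL exists, and every directory on a path needs only x to be passed through. The two /home listings are transcribed from the first post; the ACLs for /var/www/html and devftp, the assumption that dev/ and filemanager/ are plain 755 directories, and the root-owned 755 placeholder for unlisted paths are constructed for the example. Nothing is run against a real filesystem, so setfacl and getfacl are never called.

```python
"""POSIX ACL access check, simulated (added example, not code from the thread).
Shows what getfacl's '#effective:' column means, why chmod's group bits move the
mask once an ACL exists, and the path walk where every ancestor needs only x.
Nothing here touches the real filesystem; setfacl/getfacl are never run."""
from dataclasses import dataclass, field
from typing import Optional

R, W, X = 4, 2, 1


def perm_str(bits: int) -> str:        # 5 -> 'r-x'
    return "".join(c if bits & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: int                                # user::
    group_obj: int                               # group::
    other: int                                   # other::
    users: dict = field(default_factory=dict)    # user:NAME: entries, raw bits
    groups: dict = field(default_factory=dict)   # group:NAME: entries, raw bits
    mask: Optional[int] = None                   # None: plain mode bits, no mask

    def effective(self, entry: int) -> int:
        """What getfacl prints after '#effective:': the entry ANDed with the mask."""
        return entry if self.mask is None else entry & self.mask

    def setfacl_user(self, name: str, bits: int) -> None:
        """setfacl -m user:NAME:PERMS (no -n): add the entry, recompute the mask."""
        self.users[name] = bits
        self.mask = self.group_obj                # mask = group:: | all named entries
        for b in (*self.users.values(), *self.groups.values()):
            self.mask |= b

    def chmod(self, mode: int) -> None:
        """With an ACL present the mode's group bits ARE the mask (hence mask::---
        on a 700 home directory); without one they are group::."""
        self.user_obj, self.other = (mode >> 6) & 7, mode & 7
        if self.mask is None:
            self.group_obj = (mode >> 3) & 7
        else:
            self.mask = (mode >> 3) & 7

    def access(self, user: str, user_groups: set, want: int) -> bool:
        """POSIX.1e check in kernel order: owner, named user, groups, other."""
        if user == self.owner:                   # owner entry is never masked
            return self.user_obj & want == want
        if user in self.users:
            return self.effective(self.users[user]) & want == want
        matched = [b for g, b in self.groups.items() if g in user_groups]
        if self.group in user_groups:
            matched.append(self.group_obj)
        if matched:                              # a group matched: other:: is ignored
            return any(self.effective(b) & want == want for b in matched)
        return self.other & want == want


PLAIN_755 = Acl("root", "root", 7, 5, 5)        # assumed for paths not in `fs`


def can_reach(fs: dict, path: str, user: str, groups: set, want: int) -> bool:
    """Walk from / down: each ancestor needs only x (search); the leaf needs `want`."""
    cur = "/"
    for part in [p for p in path.split("/") if p]:
        if not fs.get(cur, PLAIN_755).access(user, groups, X):
            return False
        cur = cur.rstrip("/") + "/" + part
    return fs.get(cur, PLAIN_755).access(user, groups, want)


def home_dir_demo() -> dict:
    """The thread's two getfacl listings, transcribed into Acl objects."""
    talon = Acl("talon", "marmalademan", 7, 5, 5, users={"marmalademan": 7}, mask=5)
    negley = Acl("negley", "marmalademan", 7, 5, 1, users={"marmalademan": 7}, mask=0)
    me, grp = "marmalademan", {"marmalademan"}
    out = {"talon_effective": perm_str(talon.effective(7)),      # r-x, as getfacl shows
           "negley_effective": perm_str(negley.effective(7)),    # ---
           "talon_readable": talon.access(me, grp, R | X),
           "negley_readable": negley.access(me, grp, R | X)}
    negley.chmod(0o751)                          # Matt's fix: group bits 5 -> mask r-x
    out["negley_after_751"] = perm_str(negley.effective(negley.users[me]))
    negley.chmod(0o711)                          # 711 'might work': enter, but no listing
    out["negley_after_711"] = perm_str(negley.effective(negley.users[me]))
    return out


def webdir_demo() -> dict:
    """Second question: let harry reach .../devftp without opening /var/www/html.
    These ACLs are constructed for the example, not copied from the poster's server;
    dev/ and filemanager/ are assumed to be ordinary 755 directories."""
    html = Acl("marmalademan", "marmalademan", 7, 0, 0)            # no group access at all
    devftp = Acl("marmalademan", "marmalademan", 7, 0, 0, users={"harry": 7}, mask=7)
    fs = {"/var/www/html": html, "/var/www/html/dev/filemanager/devftp": devftp}
    harry, grp, target = "harry", {"marmalademan"}, "/var/www/html/dev/filemanager/devftp"
    before = can_reach(fs, target, harry, grp, R | W | X)           # blocked at html/
    html.setfacl_user("harry", X)                # setfacl -m user:harry:1 html/
    return {"before": before,
            "after": can_reach(fs, target, harry, grp, R | W | X),
            "html_listable": html.access(harry, grp, R)}            # still cannot ls html/
```

Two things the simulation makes visible that the thread only implies: chmod on an ACL-bearing directory rewrites the mask rather than group::, which is why a home directory created 700 shows "mask::---" and "#effective:---" for every named entry, and setfacl -m (without -n) recomputes the mask from all entries, which is why the newly added "user:harry:--x" on html/ is not masked away. Giving harry only x on html/ lets him pass through to devftp/ while "html_listable" stays False. If any intermediate directory (dev/, filemanager/) also lacked x for him, it would need the same single-x entry. A real FTP daemon may add its own restrictions on top of this filesystem check.
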
MarmaladeMan
01-23-2007, 02:02 PM
Thanks a ton Matt, you're the best.