The problem is with the way you have set up the ACL, specifically the `-d` flag. This will set the default permissions for new files/directories. In your case, you have set them identical to the access permissions, `---rws---`, and when `virtualenv` makes subdirectories in `website-env`, they also have these permissions. Actually, I'm not sure why `virtualenv` cannot write to them the same as writing to `website-env`, but this is the immediate problem.
To resolve the issue:
Remove all ACL controls from `website-env`. Then run `setfacl -m "u::---,g::rwx,o::---" website-env`.
$ getfacl website-env
# file: website-env
# owner: root
# group: website-development
flags: -s-
user::---
group::rwx
other::---
`virtualenv` will now execute correctly.
Optional:
I found that if you want to set the default permissions for new files/directories, they can be added with a second command `setfacl -m "d:u::rwx,d:g::rwx,d:o::---" website-env`.
$ getfacl website-env
...
...
default:user::rwx
default:group::rwx
default:other::---
These appear to be the minimal permissions required for `virtualenv` to execute. New directories are created with permissions `rwxrws---`. You may be able to fine tune this better through the use of the mask setting, but I don't know much about that.
Edit
It definitely appears that setting the user permissions to `---` is overriding the group permissions set to `rwx`:
d---rws---+ 2 root group 4.0K May 6 02:09 dir1
d---rws---+ 2 user group 4.0K May 6 02:09 dir2
user:~$ touch dir1/foo && ls dir1
foo
user:~$ touch dir2/foo && ls dir2
touch: cannot touch 'dir2/foo': Permission denied
It's interesting that I can access a directory owned by `root`, as long as I'm a member of `group`, but I cannot access a directory owned by me, despite being a member of the same group and having group class permissions. Apparently the owner's permissions take precedence, and if they are set to `---` he cannot modify his files, even though others in the group can!
What is happening in your case: `website-env` is owned by root. The group `website-development` has full access to it. When you run `virtualenv`, subdirectories are created inside `website-env` with permissions `---rws---` (set by the default setting of the ACL). However, these subdirectories are NOT owned by root, but by the user who ran `virtualenv`. His user class permissions on those subdirectories are `---`, hence `virtualenv` cannot modify them.
The solution is to allow owners full access to subdirectories, i.e. with `default:user::rwx` in the ACL. Security is not compromised, since those files/directories will be owned NOT by root, but by the user who makes them, who should probably have access anyway.
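The behaviour the answer above observes (the owner entry is consulted alone and never falls through to the group entry, and a default ACL is copied onto every new subdirectory) is exactly what the POSIX.1e access-check algorithm specifies. The following is an added Python model of that algorithm and of default-ACL inheritance, not code from the answer or from the acl package. The user name "alice", her group membership, and the creation mode 0o777 that mkdir(2) requests are assumptions; the getfacl text is constructed from the entries shown in the answer.

```python
"""Model of the POSIX.1e ACL access check and default-ACL inheritance.

Added illustration, not code from the original answer. The user "alice",
her supplementary groups and the requested creation mode are assumptions.
"""

R, W, X = 4, 2, 1
RWX = R | W | X


def perms(s):
    """Turn a getfacl permission string such as 'r-x' into permission bits."""
    return (R if "r" in s else 0) | (W if "w" in s else 0) | (X if "x" in s else 0)


def parse_getfacl(text):
    """Parse getfacl output into (access_acl, default_acl).

    Each dict maps ('user', '') -> bits for the owner entry, ('group', '') for
    the owning group, ('other', ''), ('user', NAME) / ('group', NAME) for named
    entries and ('mask', '') for the mask. Comment and 'flags:' lines are skipped.
    """
    access, default = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop '# file:' and '#effective:' comments
        if not line or line.startswith("flags:"):
            continue
        target = access
        if line.startswith("default:"):
            target = default
            line = line[len("default:"):]
        tag, qualifier, p = line.split(":")
        target[(tag, qualifier)] = perms(p)
    return access, default


def access_check(acl, owner, owning_group, uid, gids, want):
    """POSIX.1e access check: True if every bit in `want` is granted.

    A process whose uid is the file owner is judged by the owner entry alone;
    it never falls through to the group entry, even if it is a member of a
    group that would have been allowed. That is the 'dir2' case in the answer.
    """
    mask = acl.get(("mask", ""), RWX)  # no mask entry -> nothing is masked
    if uid == owner:
        return acl[("user", "")] & want == want
    if ("user", uid) in acl:
        return acl[("user", uid)] & mask & want == want
    matched = False
    for g in gids:
        if g == owning_group:
            matched = True
            if acl[("group", "")] & mask & want == want:
                return True
        if ("group", g) in acl:
            matched = True
            if acl[("group", g)] & mask & want == want:
                return True
    if matched:
        return False  # a group entry matched but none granted the access
    return acl[("other", "")] & want == want


def inherit(parent_default, requested=0o777):
    """Access ACL of a new object created under a directory with a default ACL.

    With a default ACL present the umask is ignored; the creation mode
    (0o777 for mkdir, 0o666 for creat) is ANDed with the default entries.
    Named entries are copied unchanged. Returns (access_acl, default_acl).
    """
    u, g, o = (requested >> 6) & 7, (requested >> 3) & 7, requested & 7
    access = dict(parent_default)
    access[("user", "")] = parent_default[("user", "")] & u
    access[("group", "")] = parent_default[("group", "")] & g
    access[("other", "")] = parent_default[("other", "")] & o
    if ("mask", "") in parent_default:
        access[("mask", "")] = parent_default[("mask", "")] & g
    return access, dict(parent_default)


# Constructed getfacl output for the broken setup in the question: the default
# ACL mirrors the access ACL, so every new subdirectory is born with user::---.
BROKEN = """\
# file: website-env
# owner: root
# group: website-development
user::---
group::rwx
other::---
default:user::---
default:group::rwx
default:other::---
"""

# The fix from the answer: give owners full access on inherited objects.
FIXED = BROKEN.replace("default:user::---", "default:user::rwx")


def simulate_virtualenv(getfacl_text, uid="alice", gids=("alice", "website-development")):
    """Return (can_write_in_website_env, can_write_in_own_subdir)."""
    top_access, top_default = parse_getfacl(getfacl_text)
    # alice is not the owner of website-env (root is), so the group entry decides.
    top_ok = access_check(top_access, "root", "website-development", uid, gids, W | X)
    # virtualenv creates website-env/lib; it is owned by alice (group inherited
    # via setgid) and its permissions come from the parent's default ACL.
    sub_access, _ = inherit(top_default)
    sub_ok = access_check(sub_access, uid, "website-development", uid, gids, W | X)
    return top_ok, sub_ok


if __name__ == "__main__":
    print("broken default ACL:", simulate_virtualenv(BROKEN))  # (True, False)
    print("fixed default ACL: ", simulate_virtualenv(FIXED))   # (True, True)
```

The model reproduces the answer's experiment: with `default:user::---` the group member can write into `website-env` but not into the subdirectory she herself owns, and changing only the default owner entry to `rwx` is enough to make both steps succeed.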