Hi, Tim,
Thank you for your patient explanation. As Olaf suggested, I checked the
samba source code; they had a change in smd/open.c about this (I guess),
and I used it in my samba source code and compiled; it works in that
case (of course, I do not have enough time to test them :))
BTW, I noticed the case about the Mask ACE too, I think it should work like
that ..
Regards,
Juer
>-----Original Message-----
>From: Timothy Shimmin [mailto:tes@xxxxxxxxxxxxxxxxxxxxxxx]
>Sent: 19 December 2001 01:38
>To: Juer Lee
>Cc: linux-xfs@xxxxxxxxxxx
>Subject: Re: Question about default ACL
>
>
>Hi Juer,
>
>On Tue, Dec 18, 2001 at 10:53:33AM -0000, Juer Lee wrote:
>> Hello samba guys and XFS guys,
>>
>> I am now using Linux-2.4.5-1.0.1_XFS and Samba 2.2.2.
>> Try to create a samba share on a XFS volume, for example, we create a
>> directory named 'public', and set its default acl on 'public' as
>> 'u::rwx,g::rw-,o::r--,m::rwx'. Under Linux box, try to create a file
>> named 'file_linux' under directory 'public', On Samba client (Win2K) try
>> to create a file named 'file_samba' under directory 'public'.
>> After that I try to list the ACLs for them, what I got were:
>> chacl -l file_samba
>> ------- u::rwx,g::rw-,o::rw-,m::rwx
>> chacl -l file_linux
>> ------- u::rwx,g::rw-,o::r--,m::rw- ( this is what we
>> expected though the mask ACL is changed to m::rw- not m::rwx )
>>
>> It seems that mask ACL has no effect on creating file on samba client.
>> But I am wrong, repeat the steps listed below, just change default acl
>> on 'public' as 'u::rwx,g::rw-,o::r--' without mask ACL, I get the same
>> ACLs of file_linux and file_samba.
>>
>> I am still afraid that I can't describe this case well, but I hope I can
>> get some help from samba group or xfs group.
>>
>> :)
>> Juer
>>
>
>(I initially wrote about default ACL and mask on June 12 and Aug 8 -
> I'll paraphrase some of it here that may be relevant :)
>(I don't use Samba so I'll leave others to comment on the Samba side)
>
>---------------------------------------------------------------
>
>1 - Default ACLs
>When the access ACL for a file of a directory with a default ACL
>is created, its ACE permissions are set by the _intersection_ of the
>respective default ACEs permission bits and the mode bits of the
>parameter to open/creat.
>If you have a MASK ACE (see Posix1003.1e section 5.3.1.2), then the
>ACE permissions on the new file will have a MASK ACE equal to
>the intersection of the default MASK ACE permission bits
>and the standard group permission bits of the parameter to open/creat.
>(This is what you saw)
>
>So you don't just get the default ACL as your access ACL as you
>might expect !
>And Olaf pointed out that Samba sets the mode bits of the parameter
>to open/creat to something other than 777.
>Hmmm....but you seem to have _more_ permissions for "other" in
>the samba side. I don't understand that.
>
>---------------------------------------------------------------
>
>2 - MASK ACE
>The MASK ACE is used for the intersection of permissions for
>USER, GROUP, and GROUP_OBJ ACEs
>when granting/denying permission for access.
>
>The standard group permission bits on a file usually mimic
>the GROUP_OBJ ACE.
>However, if there is a MASK ACE, then the std group permissions
>are set to match the MASK ACE permission bits
>(see Posix1003.1e section 23.1.2 Relationship with File permission Bits).
>
>(You didn't mention this one but you'll probably notice it:)
>
>---------------------------------------------------------------
>
>So for example,
>if you have a default ACL of u::rwx,g::rw-,o::r--,m::rwx
>and you did
>$ touch fred
>which does a creat with permission bits of 666 = rw-rw-rw-
>then you would get:
> fred [u::rw-,g::rw-,o::r--,m::rw-]
>ls -l fred
> -rw-rw-r-- fred
>the user-obj ACE of u::rwx would get intersected with creat's
>user permissions of rw- and you'd get rw- for the user-obj ACE of fred.
>The mask ACE of m::rwx gets intersected with creat's group
>permissions of rw- and you'd get rw- for the mask ACE of fred.
>
>If you had a default ACL of u::rwx,g::rw-,o::r--,m::---
>and you did
>$ touch fred
>then you would get:
> fred [u::rw-,g::rw-,o::r--,m::---]
>ls -l fred
> -rw----r-- fred
>The mask has no permissions, so the group file permissions as
>seen with ls(1) match the mask permissions.
>
>---------------------------------------------------------------
>
>As I said previously....
>| I hope I haven't confused you.
>| The standard can be equally confusing ;-)
>|
>| The withdrawn Posix ACL standard can be downloaded at:
>| http://wt.xpilot.org/posix.1e/download.html
>
>
>Kindest Regards,
>--Tim
>
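The inheritance rule described in the quoted message above, modelled as an added example (not code from the thread, Samba or XFS). It handles only the u::, g::, o:: and m:: entries used in the thread; leaving the GROUP_OBJ ACE unchanged when a MASK ACE exists is an assumption taken from the Linux kernel's behaviour and matches both `touch fred` results.

```python
# Added example: models default-ACL inheritance as described in the quoted message.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def parse_acl(text):
    """Parse short-form ACL text such as 'u::rwx,g::rw-,o::r--,m::rwx' into {tag: bits}."""
    acl = {}
    for entry in text.split(","):
        tag, qualifier, perms = entry.strip().split(":")
        if qualifier:
            raise ValueError("named user/group entries are not modelled here")
        acl[tag] = sum(PERM_BITS[c] for c in perms if c != "-")
    return acl

def fmt_perms(bits):
    """Render three permission bits as an 'rwx'-style string."""
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())

def format_acl(acl):
    return ",".join(f"{t}::{fmt_perms(acl[t])}" for t in "ugom" if t in acl)

def inherit(default_acl_text, create_mode):
    """Return (access ACL text, ls-style mode string) for a newly created file."""
    acl = parse_acl(default_acl_text)
    user, group, other = (create_mode >> 6) & 7, (create_mode >> 3) & 7, create_mode & 7
    acl["u"] &= user            # USER_OBJ ACE intersected with creat's user bits
    acl["o"] &= other           # OTHER ACE intersected with creat's other bits
    if "m" in acl:
        acl["m"] &= group       # MASK ACE takes creat's group bits; GROUP_OBJ is kept
        shown_group = acl["m"]  # ls(1) shows the mask in the group position
    else:
        acl["g"] &= group       # no mask: GROUP_OBJ itself is intersected
        shown_group = acl["g"]
    mode = "-" + fmt_perms(acl["u"]) + fmt_perms(shown_group) + fmt_perms(acl["o"])
    return format_acl(acl), mode

if __name__ == "__main__":
    # Default ACLs from the thread, created with touch's mode of 666.
    for default in ("u::rwx,g::rw-,o::r--,m::rwx",
                    "u::rwx,g::rw-,o::r--,m::---",
                    "u::rwx,g::rw-,o::r--"):
        print(default, "->", *inherit(default, 0o666))
```

A creating process that passes a tighter mode (for example 0600) ends up with an empty mask, so the g::rw- entry stays in the ACL but grants nothing until the mask is widened.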