[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: default ACL?

To: Eric Peters <eric@peters.org>
Subject: Re: default ACL?
From: Timothy Shimmin <tes@boing.melbourne.sgi.com>
Date: Fri, 3 Aug 2001 13:51:30 +1000
Cc: linux-xfs@oss.sgi.com
In-reply-to: <00ce01c11ba2$bcb5af80$020144c0@windows>; from eric@peters.org on Thu, Aug 02, 2001 at 03:30:27PM -0700
References: <00ce01c11ba2$bcb5af80$020144c0@windows>
Sender: owner-linux-xfs@oss.sgi.com

Hi Eric:

On Thu, Aug 02, 2001 at 03:30:27PM -0700, Eric Peters wrote:
> I'm basically just trying to be able and delegate a group of users rw
> permission for a directory /www and all sub directories (or there would
> be 5 global accounts and a couple accounts could only access certain
> sub directories / etc)
>  
> The mask has me fairly confused I must say, in that despite having
> g::r-x:m::rwx, the directory has g+rwx

Yeah I find it weird myself.
But it seems to be part of the standard.
I emailed about this on June 12 to Sebastian Dransfeld.
Below is what I wrote to Sebastian about the application of a directory 
default ACL when a file is created inside the directory:
| When the access ACL for a file of a directory with a default ACL
| is created, it's ACE permissions are set by _intersection_ of the
| respective default ACEs permission bits and the mode bits of the
| parameter to open/creat.
| 
| So if the creat mode bits don't have the execute (x) bit set for user
| and other (which will depend on the application you use which makes the
| create/open call), then nor will the USER_OBJ ACEs and OTHER ACEs.
| Which is what you (Sebastian) saw.
| The GROUP_OBJ ACE is treated differently if a MASK ACE exists, as
| is the case in your example above. If we have a MASK ACE (see 5.3.1.2),
| then the GROUP_OBJ ACE is left alone, and the MASK ACE
| is intersected with the group permission bits of the creat parameter.
| The std group permissions bits on the file, however, are updated
| accordingly.
| If you did an "ls -l" on the file, then you would see that the
| group permission bits match the MASK ACE permission bits (see 23.1.2)
| that you see with "chacl -l".
| (If there was no MASK ACE then the GROUP_OBJ ACE would be intersected
|  with the group permissions as expected).
|
| I hope I haven't confused you.
| The standard can be equally confusing ;-)
| 
| The withdrawn Posix ACL standard can be downloaded at:
|     http://wt.xpilot.org/posix.1e/download.html
| 
| Andreas Gruenbacher's site has some useful info:
|     http://acl.bestbits.at

>  
> I also want an easy way for it all to be inherited - as well as only
> "directories" would be +x, where normal files wouldn't need the
> executable bit set
>  
> Are there any other utilities other than chacl for managing the ACLs?
Nathan Scott will soon check in ported versions of Andreas'
setfacl and getfacl ACL commands. 
(Currently, you'll need to preserve an ACE ordering in ACL specification
 for setfacl;
 however, I'll look into fixing this problem when the code is checked in).

--Tim

Follow-Ups:
- Re: default ACL?
  - From: "Eric Peters" <eric@peters.org>

References:
- default ACL?
  - From: "Eric Peters" <eric@peters.org>

Prev by Date: Re: FIX: World-writeable files repair script
Next by Date: Re: FIX: World-writeable files repair script
Previous by thread: default ACL?
Next by thread: Re: default ACL?
Index(es):
- Date
- Thread