Re: Query about setfacl behavior
Hi John,
I now have more of an idea of what is happening -
I'll need to get some feedback from Andreas G. on
setfacl(1) for this.
If I have:
[root@sagan xfs1]# getfacl wow
# file: wow
# owner: root
# group: root
user::r-x
group::rw- #effective:---
mask::---
other::r--
[root@sagan xfs1]# ls -l | grep 'wow$'
dr-x---r-- 2 root root 6 May 1 16:02 wow
And I use setfacl compiled to allow -t, I see:
[root@sagan xfs1]# setfacl -m u::--- -t wow
wow: u::---,g::rw-,m::rw-,o::r--,*
i.e.
setfacl is about to set the acl with a mask ACE of m::rw-
even though the mask ACE is currently m::---.
It seems that setfacl(1) is looking at the GROUP_OBJ ACE and
setting the mask ACE to this!
In XFS, if we have a mask ACE then it is kept in sync with the
group permissions (as per the standard),
but the GROUP_OBJ ACE is left unaltered.
So setfacl(1) is sync'ing the mask ACE with the GROUP_OBJ ACE
and we are in trouble.
The question is, why is setfacl(1) doing this?
Andreas ?
Thanks a bunch,
Tim.
On Wed, May 01, 2002 at 05:25:50PM +1000, Timothy Shimmin wrote:
> On Tue, Apr 30, 2002 at 01:20:28PM -0400, jtrostel@snapserver.com wrote:
> > I am wondering if this is correct behavior...
> >
> Yeah it looks wrong, John.
> It looks like the mask ACE is getting the group permissions.
>
> e.g.
> ========================================================
> [root@sagan xfs1]# getfacl wow
> # file: wow
> # owner: root
> # group: root
> user::r--
> group::rw-
> other::rwx
>
> [root@sagan xfs1]# setfacl -m m::--- wow
> [root@sagan xfs1]# getfacl wow
> # file: wow
> # owner: root
> # group: root
> user::r--
> group::rw- #effective:---
> mask::---
> other::rwx
>
> [root@sagan xfs1]# setfacl -m u::r-x wow
> [root@sagan xfs1]# getfacl wow
> # file: wow
> # owner: root
> # group: root
> user::r-x
> group::rw-
> mask::rw-
> other::rwx
> ========================================================
>
> I'll look into it...
>
> --Tim
>
>
>
> > Using XFS CVS tip as of this morning (4/30/02) which gives me acl 2.0.10
> >
> > [jt@jtsdevel xfs_part]$ getfacl --version
> > getfacl 2.0.10
> >
> > Set up an xfs partition with acls as follows:
> >
> > [jt@jtsdevel xfs_part]$ pwd
> > /mnt/xfs_part
> > [jt@jtsdevel xfs_part]$ getfacl .
> > # file: .
> > # owner: root
> > # group: root
> > user::rwx
> > group::rwx
> > mask::rwx
> > other::rwx
> > default:user::rwx
> > default:group::rwx
> > default:mask::rwx
> > default:other::rwx
> >
> > I then created a new directory on that partition, named jts_dir
> >
> > [jt@jtsdevel xfs_part]$ mkdir jts_dir
> >
> > [jt@jtsdevel xfs_part]$ getfacl jts_dir/
> > # file: jts_dir
> > # owner: jt
> > # group: jt
> > user::rwx
> > group::rwx
> > mask::rwx
> > other::rwx
> > default:user::rwx
> > default:group::rwx
> > default:mask::rwx
> > default:other::rwx
> >
> > Now.. I added an auxiliary user 'a1' to the access aces.
> >
> > [jt@jtsdevel xfs_part]$ setfacl -m u:a1:rwx jts_dir/
> > [jt@jtsdevel xfs_part]$ getfacl jts_dir/
> > # file: jts_dir
> > # owner: jt
> > # group: jt
> > user::rwx
> > user:a1:rwx
> > group::rwx
> > mask::rwx
> > other::rwx
> > default:user::rwx
> > default:group::rwx
> > default:mask::rwx
> > default:other::rwx
> >
> > Change the mask ace to no perms
> >
> > [jt@jtsdevel xfs_part]$ setfacl -m m::--- jts_dir/
> > [jt@jtsdevel xfs_part]$ getfacl jts_dir/
> > # file: jts_dir
> > # owner: jt
> > # group: jt
> > user::rwx
> > user:a1:rwx #effective:---
> > group::rwx #effective:---
> > mask::---
> > other::rwx
> > default:user::rwx
> > default:group::rwx
> > default:mask::rwx
> > default:other::rwx
> >
> > NOW! Change the aux. user 'a1' perms to something else, for instance 'rw'. The
> > mask ace is also changed now. (It went from --- to rwx) Why?
> >
> >
> > [jt@jtsdevel xfs_part]$ setfacl -m u:a1:rw jts_dir/
> > [jt@jtsdevel xfs_part]$ getfacl jts_dir/
> > # file: jts_dir
> > # owner: jt
> > # group: jt
> > user::rwx
> > user:a1:rw-
> > group::rwx
> > mask::rwx
> > other::rwx
> > default:user::rwx
> > default:group::rwx
> > default:mask::rwx
> > default:other::rwx
> >
> > P.S. (For XFS folks: chacl -l returns the same values)
> >
> > --
> > John M. Trostel
> > Senior Software Engineer
> > Quantum Corp. / NASD
> > jtrostel@snapserver.com
> >
>
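
The mask behavior shown in the sessions above, as an added example that is not part of the original messages or of the acl package: a small Python model in which modifying an entry without naming the mask recalculates the mask as the union of the owning group and all named entries, so a mask of --- is silently widened. All function names are hypothetical; the `no_mask` flag stands in for setfacl's -n/--no-mask option, and the sample ACLs are copied from the getfacl output in the thread.

```python
# Added illustration: a model of the mask handling discussed in this thread.
# ACLs are dicts keyed by (tag, qualifier); values are permission bits.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def to_bits(perms):
    return sum(PERM_BITS[c] for c in perms if c != "-")

def to_str(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

def parse(text):
    """Parse short-form ACL text such as 'u::r--,u:a1:rwx,g::rw-,m::---'."""
    acl = {}
    for entry in text.split(","):
        tag, qual, perms = entry.split(":")
        acl[(tag[0], qual)] = to_bits(perms)
    return acl

def recalc_mask(acl):
    """Union of the group class: owning group plus every named user/group."""
    mask = 0
    for (tag, qual), bits in acl.items():
        if tag == "g" or (tag == "u" and qual):
            mask |= bits
    return mask

def modify(acl, change, no_mask=False):
    """Apply a 'setfacl -m'-style change. The mask is recalculated unless the
    change names a mask entry itself or no_mask is set (assumed to model -n)."""
    new = dict(acl)
    delta = parse(change)
    new.update(delta)
    has_named = any(qual for (_, qual) in new)
    wants_mask = ("m", "") in new or has_named
    if wants_mask and ("m", "") not in delta and not no_mask:
        new[("m", "")] = recalc_mask(new)
    return new

def effective(acl, tag, qual=""):
    """Owner and other are never masked; all other entries are ANDed with mask."""
    bits = acl[(tag, qual)]
    if (tag == "u" and not qual) or tag == "o" or ("m", "") not in acl:
        return to_str(bits)
    return to_str(bits & acl[("m", "")])
```

When a restrictive mask is meant to persist, either pass the mask entry in the same change or re-check the mask with getfacl after every modification.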