
Re: Query about setfacl behavior



On Wed, 1 May 2002, Timothy Shimmin wrote:

> Hi John,
>
> I now have more of an idea of what is happening -
> I'll need to get some feedback from Andreas G. on
> setfacl(1) for this.
>
> If I have:
>
> [root@sagan xfs1]# getfacl wow
> # file: wow
> # owner: root
> # group: root
> user::r-x
> group::rw-                      #effective:---
> mask::---
> other::r--
>
> [root@sagan xfs1]# ls -l | grep 'wow$'
> dr-x---r--    2 root     root            6 May  1 16:02 wow
>
>
> And I use setfacl compiled to allow -t, I see:
>
> [root@sagan xfs1]# setfacl -m u::--- -t wow
> wow: u::---,g::rw-,m::rw-,o::r--,*
>
> i.e.
> setfacl is about to set the acl with a mask ACE of m::rw-
> even though the mask ACE is currently m::---.
> It seems that setfacl(1) is looking at the GROUP_OBJ ace and
> setting the mask ACE to this !
>
> In XFS, if we have a mask ACE then it is kept in sync with the
> group permissions (as per the standard),
> but the GROUP_OBJ ACE is left unaltered.
> So setfacl(1) is sync'ing the mask ACE with the GROUP_OBJ ACE
> and we are in trouble.
> The question is, why is setfacl(1) doing this ?

Because this is what setfacl is supposed to do according to the
specification.

Unless the -n option is used, setfacl recalculates the permissions in
the ACL mask entry whenever the ACL changes, as long as no mask entry is
explicitly given. The permissions are set to the union of the permissions
of all ACL_USER, ACL_GROUP_OBJ, and ACL_GROUP entries. This gives:

$ touch f
$ setfacl -m u:joe:rw,m::r f
$ getfacl f
# file: f
# owner: ag
# group: users
user::rw-
user:joe:rw-                    #effective:r--
group::r--
mask::r--
other::r--

$ setfacl -m u:lisa:rw f
$ getfacl f
# file: f
# owner: ag
# group: users
user::rw-
user:joe:rw-
user:lisa:rw-
group::r--
mask::rw-
other::r--

Or, if -n had been used:

$ getfacl f
# file: f
# owner: ag
# group: users
user::rw-
user:joe:rw-                    #effective:r--
user:lisa:rw-                   #effective:r--
group::r--
mask::r--
other::r--


Cheers,
Andreas.

------------------------------------------------------------------------
 Andreas Gruenbacher, a.gruenbacher@computer.org
 Contact information: http://www.bestbits.at/~ag/
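The mask-recalculation rule Andreas describes, as an added worked example (this is not code from the thread or from the acl package, and the function and helper names, the list-of-entries representation and the `recalc_mask=False` stand-in for `setfacl -n` are this example's own choices). It applies `setfacl -m` specs to an ACL held in the short text form, recalculates the mask as the union of the named-user, owning-group and named-group entries unless a mask is given explicitly or recalculation is switched off, and renders getfacl's `#effective:` annotations. The walk-through at the bottom reproduces both ACLs from the thread, including the `wow` case where modifying `u::` alone causes the `m::---` mask to be rewritten to `rw-` from the untouched `g::rw-` entry.

```python
"""Model of how setfacl(1) recalculates the POSIX ACL mask entry.

Added example, not code from the mailing-list post or from the acl package.
An ACL is a list of [tag, qualifier, perm-set] entries, parsed from the short
text form used by setfacl/getfacl (u::rw-,u:joe:rw-,g::r--,m::r--,o::r--).
"""

PERM_CHARS = "rwx"
TAG_NAMES = {"u": "user", "g": "group", "m": "mask", "o": "other"}
TAG_ORDER = {"user": 0, "group": 1, "mask": 2, "other": 3}


def parse_perm(text):
    """'rw-' or 'rw' -> frozenset({'r', 'w'})."""
    return frozenset(c for c in text if c in PERM_CHARS)


def fmt_perm(perm):
    return "".join(c if c in perm else "-" for c in PERM_CHARS)


def parse_acl(text):
    """Parse 'u::rw-,u:joe:rw-,g::r--,m::r--,o::r--' into [tag, qualifier, perms]."""
    acl = []
    for item in text.split(","):
        if item.strip():
            tag, qualifier, perm = item.strip().split(":")
            acl.append([TAG_NAMES.get(tag, tag), qualifier, parse_perm(perm)])
    return acl


def sort_acl(acl):
    """Canonical order: owner, named users, owning group, named groups, mask, other."""
    return sorted(acl, key=lambda e: (TAG_ORDER[e[0]], e[1] != "", e[1]))


def _masked(entry):
    """Entries the mask applies to: named users, the owning group, named groups.
    The owner (u::) and other (o::) entries are never limited by the mask."""
    tag, qualifier, _ = entry
    return (tag == "user" and qualifier != "") or tag == "group"


def setfacl_modify(acl, spec, recalc_mask=True):
    """Apply 'setfacl -m SPEC' and return the new ACL (recalc_mask=False is -n).

    Without -n, and unless SPEC itself contains a mask entry, the mask becomes
    the union of all named-user, owning-group and named-group entries.
    """
    acl = [list(e) for e in acl]
    explicit_mask = False
    for tag, qualifier, perm in parse_acl(spec):
        explicit_mask |= tag == "mask"
        for entry in acl:  # replace an existing entry with the same tag/qualifier
            if entry[0] == tag and entry[1] == qualifier:
                entry[2] = perm
                break
        else:
            acl.append([tag, qualifier, perm])

    has_mask = any(e[0] == "mask" for e in acl)
    needs_mask = any(e[1] != "" for e in acl)  # named entries require a mask
    if recalc_mask and not explicit_mask and (has_mask or needs_mask):
        union = frozenset().union(*(e[2] for e in acl if _masked(e)))
        if has_mask:
            for entry in acl:
                if entry[0] == "mask":
                    entry[2] = union
        else:
            acl.append(["mask", "", union])
    elif not recalc_mask and needs_mask and not has_mask:
        # This model's choice: refuse to produce an ACL that is invalid without a mask.
        raise ValueError("named entries present but no mask entry; drop -n or give m::")
    return sort_acl(acl)


def getfacl_text(acl):
    """Long text form as getfacl(1) prints it, with '#effective:' where the mask
    cuts an entry's rights down."""
    mask = next((e[2] for e in acl if e[0] == "mask"), None)
    lines = []
    for tag, qualifier, perm in sort_acl(acl):
        line = f"{tag}:{qualifier}:{fmt_perm(perm)}"
        if mask is not None and _masked([tag, qualifier, perm]) and (perm & mask) != perm:
            line = f"{line:<32}#effective:{fmt_perm(perm & mask)}"
        lines.append(line)
    return "\n".join(lines)


def short_text(acl):
    """Short form, as 'setfacl -t' previews it (without the trailing ',*')."""
    short = {v: k for k, v in TAG_NAMES.items()}
    return ",".join(f"{short[t]}:{q}:{fmt_perm(p)}" for t, q, p in sort_acl(acl))


if __name__ == "__main__":
    # Constructed walk-through of the ACLs quoted in the thread.
    f = parse_acl("u::rw-,g::r--,o::r--")             # freshly touched file
    f = setfacl_modify(f, "u:joe:rw,m::r")            # explicit mask, kept at r--
    print(getfacl_text(f), end="\n\n")
    print(getfacl_text(setfacl_modify(f, "u:lisa:rw")), end="\n\n")           # mask -> rw-
    print(getfacl_text(setfacl_modify(f, "u:lisa:rw", recalc_mask=False)))    # -n: stays r--
    wow = parse_acl("u::r-x,g::rw-,m::---,o::r--")    # Timothy's directory
    print(short_text(setfacl_modify(wow, "u::---")))  # m::--- becomes m::rw- from g::rw-
```

The practical check this models: before applying a `setfacl -m` that touches only `u::` or a named entry on an object whose mask is deliberately restrictive, preview with `setfacl -t` or pass `-n` (or name the mask explicitly with `m::`), because any change without those resets the mask to the union of the group-class entries and silently widens the effective rights.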