Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 9 Aug 2003 15:38:16 -0400 (EDT)
From:      Robert Watson <rwatson@freebsd.org>
To:        "=?iso-8859-2?Q?Branko_F._Gra=E8nar?=" <bfg@noviforum.si>
Cc:        freebsd-current@freebsd.org
Subject:   Re: 5.1-R acl problem (again)
Message-ID:  <Pine.NEB.3.96L.1030809153034.49407A-100000@fledge.watson.org>
In-Reply-To: <008801c35ea3$ea062fa0$fac8a8c0@MORDOR>

next in thread | previous in thread | raw e-mail | index | archive | help

On Sat, 9 Aug 2003, [iso-8859-2] Branko F. Gra=E8nar wrote:

> Now i create directory /export/a. I want to be owned by root:wheel,
> others will no have any access at all and i want that user branko will
> have rw access to it.=20
>=20
> # mkdir a
>=20
> # getfacl a
> #file:a
> #owner:0
> #group:0
> user::rwx
> group::r-x
> other::r-x
>=20
> # setfacl -m u::rwx,g::rx,o::---,u:branko:rwx a
>=20
> # getfacl a
> #file:a
> #owner:0
> #group:0
> user::rwx
> user:branko:rwx
> group::r-x
> mask::rwx
> other::---
>=20
> (testing as branko - works okay)
>=20
> Now, if root creates some files (od dirs) in 'a', owner of that file
> will be root and only standard unix triple acl will be assigned, so that
> user branko will not be able to access that file read/write.
>=20
> Well, it seems, that default directory acl need to be set to achive
> above goal.=20
>=20
> # setfacl -b a

This strips your extended access ACL from a, so it now just has owner,
group, and other fields; however, there appears to be an inconsistency in
the POSIX.2c spec regarding using -b without -n -- to make all the entries
disappear and not recalculate a mask, you need "-bn".  We might want to
change this beahvior.

> # setfacl -dm u::rwx,g::rwx,o::--,u:branko:rwx a

A default ACL should now be set, and will be visible if you use "getfacl
-d a".

> # getfacl a
> #file:a
> #owner:0
> #group:0
> user::rwx
> group::r-x
> mask::r-x
> other::---
>=20
> WHOOPS, where is user branko?! Why group's acls was not altered from
> 'r-x' to 'rwx' ?!=20

Do you mean to use "getfacl -d" here?  This looks like the correct access
ACL.  Try touch a/b, then getfacl a/b, and you'll see the ACL derived from
the default ACL.

> Ofcourse, trying to access directory 'a' as branko doesn't succeed.

The commands you used denied access to user branko.  In POSIX.1e, there
are two kinds of ACLs: access, and default.  Access ACLs are used for
access control, and default ACLs are used to determine the default and
access ACLs of new objects created in a directory.  So if you create a/b,
b will have the access ACL derived from the default ACL on a.

Note that in 5.1-CURRENT, we've changed the semantics for merging the
umask, creation mode, and default ACL, and will probably tweak them a bit
more, but you should be able to see fairly reasonable default ACL behavior
in 5.1 -- certainly visible behavior.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1030809153034.49407A-100000>