Date: Tue, 27 Mar 2007 10:36:57 GMT From: Cédric Jonas<cedric@decemplex.net> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/110915: ACL's don't work with SUIDDIR Message-ID: <200703271036.l2RAavvV015400@www.freebsd.org> Resent-Message-ID: <200703271050.l2RAo4HC065642@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 110915 >Category: misc >Synopsis: ACL's don't work with SUIDDIR >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Mar 27 10:50:04 GMT 2007 >Closed-Date: >Last-Modified: >Originator: Cédric Jonas >Release: FreeBSD 6.2-RELEASE >Organization: >Environment: FreeBSD project.decemplex.net 6.2-RELEASE-p3 FreeBSD 6.2-RELEASE-p3 #1: Wed Mar 21 16:20:37 CET 2007 cedric@nyx.decemplex.net:/usr/obj/usr/src/sys/NYX i386 >Description: I'm using FreeBSD 6.2-RELEASE, with suiddir set as option in kernel config and fstab (+ acl support). My goal is to have a directory (precisely a SVN repo) writable by X specific users, where all created/modified files remain owned by svn. I tried following: drwx------ 7 svn users 512 21 Mär 17:30 braintrust => user thomas CANT'T write in braintrust setfacl -d -m u::rwx,g::---,o::---,u:thomas:rwx braintrust/ drwx------ 7 svn users 512 21 Mär 17:31 braintrust => user thomas CAN'T write in braintrust - but he got an default ACL that will apply on all created files in braintrust setfacl -m u:thomas:rwx braintrust/ drwxrwx---+ 7 svn users 512 21 Mär 17:34 braintrust => user thomas CAN write in braintrust - and all created files in braintrust got the default ACL chmod +s braintrust/ drwsrws---+ 7 svn users 512 21 Mär 17:35 braintrust => braintrust get the suidbit/sgidbit, and all files created by thomas in braintrust should be owned by svn|users BUT: after +s, user thomas CAN'T write anymore in braintrust, the error is not "Permission denied", but "Operation not permitted". However, he can read the directory content. If I do the same with a directory that hasn't ACL's, it works as expected... If I understand the manpages correctly, this isn't the correct behavior, but a bug. The problem isn't unknown: http://lists.freebsd.org/pipermail/freebsd-stable/2005-February/011786.html http://lists.freebsd.org/pipermail/freebsd-stable/2005-February/011797.html And I post it also on the mailing list: http://lists.freebsd.org/pipermail/freebsd-fs/2007-March/002811.html I'm available if help is needed. >How-To-Repeat: A kernel with UFS_ACL and SUIDDIR support is needed. Also, the file system must be mounted with both options. cd /tmp mkdir testDir chmod u=rwx,g=,o= testDir chown svn:users testDir setfacl -d -m u::rwx,g::---,o::---,u:thomas:rwx testDir/ setfacl -m u:thomas:rwx testDir/ As user thomas: touch testDir/testFile1 chmod +s testDir/ As user thomas: touch testDir/testFile2 Replace usernames with yours, but don't use root as testDir owner, it must be a different user. >Fix: No known fix. >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200703271036.l2RAavvV015400>