This is the mail archive of the cygwin mailing list for the Cygwin project.



setfacl(2.4.0.14): recalculation of the ACL mask entry


Hi Corinna,

According to acl(5), the mask entry (as reported by getacl) is "optional" if the acl contains no 'u:uid:perm' and/or 'g:gid:perm' entries (ace's) ... Ahem.

VALID ACLs (from acl(5) )

     A valid ACL contains exactly one entry with each of the ACL_USER_OBJ,
     ACL_GROUP_OBJ, and ACL_OTHER tag types. Entries with ACL_USER and
     ACL_GROUP tag types may appear zero or more times in an ACL. An ACL
     that contains entries of ACL_USER or ACL_GROUP tag types must contain
     exactly one entry of the ACL_MASK tag type. If an ACL contains no
     entries of ACL_USER or ACL_GROUP tag types, the ACL_MASK entry is
     optional.

However, setfacl(1) and your setfacl also note, that the default behaviour of
setfacl is to recalculate the mask entry ...

%% setfacl -h
Usage: setfacl [-n] {-f ACL_FILE | -s acl_entries} FILE...
       setfacl [-n] {[-bk]|[-x acl_entries] [-m acl_entries]} FILE...
[snip]

-n, --no-mask
  Valid in conjunction with -m.  Do not recalculate the effective rights
  mask.  The default behavior of setfacl is to recalculate the ACL mask
  entry, unless a mask entry was explicitly given.  The mask entry is set
  to the union of all permissions of the owning group, and all named user
  and group entries.  (These are exactly the entries affected by the mask
  entry).
[snip]

I decided to experiment ... See below. (the mask entry is not recalculated, it
appears).

Regards,
Henri

-----
%% uname -a
CYGWIN_NT-6.1-WOW Seven 2.4.0(0.292/5/3) 2015-12-20 13:18 i686 Cygwin
%% id
uid=1000(Henri) gid=513(None) groups=513(None),1007(HelpLibraryUpdaters),559(Performance Log Users),545(Users),11(Authenticated Users)

%% touch foo.txt
%% getfacl foo.txt
# file: foo.txt
# owner: Henri
# group: None
user::rw-
group::r--
other:r--

%% setfacl -m g:Replicator:rw- foo.txt
%% getfacl foo.txt
# file: foo.txt
# owner: Henri
# group: None
user::rw-
group::r--
group:Replicator:rw-
mask:rw-
other:r--

%% setfacl -x g:Replicator: foo.txt # and remove it again
%% getfacl foo.txt
# file: foo.txt
# owner: Henri
# group: None
user::rw-
group::r--
mask:rw- <==== mask is now optional according to acl(5), but ...
other:r--

%% ls -l foo.txt
-rw-rw-r-- 1 Henri None 0 Dec 20 17:59 foo.txt <==== OK, but ...
%%

Ok, the permissions correspond with the mask (see acl(5) ), but according to setfacl(1),
the mask should have been recalculated ...

According to acl(5):
ACL ENTRIES

ACL_MASK  The ACL_MASK entry denotes the maximum access
          rights that can be granted by entries of type
          ACL_USER, ACL_GROUP_OBJ, or ACL_GROUP.

Recalculation by me in this case, yields: mask:r--

(perhaps, as suggested by Sam, I should retire ... it is all getting beyond
 simple is it not?)

### switch from user Henri to user Test
### (can another user with the same gid modify the file?)

%% pwd
/home/Test
%% cd ../Henri
%% id
uid=1006(Test) gid=513(None) groups=513(None),545(Users),11(Authenticated Users)
%% ls -l foo.txt
-rw-rw-r-- 1 Henri None 0 Dec 20 17:59 foo.txt
%% echo Corinna > foo.txt
bash: foo.txt: Permission denied <==== OK, but the permissions as shown, are
                                       misleading, are they not?
%%

=====

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
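The recalculation rule quoted above from setfacl(1) (mask = union of the owning-group entry and all named user/group entries) and the effective-rights rule from acl(5) can be checked mechanically. The following is an added example, not code from the post or from Cygwin's setfacl: it parses getfacl-style text, recomputes the mask, reports what each entry effectively grants, and shows the nine-character mode that ls -l would display. The two ACL listings embedded in it are constructed sample input modelled on the transcript in the post; nothing here claims to reproduce Cygwin's actual behaviour.

```python
"""Recalculate a POSIX ACL mask entry as setfacl(1) describes it (added example)."""
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str, int]  # (tag, qualifier, permission bits)
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed sample input, modelled on the getfacl output in the post.
ACL_WITH_REPLICATOR = """\
# file: foo.txt
# owner: Henri
# group: None
user::rw-
group::r--
group:Replicator:rw-
mask:rw-
other:r--
"""

# Same file after 'setfacl -x g:Replicator:' with the mask left untouched.
ACL_STALE_MASK = """\
# file: foo.txt
# owner: Henri
# group: None
user::rw-
group::r--
mask:rw- <==== mask is now optional according to acl(5), but ...
other:r--
"""


def perm_to_bits(perm: str) -> int:
    """'rw-' -> 6; anything that is not an rwx triple is rejected."""
    if len(perm) != 3:
        raise ValueError(f"bad permission string: {perm!r}")
    bits = 0
    for ch, expected in zip(perm, "rwx"):
        if ch == expected:
            bits |= PERM_BITS[ch]
        elif ch != "-":
            raise ValueError(f"bad permission string: {perm!r}")
    return bits


def bits_to_perm(bits: int) -> str:
    """Inverse of perm_to_bits: 6 -> 'rw-'."""
    return "".join(ch if bits & b else "-" for ch, b in PERM_BITS.items())


def parse_getfacl(text: str) -> List[Entry]:
    """Parse getfacl-style lines; '#' headers and trailing annotations are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) == 2:        # 'mask:rw-' or 'other:r--'
            tag, qual, perm = parts[0], "", parts[1]
        elif len(parts) == 3:      # 'user::rw-' or 'group:Replicator:rw-'
            tag, qual, perm = parts
        else:
            raise ValueError(f"unrecognised ACL entry: {raw!r}")
        entries.append((tag, qual, perm_to_bits(perm.split()[0])))
    return entries


def affected_by_mask(entry: Entry) -> bool:
    """acl(5): the mask caps ACL_GROUP_OBJ, ACL_USER and ACL_GROUP entries only."""
    tag, qual, _ = entry
    return (tag == "group" and qual == "") or (tag in ("user", "group") and qual != "")


def recalc_mask(entries: List[Entry]) -> int:
    """setfacl(1) default: mask = union of every entry the mask applies to."""
    bits = 0
    for entry in entries:
        if affected_by_mask(entry):
            bits |= entry[2]
    return bits


def recalculate(entries: List[Entry]) -> List[Entry]:
    """Copy of the ACL with the mask recomputed; a missing but required mask is inserted."""
    new_mask: Entry = ("mask", "", recalc_mask(entries))
    has_named = any(q for t, q, _ in entries if t in ("user", "group"))
    out: List[Entry] = []
    for entry in entries:
        if entry[0] == "mask":
            out.append(new_mask)
        elif entry[0] == "other" and has_named and new_mask not in out:
            out.extend([new_mask, entry])
        else:
            out.append(entry)
    return out


def effective_rights(entries: List[Entry]) -> Dict[str, str]:
    """Rights each entry really grants: masked entries are AND-ed with the mask."""
    mask: Optional[int] = next((b for t, _, b in entries if t == "mask"), None)
    result = {}
    for tag, qual, bits in entries:
        capped = mask is not None and affected_by_mask((tag, qual, bits))
        result[f"{tag}:{qual}"] = bits_to_perm(bits & mask if capped else bits)
    return result


def ls_mode(entries: List[Entry]) -> str:
    """Mode string as ls -l shows it: the group field displays the mask when present."""
    owner = next(b for t, q, b in entries if t == "user" and q == "")
    group = next(b for t, q, b in entries if t == "group" and q == "")
    other = next(b for t, _, b in entries if t == "other")
    mask = next((b for t, _, b in entries if t == "mask"), None)
    return bits_to_perm(owner) + bits_to_perm(group if mask is None else mask) + bits_to_perm(other)


def format_getfacl(entries: List[Entry]) -> str:
    """Render entries back in getfacl's 'tag:qualifier:perm' / 'tag:perm' form."""
    return "\n".join(f"{t}:{q}:{bits_to_perm(b)}" if t in ("user", "group")
                     else f"{t}:{bits_to_perm(b)}" for t, q, b in entries)


if __name__ == "__main__":
    stale = parse_getfacl(ACL_STALE_MASK)
    print("ls shows:", ls_mode(stale), "effective:", effective_rights(stale))
    print(format_getfacl(recalculate(stale)))
```

Running it on the stale listing reports the mode as rw-rw-r-- while the owning group effectively has only r--, which is the discrepancy the post points out; after recalculation the mask drops to r-- and the displayed mode becomes rw-r--r--.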

