Date: Sat, 9 Aug 2003 19:41:52 +0200
From: Branko F. Gračnar <bfg@noviforum.si>
To: <freebsd-current@freebsd.org>
Subject: 5.1-R acl problem (again)
Message-ID: <008801c35ea3$ea062fa0$fac8a8c0@MORDOR>
[-- Attachment #1 --]

Hi

Today I added a new disk partition to my 5.1-release box. I want to use ACLs, which are enabled in the kernel; they work partially. They work on a single directory or file, but they don't even apply to a file/directory when I try to set a so-called default ACL entry.

I attached my kernel config file. Additionally, I've got the OpenBSD pf module (firewall) loaded.

Any help would be very appreciated.

Brane

Command sequence was:

# newfs -O 2 -L export -U -m 0 -o space /dev/ad0s2d
... lots of numbers ...
# tunefs -a enable /dev/ad0s2d
tunefs: ACLs set
# mount /dev/ad0s2d /export
# mount | grep /export
/dev/ad0s2d on /export (ufs, local, soft-updates, acls)

Now I create directory /export/a. I want it to be owned by root:wheel, others will not have any access at all, and I want user branko to have rw access to it.

# mkdir a
# getfacl a
#file:a
#owner:0
#group:0
user::rwx
group::r-x
other::r-x
# setfacl -m u::rwx,g::rx,o::---,u:branko:rwx a
# getfacl a
#file:a
#owner:0
#group:0
user::rwx
user:branko:rwx
group::r-x
mask::rwx
other::---

(testing as branko - works okay)

Now, if root creates some files (or dirs) in 'a', the owner of that file will be root and only the standard unix triple ACL will be assigned, so user branko will not be able to access that file read/write. Well, it seems that the default directory ACL needs to be set to achieve the above goal.

# setfacl -b a
# setfacl -dm u::rwx,g::rwx,o::--,u:branko:rwx a
# getfacl a
#file:a
#owner:0
#group:0
user::rwx
group::r-x
mask::r-x
other::---

WHOOPS, where is user branko?! Why was the group's ACL not altered from 'r-x' to 'rwx'?! Of course, trying to access directory 'a' as branko doesn't succeed.
[-- Attachment #2 --]

machine         i386
cpu             I686_CPU
ident           FROST

options         SCHED_4BSD              #4BSD scheduler
options         INET                    #InterNETworking
options         INET6                   #IPv6 communications protocols
options         FFS                     #Berkeley Fast Filesystem
options         SOFTUPDATES             #Enable FFS soft updates support
options         UFS_ACL                 #Support for access control lists
options         UFS_DIRHASH             #Improve performance on big directories
options         NFSCLIENT               #Network Filesystem Client
options         NFSSERVER               #Network Filesystem Server
options         NULLFS
options         PROCFS                  #Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                #Pseudo-filesystem framework
options         COMPAT_43               #Compatible with BSD 4.3 [KEEP THIS!]
options         COMPAT_FREEBSD4         #Compatible with FreeBSD4
options         KTRACE                  #ktrace(1) support
options         SYSVSHM                 #SYSV-style shared memory
options         SYSVMSG                 #SYSV-style message queues
options         SYSVSEM                 #SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING     #Posix P1003_1B real-time extensions

device          isa
device          pci

# Floppy drives
device          fdc

# ATA and ATAPI devices
device          ata
device          atadisk         # ATA disk drives
device          atapicd         # ATAPI CDROM drives
options         ATA_STATIC_ID   #Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc          # AT keyboard controller
device          atkbd           # AT keyboard
device          psm             # PS/2 mouse

device          vga             # VGA video card driver

device          splash          # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc

# Floating point support - do not disable.
device          npx

# Power management support (see NOTES for more options)
device          apm
device          acpi
# Add suspend/resume support for the i8254.
device          pmtimer

# Serial (COM) ports
device          sio             # 8250, 16[45]50 based serial ports

# Parallel port
device          ppc
device          ppbus           # Parallel port bus (required)
device          lpt             # Printer
device          ppi             # Parallel port interface device

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus          # MII bus support
device          dc              # DEC/Intel 21143 and various workalikes
device          ed              # NE[12]000, SMC Ultra, 3c503, DS8390 cards
device          rl              # RealTek

# Pseudo devices - the number indicates how many units to allocate.
device          random          # Entropy device
device          loop            # Network loopback
device          ether           # Ethernet support
device          ppp             # Kernel PPP
device          pty             # Pseudo-ttys (telnet etc)
device          md              # Memory "disks"
device          gif             # IPv6 and IPv4 tunneling
device          faith           # IPv6-to-IPv4 relaying (translation)
device          tun

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
device          bpf             # Berkeley packet filter

# USB support
device          uhci            # UHCI PCI->USB interface
device          ohci            # OHCI PCI->USB interface
device          usb             # USB Bus (required)
device          ugen            # Generic
device          ulpt            # Printer

# ipsec
options         IPSEC
options         IPSEC_ESP
options         IPSEC_DEBUG

# pppoe
options         NETGRAPH
options         NETGRAPH_ETHER
options         NETGRAPH_PPPOE
options         NETGRAPH_SOCKET

# ppp
options         PPP_BSDCOMP
options         PPP_DEFLATE
options         PPP_FILTER

# linux
options         COMPAT_LINUX

# PF
options         PFIL_HOOKS
options         RANDOM_IP_ID
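As an added example (not code from the mail or from FreeBSD), the following parses getfacl(1) output of the form shown in the message and applies the POSIX.1e mask rule, which is the check to run before trusting an ACL: a named-user entry grants only what the mask permits, and a missing entry grants nothing. The FIRST and SECOND samples are transcribed from the mail; MASKED is constructed to show an entry that is present but clipped by an r-x mask.

```python
# Added example, not from the mail: parse getfacl(1) output and apply the
# POSIX.1e mask so an ACL can be checked for what it actually grants.
# FIRST and SECOND are transcribed from the mail; MASKED is constructed.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

FIRST = """#file:a
user::rwx
user:branko:rwx
group::r-x
mask::rwx
other::---"""
SECOND = """user::rwx
group::r-x
mask::r-x
other::---"""
MASKED = """user::rwx
user:branko:rwx
group::r-x
mask::r-x
other::---"""


def parse_getfacl(text):
    """Return [(tag, qualifier, perm_bits)], skipping '#' comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag, qual, perms = line.split(":")
        entries.append((tag, qual, sum(PERM_BITS.get(c, 0) for c in perms)))
    return entries


def effective_perms(entries):
    """Owner, other and mask apply as written; every other entry is ANDed with the mask."""
    mask = next((p for t, _, p in entries if t == "mask"), 7)
    eff = {}
    for tag, qual, perms in entries:
        unmasked = tag == "mask" or (tag in ("user", "other") and qual == "")
        eff[f"{tag}:{qual}"] = perms if unmasked else perms & mask
    return eff


def user_can_rw(text, user):
    """True only if a named-user entry exists for `user` and r+w survive the mask."""
    perms = effective_perms(parse_getfacl(text)).get(f"user:{user}")
    return perms is not None and perms & 6 == 6
```

Run against the mail's second listing, `user_can_rw(SECOND, "branko")` is False because the entry is absent, which matches the access failure the poster observed.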
