From owner-freebsd-current@FreeBSD.ORG Sat Aug 9 11:28:12 2003
From: Branko F. Gračnar <bfg@noviforum.si>
To: freebsd-current@freebsd.org
Date: Sat, 9 Aug 2003 19:41:52 +0200
Subject: 5.1-R acl problem (again)
List-Id: Discussions about the use of FreeBSD-current

Hi

Today I added a new disk partition to my 5.1-release box. I want to use ACLs, which are enabled in the kernel; they work partially. They work on a single directory or file, but they don't even apply to the file/directory when I try to set the so-called default ACL entry.

I attached my kernel config file. Additionally, I've got the OpenBSD pf module (firewall) loaded.

Any help would be very appreciated.

Brane

Command sequence was:

# newfs -O 2 -L export -U -m 0 -o space /dev/ad0s2d
... lots of numbers ...
# tunefs -a enable /dev/ad0s2d
tunefs: ACLs set
# mount /dev/ad0s2d /export
# mount | grep /export
/dev/ad0s2d on /export (ufs, local, soft-updates, acls)

Now I create directory /export/a. I want it to be owned by root:wheel, others will not have any access at all, and I want user branko to have rw access to it.

# mkdir a
# getfacl a
#file:a
#owner:0
#group:0
user::rwx
group::r-x
other::r-x
# setfacl -m u::rwx,g::rx,o::---,u:branko:rwx a
# getfacl a
#file:a
#owner:0
#group:0
user::rwx
user:branko:rwx
group::r-x
mask::rwx
other::---

(testing as branko - works okay)

Now, if root creates some files (or dirs) in 'a', the owner of that file will be root and only the standard Unix triple ACL will be assigned, so that user branko will not be able to access that file read/write.

Well, it seems that the default directory ACL needs to be set to achieve the above goal.

# setfacl -b a
# setfacl -dm u::rwx,g::rwx,o::--,u:branko:rwx a
# getfacl a
#file:a
#owner:0
#group:0
user::rwx
group::r-x
mask::r-x
other::---

WHOOPS, where is user branko?! Why were the group's ACLs not altered from 'r-x' to 'rwx'?! Of course, trying to access directory 'a' as branko doesn't succeed.

[Attachment: config.txt]

machine		i386
cpu		I686_CPU
ident		FROST

options 	SCHED_4BSD		#4BSD scheduler
options 	INET			#InterNETworking
options 	INET6			#IPv6 communications protocols
options 	FFS			#Berkeley Fast Filesystem
options 	SOFTUPDATES		#Enable FFS soft updates support
options 	UFS_ACL			#Support for access control lists
options 	UFS_DIRHASH		#Improve performance on big directories
options 	NFSCLIENT		#Network Filesystem Client
options 	NFSSERVER		#Network Filesystem Server
options 	NULLFS
options 	PROCFS			#Process filesystem (requires PSEUDOFS)
options 	PSEUDOFS		#Pseudo-filesystem framework
options 	COMPAT_43		#Compatible with BSD 4.3 [KEEP THIS!]
options 	COMPAT_FREEBSD4		#Compatible with FreeBSD4
options 	KTRACE			#ktrace(1) support
options 	SYSVSHM			#SYSV-style shared memory
options 	SYSVMSG			#SYSV-style message queues
options 	SYSVSEM			#SYSV-style semaphores
options 	_KPOSIX_PRIORITY_SCHEDULING	#Posix P1003_1B real-time extensions

device		isa
device		pci

# Floppy drives
device		fdc

# ATA and ATAPI devices
device		ata
device		atadisk		# ATA disk drives
device		atapicd		# ATAPI CDROM drives
options 	ATA_STATIC_ID	#Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device		atkbdc		# AT keyboard controller
device		atkbd		# AT keyboard
device		psm		# PS/2 mouse

device		vga		# VGA video card driver

device		splash		# Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device		sc

# Floating point support - do not disable.
device		npx

# Power management support (see NOTES for more options)
device		apm
device		acpi
# Add suspend/resume support for the i8254.
device		pmtimer

# Serial (COM) ports
device		sio		# 8250, 16[45]50 based serial ports

# Parallel port
device		ppc
device		ppbus		# Parallel port bus (required)
device		lpt		# Printer
device		ppi		# Parallel port interface device

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device		miibus		# MII bus support
device		dc		# DEC/Intel 21143 and various workalikes
device		ed		# NE[12]000, SMC Ultra, 3c503, DS8390 cards
device		rl		# RealTek

# Pseudo devices - the number indicates how many units to allocate.
device		random		# Entropy device
device		loop		# Network loopback
device		ether		# Ethernet support
device		ppp		# Kernel PPP
device		pty		# Pseudo-ttys (telnet etc)
device		md		# Memory "disks"
device		gif		# IPv6 and IPv4 tunneling
device		faith		# IPv6-to-IPv4 relaying (translation)
device		tun

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
device		bpf		# Berkeley packet filter

# USB support
device		uhci		# UHCI PCI->USB interface
device		ohci		# OHCI PCI->USB interface
device		usb		# USB Bus (required)
device		ugen		# Generic
device		ulpt		# Printer

# ipsec
options 	IPSEC
options 	IPSEC_ESP
options 	IPSEC_DEBUG

# pppoe
options 	NETGRAPH
options 	NETGRAPH_ETHER
options 	NETGRAPH_PPPOE
options 	NETGRAPH_SOCKET

# ppp
options 	PPP_BSDCOMP
options 	PPP_DEFLATE
options 	PPP_FILTER

# linux
options 	COMPAT_LINUX

# PF
options 	PFIL_HOOKS
options 	RANDOM_IP_ID
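The access ACL that `getfacl a` prints and a directory's default ACL are two separate lists: on FreeBSD the default ACL is shown with `getfacl -d`, and it is not consulted when the directory itself is accessed; it is copied onto new objects created inside the directory, with the mask entry (or the group entry when there is no mask) capped by the group bits of the creation mode. The following Python model of those two rules is an added illustration for this thread, not code from the poster or from FreeBSD. It parses getfacl-style entries, runs the POSIX.1e access check with the mask applied, and derives the access ACL a new file inherits from a default ACL. The sample ACL texts are constructed from the poster's output; the default ACL includes the mask entry that setfacl computes when a named user is present. Whether the umask is applied to the mode before inheritance depends on the kernel, so the model takes the final creation mode as its input.

```python
"""Model of two POSIX.1e ACL rules: the access check with the mask
applied, and default-ACL inheritance on file creation.  Added
illustration for this thread, not FreeBSD's implementation; the sample
ACL texts are constructed from the poster's getfacl output."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Access ACL of /export/a after the first setfacl -m (from the post).
ACCESS_ACL_TEXT = """\
#file:a
#owner:0
#group:0
user::rwx
user:branko:rwx
group::r-x
mask::rwx
other::---
"""

# Access ACL of /export/a after setfacl -b (from the post).
AFTER_SETFACL_B_TEXT = """\
user::rwx
group::r-x
mask::r-x
other::---
"""

# Constructed default ACL for the poster's setfacl -dm line, with the
# mask entry that setfacl computes when a named user entry is present.
DEFAULT_ACL_TEXT = """\
user::rwx
user:branko:rwx
group::rwx
mask::rwx
other::---
"""


def parse_perms(s):
    """'rwx', 'r-x', '---' -> integer 0..7."""
    return sum(PERM_BITS[c] for c in s if c != "-")


def perms_to_str(p):
    return "".join(c if p & b else "-" for c, b in PERM_BITS.items())


def parse_acl(text):
    """getfacl(1)-style text -> [(tag, qualifier, perms)]; '#' lines skipped."""
    acl = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag, qual, perms = line.split(":")
        acl.append((tag, qual, parse_perms(perms)))
    return acl


def acl_to_text(acl):
    return "\n".join(f"{t}:{q}:{perms_to_str(p)}" for t, q, p in acl)


def check_access(acl, user, groups, owner, owner_group, want):
    """POSIX.1e access algorithm for the bits in `want` (4=r, 2=w, 1=x).
    The mask caps every entry except user:: (the owner) and other::."""
    ents = {(t, q): p for t, q, p in acl}
    mask = ents.get(("mask", ""), 7)          # no mask entry: nothing is capped
    if user == owner:
        return (ents[("user", "")] & want) == want
    if ("user", user) in ents:
        return (ents[("user", user)] & mask & want) == want
    matched = False
    for tag, qual, perms in acl:              # group stage: any matching entry may grant
        if tag != "group":
            continue
        if (qual == "" and owner_group in groups) or (qual != "" and qual in groups):
            matched = True
            if (perms & mask & want) == want:
                return True
    if matched:
        return False                          # a group entry matched but did not grant
    return (ents[("other", "")] & want) == want


def inherit_default(default_acl, mode):
    """Access ACL a new object gets from its directory's default ACL: the
    entries are copied, then user::, mask:: (or group:: when no mask) and
    other:: are ANDed with the owner/group/other bits of the creation mode."""
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(t == "mask" for t, _, _ in default_acl)
    out = []
    for tag, qual, perms in default_acl:
        if tag == "user" and qual == "":
            perms &= owner_bits
        elif tag == "other":
            perms &= other_bits
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            perms &= group_bits
        out.append((tag, qual, perms))
    return out


def branko_on_new_file(mode):
    """root creates a file with `mode` inside 'a' after the default ACL is
    set; branko (not a member of wheel) then tries to read and write it."""
    new_acl = inherit_default(parse_acl(DEFAULT_ACL_TEXT), mode)
    who = ("branko", {"branko"}, "root", "wheel")
    return {
        "acl": acl_to_text(new_acl),
        "read": check_access(new_acl, *who, 4),
        "write": check_access(new_acl, *who, 2),
    }


if __name__ == "__main__":
    for mode in (0o666, 0o644):
        r = branko_on_new_file(mode)
        print(f"mode {mode:o}: read={r['read']} write={r['write']}\n{r['acl']}\n")
```

Run on the poster's post-`setfacl -b` access ACL, the model sends branko to the other:: entry, which is why the directory is no longer reachable once the named entry is gone from the access list. For a file created with mode 0644 the inherited mask comes out as r--, so the user:branko:rwx entry is capped to read only; with mode 0666 the mask is rw- and branko gets read and write through the default ACL.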