From: Robert Watson <robert@fledge.watson.org>
Date: Sat, 9 Aug 2003 15:38:16 -0400 (EDT)
To: Branko F. Gračnar
cc: freebsd-current@freebsd.org
In-Reply-To: <008801c35ea3$ea062fa0$fac8a8c0@MORDOR>
Subject: Re: 5.1-R acl problem (again)

On Sat, 9 Aug 2003, Branko F. Gračnar wrote:

> Now I create directory /export/a. I want it to be owned by root:wheel,
> others will not have any access at all and I want user branko to have
> rw access to it.
>
> # mkdir a
>
> # getfacl a
> #file:a
> #owner:0
> #group:0
> user::rwx
> group::r-x
> other::r-x
>
> # setfacl -m u::rwx,g::rx,o::---,u:branko:rwx a
>
> # getfacl a
> #file:a
> #owner:0
> #group:0
> user::rwx
> user:branko:rwx
> group::r-x
> mask::rwx
> other::---
>
> (testing as branko - works okay)
>
> Now, if root creates some files (or dirs) in 'a', the owner of that file
> will be root and only the standard unix triple acl will be assigned, so
> that user branko will not be able to access that file read/write.
>
> Well, it seems that the default directory acl needs to be set to achieve
> the above goal.
>
> # setfacl -b a

This strips your extended access ACL from a, so it now just has owner,
group, and other fields; however, there appears to be an inconsistency in
the POSIX.2c spec regarding using -b without -n -- to make all the entries
disappear and not recalculate a mask, you need "-bn". We might want to
change this behavior.

> # setfacl -dm u::rwx,g::rwx,o::--,u:branko:rwx a

A default ACL should now be set, and will be visible if you use
"getfacl -d a".

> # getfacl a
> #file:a
> #owner:0
> #group:0
> user::rwx
> group::r-x
> mask::r-x
> other::---
>
> WHOOPS, where is user branko?! Why were the group's acls not altered
> from 'r-x' to 'rwx'?!

Do you mean to use "getfacl -d" here? This looks like the correct access
ACL. Try touch a/b, then getfacl a/b, and you'll see the ACL derived from
the default ACL.

> Of course, trying to access directory 'a' as branko doesn't succeed.

The commands you used denied access to user branko. In POSIX.1e, there
are two kinds of ACLs: access, and default. Access ACLs are used for
access control, and default ACLs are used to determine the default and
access ACLs of new objects created in a directory. So if you create a/b,
b will have the access ACL derived from the default ACL on a. Note that
in 5.1-CURRENT, we've changed the semantics for merging the umask,
creation mode, and default ACL, and will probably tweak them a bit more,
but you should be able to see fairly reasonable default ACL behavior in
5.1 -- certainly visible behavior.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
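The access-versus-default distinction in the reply above, as an added example that is not part of the thread or of FreeBSD's code: a small Python model of POSIX.1e mask recalculation and default-ACL inheritance, run over the ACLs from the exchange. It assumes the POSIX.1e draft rule (the umask is ignored when a default ACL exists; the user::, mask:: and other:: entries are intersected with the creation-mode bits), which the reply notes 5.1-CURRENT was still adjusting, so a real getfacl a/b may differ in detail.

```python
ORDER = "rwx"

# Constructed from the thread: Branko's first access ACL and his default ACL.
ACCESS_ACL = "user::rwx,group::r-x,other::---,user:branko:rwx"
DEFAULT_ACL = "user::rwx,group::rwx,other::---,user:branko:rwx"

def parse_acl(text):
    """Short-form ACL text ('user:branko:rwx,...') -> list of (tag, qualifier, perms)."""
    entries = []
    for ent in text.split(","):
        tag, qual, perms = ent.strip().split(":")
        entries.append((tag, qual, frozenset(perms) - {"-"}))
    return entries

def perms_to_str(perms):
    return "".join(c if c in perms else "-" for c in ORDER)

def recalc_mask(entries):
    """Mask recalculation (what setfacl does without -n): union of group::,
    named user and named group permissions."""
    m = frozenset()
    for tag, qual, perms in entries:
        if tag == "group" or (tag == "user" and qual):
            m |= perms
    return m

def mode_bits(mode, shift):
    """Extract one rwx triple (owner=6, group=3, other=0) from a numeric mode."""
    bits = (mode >> shift) & 7
    return frozenset(c for c, b in zip(ORDER, (4, 2, 1)) if bits & b)

def inherit_access_acl(default_acl_text, creation_mode):
    """Access ACL of a new object under a directory carrying a default ACL.
    Named entries and group:: are copied; user::, mask:: and other:: are
    ANDed with the creation mode (umask does not apply)."""
    entries = parse_acl(default_acl_text)
    if not any(t == "mask" for t, _, _ in entries):
        entries.append(("mask", "", recalc_mask(entries)))
    out = []
    for tag, qual, perms in entries:
        if tag == "user" and not qual:
            perms &= mode_bits(creation_mode, 6)
        elif tag == "mask":
            perms &= mode_bits(creation_mode, 3)
        elif tag == "other":
            perms &= mode_bits(creation_mode, 0)
        out.append((tag, qual, perms))
    return out

def effective_perms(entries, user):
    """What a named user actually gets: its entry ANDed with the mask."""
    mask = next((p for t, q, p in entries if t == "mask"), frozenset(ORDER))
    return next((p & mask for t, q, p in entries if t == "user" and q == user), None)
```

Deriving a/b with touch (creation mode 0666) yields user::rw-, user:branko:rwx, group::rwx, mask::rw-, other::---, so branko effectively gets rw- on the file even though the directory's own access ACL, shown in the thread, never listed him.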