From: Heinrich Rebehn
Date: Tue, 18 Oct 2005 13:11:12 +0200
To: Victor Sudakov
Cc: freebsd-fs@freebsd.org, Robert Watson
Subject: Re: Problem with default ACLs and mask

Victor Sudakov wrote:
> Heinrich Rebehn wrote:
>
>>Why is the write bit of the mask reset when removing write perms for
>>group? Is this really intended?
>
>
> Yes, it is intended, whether it was a good idea or not.
>
> Quoting from setfacl(1)
>
> Traditional POSIX interfaces acting on file system object modes have modified
> semantics in the presence of POSIX.1e extended ACLs. When a mask
> entry is present on the access ACL of an object, the mask entry is substituted
> for the group bits; this occurs in programs such as stat(1) or
>> ls(1). When the mode is modified on an object that has a mask entry, the
>> changes applied to the group bits will actually be applied to the mask
>> entry. These semantics provide for greater application compatibility:
> applications modifying the mode instead of the ACL will see conservative
> behavior, limiting the effective rights granted by all of the additional
> user and group entries; this occurs in programs such as chmod(1).
>
>

Very sad :-(
It really seems to be impossible to implement something like a "Group Manager" enabling me to delegate privileges for a group of users to some non-root person.

Where is that code located so I could patch it myself?

--Heinrich
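
Added example, not part of the original message and not FreeBSD's code: a small Python model of the setfacl(1) semantics quoted above, showing how a chmod that drops group write lowers the mask and with it the effective rights of a named group entry. The `managers` group and the permission values are constructed for illustration.

```python
# Model of the POSIX.1e mode/ACL interaction described in setfacl(1).
# Constructed illustration; not the FreeBSD kernel implementation.
R, W, X = 4, 2, 1

def perm_str(bits):
    return "".join(c if bits & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))

class AccessACL:
    def __init__(self, user_obj, group_obj, other, named=None, mask=None):
        self.user_obj, self.group_obj, self.other = user_obj, group_obj, other
        self.named = dict(named or {})   # e.g. {"group:managers": R | W | X}
        self.mask = mask                 # None means no mask entry (plain mode bits)

    def mode(self):
        """Mode as stat(1)/ls(1) report it: the mask stands in for the group bits."""
        group_bits = self.group_obj if self.mask is None else self.mask
        return (self.user_obj << 6) | (group_bits << 3) | self.other

    def chmod(self, mode):
        """chmod(1): with a mask entry present, the group bits land on the mask."""
        self.user_obj, self.other = (mode >> 6) & 7, mode & 7
        if self.mask is None:
            self.group_obj = (mode >> 3) & 7
        else:
            self.mask = (mode >> 3) & 7

    def effective(self, tag):
        """Rights actually granted: group:: and named entries are ANDed with the mask."""
        if tag == "user::":
            return self.user_obj
        if tag == "other::":
            return self.other
        bits = self.group_obj if tag == "group::" else self.named[tag]
        return bits if self.mask is None else bits & self.mask

def demo():
    # Constructed sample: a directory delegated to a hypothetical "managers" group.
    acl = AccessACL(R | W | X, R | X, 0, named={"group:managers": R | W | X}, mask=R | W | X)
    before = (oct(acl.mode()), perm_str(acl.effective("group:managers")))
    acl.chmod(0o750)  # a user or tool "only" removes group write via the mode
    after = (oct(acl.mode()), perm_str(acl.effective("group:managers")))
    return before, after, perm_str(acl.group_obj)

if __name__ == "__main__":
    print(demo())
```

The named entry itself still reads rwx after the chmod; only the mask changed, so restoring the mask restores the delegated write access in this model.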