Date: Sat, 18 Jun 2005 03:02:52 -0400
From: "Mark G." <mark-fbsd-quest-01@giovannetti.ca>
To: freebsd-questions@freebsd.org
Cc: Nathanael Jean-Francois <saybsd@yahoo.com>
Subject: Re: default acl's permissions problem [continuation?]
Message-ID: <42B3C71C.4050203@giovannetti.ca>
In-Reply-To: <20050605091401.2796.qmail@web31005.mail.mud.yahoo.com>
References: <20050605091401.2796.qmail@web31005.mail.mud.yahoo.com>
Nathanael Jean-Francois wrote:
> Hi all,
> I've run into the little snag with default acl
> permissions, the issue was brought up in this thread
> http://marc.theaimsgroup.com/?l=freebsd-questions&m=111118504532207&w=2
> but there was no reply to it and my digging so far
> hasn't turned up anything substantial. If anyone knows
> of a solution for this please let me know. Thanks
>
> -Nathanael
>

Hello,

I don't understand the acl and mask support for defaults. But I have
found a way to make them work as I *think* they should. Here is an
example similar to the one in the link you provided.

# mount
/dev/ad2s1h on /home (ufs, local, soft-updates, acls)
# cd /home
# mkdir cvsroot
# chown cvs:cvs cvsroot
# chmod 2770 cvsroot
# ls -la
drwxrws---  2 cvs  cvs  512 Jun 17 23:46 cvsroot/
# umask 22
# touch cvsroot/te
# ls -la cvsroot/te
-rw-r--r--  1 root  cvs  0 Jun 17 23:48 cvsroot/te
# umask 0007    <----- this turns out to be the solution.
# touch cvsroot/tes
# ls -la cvsroot/tes
-rw-rw----  1 root  cvs  0 Jun 18 02:00 cvsroot/tes

Now for the acls part.

# setfacl -d -m u::rwx,m::rwx,g::rwx,o::--- cvsroot/
# getfacl -d cvsroot/
#file:cvsroot/
#owner:1012
#group:1012
user::rwx
group::rwx
mask::rwx
other::---

Ok, so far so good.

# touch cvsroot/test
# getfacl cvsroot/test
#file:cvsroot/test
#owner:0
#group:1012
user::rw-
group::rwx              # effective: rw-
mask::rw-
other::---

Hmmm. Ok, so it didn't make it executable. A good thing.

Add some groups to the default acl on cvsroot/

# setfacl -d -m g:cvsuser:r-x,g:cvsadmin:rwx cvsroot/
# getfacl -d cvsroot/
#file:cvsroot/
#owner:1012
#group:1012
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---

Now the acl entries on cvsroot/ itself:

# setfacl -m g:cvsuser:r-x,g:cvsadmin:rwx cvsroot/
# getfacl cvsroot/
#file:cvsroot/
#owner:1012
#group:1012
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---

What I Want

1. All new files created to be read for cvsuser.
2. New directories to be read/exec for cvsuser.
3. All files created to be read/write for cvsadmin.
4. New directories to be read/write/exec for cvsadmin.
5. The defaults will propagate down the tree so that sub-sub
   directories inherit the same permissions.
6. The user and group cvs have full control.
7. Any other users have no permissions.

What I Get

# mkdir cvsroot/dir1
# touch cvsroot/file1
# ls -lad cvsroot/*
drwxrwx---+  2 root  cvs  512 Jun 18 02:19 cvsroot/dir1/
-rw-rw----+  1 root  cvs    0 Jun 18 02:19 cvsroot/file1

Looks OK from that angle. Items 6 and 7 are satisfied.

# getfacl cvsroot/*
#file:cvsroot/dir1
#owner:0
#group:1012
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---

Good. Items 2 and 4 are satisfied.

#file:cvsroot/file1
#owner:0
#group:1012
user::rw-
group::rwx              # effective: rw-
group:cvsuser:r-x       # effective: r--
group:cvsadmin:rwx      # effective: rw-
mask::rw-
other::---

Better. Items 1 and 3 are satisfied.

Finally:

# getfacl -d cvsroot/dir1
#file:cvsroot/dir1
#owner:0
#group:1012
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---
# touch cvsroot/dir1/file2
# mkdir cvsroot/dir1/dir2
# ls -lad cvsroot/dir1/*
drwxrwx---+  2 root  cvs  512 Jun 18 02:26 cvsroot/dir1/dir2/
-rw-rw----+  1 root  cvs    0 Jun 18 02:26 cvsroot/dir1/file2
# getfacl -d cvsroot/dir1/dir2/
#file:cvsroot/dir1/dir2/
#owner:0
#group:1012
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---
# getfacl cvsroot/dir1/dir2/
#file:cvsroot/dir1/dir2/
#owner:0
#group:1012
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---
# getfacl cvsroot/dir1/file2
#file:cvsroot/dir1/file2
#owner:0
#group:1012
user::rw-
group::rwx              # effective: rw-
group:cvsuser:r-x       # effective: r--
group:cvsadmin:rwx      # effective: rw-
mask::rw-
other::---

Excellent. Item 5 is satisfied. Those are all my requirements.

This entire discovery process, although nice and tidy above, was filled
with a certain amount of grief. It was only when I reset the umask to
0007 that things started to work as expected. Now this bothers me for
two reasons. I don't want my umask to have to be 0007. What if I'm in a
working directory that doesn't require propagating acls? Then I'm stuck
setting my umask back to something sensible like 0027 before creating
files without extended acl entries. I have a difficult time remembering
little details like that. Not only that, but I'll have to remember to
set it back to 0007 (or maybe 0000, horrors) if I want to use
propagating acls and have them behave as I expect as shown above.

I can easily set a process' umask through cron et al, but how do I set
it for cvs users using the protocol :ext:server:/home/cvsroot with ssh?

Can anyone explain this further?

Thanks.

Mark

P.S. Below is the behaviour that perplexed me earlier. It is not what I
expect and does not meet my requirements 1-7 above. I consider the
application of the, shall we say, old umask context to the new acl
context to be a design error of sorts. User mv and group cvsadmin are
supposed to have write access to new files and directories.

# umask 22
# mkdir dir1
# ls -la dir1
total 4
drwxr-xr-x   2 root  wheel  512 Jun 18 02:43 ./
drwxr-xr-x  14 root  wheel  512 Jun 18 02:43 ../
# setfacl -d -m u::rwx,m::rwx,g::r-x,o::--- dir1
# setfacl -m u::rwx,m::rwx,g::r-x,o::--- dir1
# getfacl dir1
#file:dir1
#owner:0
#group:0
user::rwx
group::r-x
mask::rwx
other::---
# getfacl -d dir1
#file:dir1
#owner:0
#group:0
user::rwx
group::r-x
mask::rwx
other::---
# setfacl -d -m u:mv:-w-,g:cvsadmin:rwx dir1
# setfacl -m u:mv:-w-,g:cvsadmin:rwx dir1
# getfacl dir1
#file:dir1
#owner:0
#group:0
user::rwx
user:mv:-w-
group::r-x
group:cvsadmin:rwx
mask::rwx
other::---
# getfacl -d dir1
#file:dir1
#owner:0
#group:0
user::rwx
user:mv:-w-
group::r-x
group:cvsadmin:rwx
mask::rwx
other::---
# touch dir1/file1
# mkdir dir1/dir2
# getfacl dir1/*
#file:dir1/dir2
#owner:0
#group:0
user::rwx
user:mv:-w-             # effective: ---
group::r-x
group:cvsadmin:rwx      # effective: r-x
mask::r-x
other::---
#file:dir1/file1
#owner:0
#group:0
user::rw-
user:mv:-w-             # effective: ---
group::r-x              # effective: r--
group:cvsadmin:rwx      # effective: r--
mask::r--
other::---

Finally, for clarity, the following does meet the requirements:

# umask 0007
# touch dir1/file2
# mkdir dir1/dir3
# getfacl dir1/*
#file:dir1/dir3
#owner:0
#group:0
user::rwx
user:mv:-w-
group::r-x
group:cvsadmin:rwx
mask::rwx
other::---
#file:dir1/file2
#owner:0
#group:0
user::rw-
user:mv:-w-
group::r-x              # effective: r--
group:cvsadmin:rwx      # effective: rw-
mask::rw-
other::---
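The listings in Mark's message all fit one rule: the umask is applied to the create mode first, and that mode is then ANDed into the user::, mask:: and other:: entries copied from the directory's default ACL, while group:: and named entries keep their default bits and are only clipped by the mask. The following model is an added example, not code from the message, and assumes that rule; the default ACL it carries is the one from the P.S.

```python
# Added example, not part of Mark's message: a model of the default-ACL
# inheritance his getfacl output shows, usable without an acls-mounted UFS.
# Assumed rule (consistent with every listing above): umask is applied to the
# create mode first; that mode is then ANDed into the inherited user::, mask::
# and other:: entries; group:: and named entries are only clipped by the mask.

def perm_to_bits(perm):
    """'rw-' -> 6"""
    return sum(v for c, v in zip(perm, (4, 2, 1)) if c != "-")

def bits_to_perm(bits):
    """6 -> 'rw-'"""
    return "".join(c if bits & v else "-" for c, v in zip("rwx", (4, 2, 1)))

def inherit(default_acl, create_mode, umask):
    """Return the getfacl-style ACL lines a new object receives.

    default_acl: entries as getfacl -d prints them, e.g. 'group:cvsadmin:rwx'
    create_mode: what the creating call asked for (0o666 touch, 0o777 mkdir)
    """
    mode = create_mode & ~umask & 0o777
    clamp = {"user:": mode >> 6 & 7, "mask:": mode >> 3 & 7, "other:": mode & 7}
    entries = []
    for entry in default_acl:
        tag, qualifier, perm = entry.split(":")
        key = tag + ":" + qualifier        # 'user:' for user::, 'user:mv' for user:mv:
        bits = perm_to_bits(perm)
        if key in clamp:
            bits &= clamp[key]
        entries.append((key, bits))
    mask = dict(entries)["mask:"]
    lines = []
    for key, bits in entries:
        line = key + ":" + bits_to_perm(bits)
        # the mask limits group:: and every named entry; getfacl flags the loss
        if key not in clamp and bits & mask != bits:
            line += " # effective: " + bits_to_perm(bits & mask)
        lines.append(line)
    return lines

# Default ACL of dir1 from the P.S.; with umask 022 this reproduces its file1 listing
DIR1_DEFAULT = ["user::rwx", "user:mv:-w-", "group::r-x",
                "group:cvsadmin:rwx", "mask::rwx", "other::---"]

if __name__ == "__main__":
    for line in inherit(DIR1_DEFAULT, 0o666, 0o022):
        print(line)
```

Linux ignores the umask when a default ACL is present, which the model reproduces by passing umask=0.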