[Acl-Devel] mask ACL

Andreas Gruenbacher agruen at suse.de
Wed Apr 2 10:16:08 EST 2003


Hello Eric,

I am taking Buck and the rsync mailing list into the CC. Buck is the author of 
the rsync patch; he may know more on that problem.

On Wednesday 02 April 2003 00:16, Eric Chen wrote:
> From my understanding, the effective rights mask 'limits the effective
> rights granted to all groups and to named users', so if you getfacl on a
> file, the group permissions will be overwritten by the effective rights
> mask permission.

You quote from the getfacl(1) man page, but you misread it. Getfacl does not 
change any permissions. The group permissions are not overwritten.

Please see the acl(5) manual page, particularly section "CORRESPONDENCE 
BETWEEN ACL ENTRIES AND FILE PERMISSION BITS" on the relation between (a) 
what stat(2) reports and `ls -l' displays, and (b) the ACL entries. Also 
check section "ACCESS CHECK ALGORITHM" on the resulting permissions. There is 
also some more extensive coverage under "New ACL chapter in the SuSE manuals" 
and "http://www.suse.de/~agruen/acl/overview/" at 
<http://www.suse.de/~agruen/acl/>.


> # file: winfile
> # owner: 504
> # group: 500
> user::rwx
> group::rw-		#effective:---
> mask::---
> other::rw-
>
> Is there any way that I can not have the effective rights mask overwrite the
> group permissions?

What Linux implements follows the IEEE 1003.1e specification draft 17. Under 
this interpretation, the above ACL will show with `rwx---rw-' in directory 
listings. What does getfacl show for the original file? I assume it's this 
(header omitted):

	user::rwx
	group::rw-
	other::rw-

If that is indeed the case, then the rsync patch adds a mask entry that is 
wrong.

There are UNIX systems that implement slightly different versions of POSIX 
ACLs, particularly Solaris. Solaris handles ACLs with four entries 
differently. In four-entry ACLs Solaris always has identical permissions in 
the owning group and mask entries. The four-entry ACL you show could map to 
one of the following. All but the first case would hide the problem.

	user::rwx
	group::---
	mask::---
	other::rw-

	user::rwx
	group::rw-
	mask::rw-
	other::rw-

	user::rwx
	group::rw-
	mask::rwx
	other::rw-

ACLs with more than three entries are referred to as extended ACLs. All 
extended ACLs have a mask entry. The mask entry masks the permissions of 
named user entries, named group entries, and the owning group entry. There 
are no exceptions to that.

> I am using rsync with the ACL patch, and when I backup a directory, the
> group permissions are not backed up because the original files do not have
> a mask in the ACL. The resulting files on the backup end up with the ACL
> that is shown above in winfile. Is there anything I can do on the ACL side
> of this problem, or do I have to modify rsync to handle this?

So getfacl only reports three ACL entries for the original files? If this is 
the case then the rsync ACL patch is wrong in adding a fourth entry, and 
needs to be fixed. Note that if I correctly understood Buck this patch is 
more like a band-aid and was never intended to get integrated into rsync.


Cheers,
Andreas.
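
The mask behaviour discussed in this message, as an added example that is not part of the original mail or of the rsync patch: it computes the permission bits a directory listing shows and the effective rights for the winfile ACL, and reports which rights a copy lost compared with the three-entry ACL the reply assumes for the original file. The function names are hypothetical and the ACL text is taken from the message with the header shortened.

```python
# Added example; ACL text is copied from the message, function names are hypothetical.
WINFILE = """# file: winfile
user::rwx
group::rw-\t\t#effective:---
mask::---
other::rw-"""
ORIGINAL = "user::rwx\ngroup::rw-\nother::rw-"  # three-entry ACL the reply assumes

def parse_acl(text):
    """Parse getfacl short text form into {(tag, qualifier): perms}."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop header and #effective comments
        if line:
            tag, qualifier, perms = line.split(":")
            acl[(tag, qualifier)] = perms
    return acl

def fmt(perm_set):
    return "".join(c if c in perm_set else "-" for c in "rwx")

def mode_string(acl):
    """Permission bits as stat(2) and ls -l show them: the group class bits
    come from the mask entry if there is one, else from the owning group."""
    group_class = acl.get(("mask", ""), acl[("group", "")])
    return acl[("user", "")] + group_class + acl[("other", "")]

def effective(acl):
    """Rights actually granted: the mask limits named users, named groups and
    the owning group; the owner and other entries are never masked."""
    mask = acl.get(("mask", ""))
    out = {}
    for (tag, qualifier), perms in acl.items():
        if tag == "mask":
            continue
        masked = tag == "group" or (tag == "user" and qualifier != "")
        if mask is not None and masked:
            perms = fmt(set(perms) & set(mask))
        out[(tag, qualifier)] = perms
    return out

def lost_rights(src, dst):
    """Entries of src whose effective rights are not all present in dst."""
    s, d = effective(parse_acl(src)), effective(parse_acl(dst))
    return {k: (v, d.get(k, "---")) for k, v in s.items()
            if (set(v) - {"-"}) - set(d.get(k, "---"))}

if __name__ == "__main__":
    print(mode_string(parse_acl(WINFILE)), lost_rights(ORIGINAL, WINFILE))
```

Running lost_rights() over source and destination ACLs after a backup shows whether a mask entry added on the destination removed rights from the owning group or from named entries.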


