[Acl-Devel] mask ACL
Andreas Gruenbacher
agruen at suse.de
Wed Apr 2 10:16:08 EST 2003
Hello Eric,
I am taking Buck and the rsync mailing list into the CC. Buck is the author of
the rsync patch; he may know more on that problem.
On Wednesday 02 April 2003 00:16, Eric Chen wrote:
> From my understanding, the effective rights mask 'limits the effective
> rights granted to all groups and to named users', so if you getfacl on a
> file, the group permissions will be overwritten by the effective rights
> mask permission.
You quote from the getfacl(1) man page, but you misread it. Getfacl does not
change any permissions. The group permissions are not overwritten.
Please see the acl(5) manual page, particularly section "CORRESPONDENCE
BETWEEN ACL ENTRIES AND FILE PERMISSION BITS" on the relation between (a)
what stat(2) reports and `ls -l' displays, and (b) the ACL entries. Also
check section "ACCESS CHECK ALGORITHM" on the resulting permissions. There is
also some more extensive coverage under "New ACL chapter in the SuSE manuals"
and "http://www.suse.de/~agruen/acl/overview/" at
<http://www.suse.de/~agruen/acl/>.
> # file: winfile
> # owner: 504
> # group: 500
> user::rwx
> group::rw- #effective:---
> mask::---
> other::rw-
>
> Is there any way that I can not have the effective rights mask overwrite the
> group permissions?
What Linux implements follows the IEEE 1003.1e specification draft 17. Under
this interpretation, the above ACL will show with `rwx---rw-' in directory
listings. What does getfacl show for the original file? I assume it's this
(header omitted):
user::rwx
group::rw-
other::rw-
If that is indeed the case, then the rsync patch adds a mask entry that is
wrong.
There are UNIX systems that implement slightly different versions of POSIX
ACLs, particularly Solaris. Solaris handles ACLs with four entries
differently. In four-entry ACLs Solaris always has identical permissions in
the owning group and mask entries. The four-entry ACL you show could map to
one of the following. All but the first case would hide the problem.
user::rwx
group::---
mask::---
other::rw-

user::rwx
group::rw-
mask::rw-
other::rw-

user::rwx
group::rw-
mask::rwx
other::rw-
ACLs with more than three entries are referred to as extended ACLs. All
extended ACLs have a mask entry. The mask entry masks the permissions of
named user entries, named group entries, and the owning group entry. There
are no exceptions to that.
> I am using rsync with the ACL patch, and when I backup a directory, the
> group permissions are not backed up because the original files do not have
> a mask in the ACL. The resulting files on the backup end up with the ACL
> that is shown above in winfile. Is there anything I can do on the ACL side
> of this problem, or do I have to modify rsync to handle this?
So getfacl only reports three ACL entries for the original files? If this is
the case then the rsync ACL patch is wrong in adding a fourth entry, and
needs to be fixed. Note that if I correctly understood Buck, this patch is
more like a band-aid and was never intended to get integrated into rsync.
Cheers,
Andreas.
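
Added example (not part of the original message or of the rsync patch): a Python sketch of the two rules the message points to in acl(5), namely which entry supplies the group class permission bits and how the mask limits effective rights. Function names are hypothetical, the ACL text is constructed from the listings quoted above, and default ACL entries are not handled.

```python
# Added example: function names are hypothetical, ACL text is constructed.
ORIGINAL = """user::rwx
group::rw-
other::rw-"""

BACKUP = """# file: winfile
user::rwx
group::rw- #effective:---
mask::---
other::rw-"""

def parse_acl(text):
    """Parse getfacl-style text into (tag, qualifier, perms) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and #effective notes
        if line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, perms))
    return entries

def and_perms(a, b):
    """Bitwise AND of two 'rwx'-style strings."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))

def mode_string(entries):
    """Permission bits as stat(2) reports them and `ls -l` displays them."""
    perms = {(t, q): p for t, q, p in entries}
    # Group class bits come from the mask entry when one exists,
    # otherwise from the owning group entry.
    group_class = perms.get(("mask", ""), perms[("group", "")])
    return perms[("user", "")] + group_class + perms[("other", "")]

def effective(entries):
    """Effective rights per entry after applying the mask."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        # Masked: named users, named groups and the owning group.
        masked = tag == "group" or (tag == "user" and qualifier)
        limited = masked and mask is not None
        result[f"{tag}:{qualifier}"] = and_perms(perms, mask) if limited else perms
    return result

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("backup", BACKUP)):
        acl = parse_acl(text)
        print(name, mode_string(acl), effective(acl))
```

Comparing `mode_string()` of the source and destination ACLs is a quick way to spot a backup tool that has added a mask entry the original file never had.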