Problem with extended ACLs in 3.0.4?
Matt McCutchen
matt at mattmccutchen.net
Sun Nov 2 21:10:23 GMT 2008
On Sun, 2008-11-02 at 20:48 +0000, Andrew Gideon wrote:
> As you'll see below, -A yields the same results:
>
>
> [root at house0 t]# getfacl f1 f2
> # file: f1
> # owner: adm
> # group: sys
> user::r-x
> group::r-x
> mask::r-x
> other::r-x
>
> getfacl: f2: No such file or directory
> [root at house0 t]# rsync -aA -v --itemize-changes f1 f2
> sending incremental file list
> >f+++++++++ f1
>
> sent 77 bytes received 31 bytes 216.00 bytes/sec
> total size is 0 speedup is 0.00
> [root at house0 t]# getfacl f1 f2
> # file: f1
> # owner: adm
> # group: sys
> user::r-x
> group::r-x
> mask::r-x
> other::r-x
>
> # file: f2
> # owner: adm
> # group: sys
> user::r-x
> group::r-x
> other::r-x
>
> [root at house0 t]#
>
> As far as I can tell, this is somehow the result of the
> particular ACL state of f1. If I tweak it slightly, all
> works as one would expect. For example:
>
> [root at house0 t]# setfacl -m u:andrew:r-x f1
> [root at house0 t]# getfacl f1 f2
> # file: f1
> # owner: adm
> # group: sys
> user::r-x
> user:andrew:r-x
> group::r-x
> mask::r-x
> other::r-x
>
> getfacl: f2: No such file or directory
> [root at house0 t]# rsync -aA -v --itemize-changes f1 f2
> sending incremental file list
> >f+++++++++ f1
>
> sent 88 bytes received 31 bytes 238.00 bytes/sec
> total size is 0 speedup is 0.00
> [root at house0 t]# getfacl f1 f2
> # file: f1
> # owner: adm
> # group: sys
> user::r-x
> user:andrew:r-x
> group::r-x
> mask::r-x
> other::r-x
>
> # file: f2
> # owner: adm
> # group: sys
> user::r-x
> user:andrew:r-x
> group::r-x
> mask::r-x
> other::r-x
Ah. Rsync seems to be dropping a mask entry when there are no named
user or group entries. That's not an unreasonable thing to do on a
system that does not require a mask, and I think the idea was to avoid
receiving superfluous masks from a system that does require them. I
guess one could still make the argument that the ACLs should be copied
exactly.
I found a bigger problem: rsync seems to use the mask permissions as the
group permissions, potentially granting undesired access. To see this,
run the following:
setfacl -k .
umask 0077
touch srcfile
setfacl -m m::r-- srcfile
rsync -A srcfile destfile
getfacl srcfile destfile
I get these results (on Linux):
# file: srcfile
# owner: matt
# group: matt
user::rw-
group::---
mask::r--
other::---

# file: destfile
# owner: matt
# group: matt
user::rw-
group::r--
other::---
Fixing this in a way that works with all combinations of mask-requiring
and non-mask-requiring systems will take some care. We discussed
similar issues a while ago:
http://lists.samba.org/archive/rsync/2006-October/016400.html
I'll have to reread that thread.
Matt
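As an added example (not rsync's own code and not part of the thread), the following Python script parses getfacl output for a source and a destination file, applies the POSIX mask semantics described above (the mask limits group::, named users and named groups, but not user:: or other::), and reports entries whose effective permissions are wider after the copy. It assumes file ACLs only, without default: entries.

```python
# Added example: flag ACL entries whose effective permissions were widened by a copy.
# Constructed sample inputs: the getfacl output quoted in the post above.
SRC_ACL = "# file: srcfile\nuser::rw-\ngroup::---\nmask::r--\nother::---\n"
DST_ACL = "# file: destfile\nuser::rw-\ngroup::r--\nother::---\n"


def parse_acl(text):
    """Map (tag, qualifier) -> permission bits (r=4, w=2, x=1) from getfacl output.

    Assumes file ACLs only; "default:" entries of directories are not handled.
    """
    acl = {}
    for line in text.splitlines():
        line = line.partition("#")[0].strip()  # drop comments and "#effective:" notes
        if not line:
            continue
        tag, qualifier, perms = line.split(":")  # e.g. "user:andrew:r-x"
        bits = 0
        for ch, val in zip(perms, (4, 2, 1)):
            if ch != "-":
                bits |= val
        acl[(tag, qualifier)] = bits
    return acl


def effective(acl):
    """Apply the mask: it limits group::, named users and named groups only."""
    mask = acl.get(("mask", ""))
    result = {}
    for (tag, qualifier), bits in acl.items():
        if tag == "mask":
            continue
        masked = tag == "group" or qualifier != ""
        result[(tag, qualifier)] = bits & mask if (masked and mask is not None) else bits
    return result


def widened_entries(src_text, dst_text):
    """Return entries granted more on the destination than the source allowed."""
    src, dst = effective(parse_acl(src_text)), effective(parse_acl(dst_text))
    return sorted(k for k, bits in dst.items() if bits & ~src.get(k, 0))


if __name__ == "__main__":
    print(widened_entries(SRC_ACL, DST_ACL))  # [('group', '')]
```

Run it over `getfacl` output captured for both ends of a transfer; an empty list means no entry gained access, as in the f1/f2 case earlier in the thread, where dropping the mask did not widen anything.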