Problem with extended ACLs in 3.0.4?

Matt McCutchen matt at mattmccutchen.net
Sun Nov 2 21:10:23 GMT 2008


On Sun, 2008-11-02 at 20:48 +0000, Andrew Gideon wrote:
> As you'll see below, -A yields the same results:
> 
> 
> 	[root at house0 t]# getfacl f1 f2
> 	# file: f1
> 	# owner: adm
> 	# group: sys
> 	user::r-x
> 	group::r-x
> 	mask::r-x
> 	other::r-x
> 	
> 	getfacl: f2: No such file or directory
> 	[root at house0 t]# rsync -aA -v --itemize-changes f1 f2
> 	sending incremental file list
> 	>f+++++++++ f1
> 	
> 	sent 77 bytes  received 31 bytes  216.00 bytes/sec
> 	total size is 0  speedup is 0.00
> 	[root at house0 t]# getfacl f1 f2
> 	# file: f1
> 	# owner: adm
> 	# group: sys
> 	user::r-x
> 	group::r-x
> 	mask::r-x
> 	other::r-x
> 	
> 	# file: f2
> 	# owner: adm
> 	# group: sys
> 	user::r-x
> 	group::r-x
> 	other::r-x
> 	
> 	[root at house0 t]# 
> 
> As far as I can tell, this is somehow the result of the
> particular ACL state of f1.  If I tweak it slightly, all
> works as one would expect.  For example:
> 
>       [root at house0 t]# setfacl -m u:andrew:r-x f1
>       [root at house0 t]# getfacl f1 f2
>       # file: f1
>       # owner: adm
>       # group: sys
>       user::r-x
>       user:andrew:r-x
>       group::r-x
>       mask::r-x
>       other::r-x
>       
>       getfacl: f2: No such file or directory
>       [root at house0 t]# rsync -aA -v --itemize-changes f1 f2
>       sending incremental file list
>       >f+++++++++ f1
>       
>       sent 88 bytes  received 31 bytes  238.00 bytes/sec
>       total size is 0  speedup is 0.00
>       [root at house0 t]# getfacl f1 f2
>       # file: f1
>       # owner: adm
>       # group: sys
>       user::r-x
>       user:andrew:r-x
>       group::r-x
>       mask::r-x
>       other::r-x
>       
>       # file: f2
>       # owner: adm
>       # group: sys
>       user::r-x
>       user:andrew:r-x
>       group::r-x
>       mask::r-x
>       other::r-x

Ah.  Rsync seems to be dropping a mask entry when there are no named
user or group entries.  That's not an unreasonable thing to do on a
system that does not require a mask, and I think the idea was to avoid
receiving superfluous masks from a system that does require them.  I
guess one could still make the argument that the ACLs should be copied
exactly.

I found a bigger problem: rsync seems to use the mask permissions as the
group permissions, potentially granting undesired access.  To see this,
run the following:

setfacl -k .
umask 0077
touch srcfile
setfacl -m m::r-- srcfile
rsync -A srcfile destfile
getfacl srcfile destfile

I get these results (on Linux):

# file: srcfile
# owner: matt
# group: matt
user::rw-
group::---
mask::r--
other::---

# file: destfile
# owner: matt
# group: matt
user::rw-
group::r--
other::---

Fixing this in a way that works with all combinations of mask-requiring
and non-mask-requiring systems will take some care.  We discussed
similar issues a while ago:

http://lists.samba.org/archive/rsync/2006-October/016400.html

I'll have to reread that thread.

Matt
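A small checker for the situation Matt describes, added here as an illustration and not code from the rsync project or from either poster. It parses getfacl-style text (the only format assumed is the one shown in this thread, with default: entries ignored) and applies the POSIX.1e rule that the mask entry caps the owning group and every named user/group entry while the owner and "other" entries are never masked. Run against the srcfile/destfile output above it reports that the copy grants the group read access the source did not have; run against Andrew's f1/f2 pair it reports nothing, because dropping a mask that equals the group permissions changes no effective rights.

```python
"""Compare the effective permissions encoded by two POSIX ACLs.

Example code written for this archived thread, not rsync's own. The ACL
samples below are the getfacl listings quoted in the thread; nothing else
is assumed. Only the access ACL is evaluated; 'default:' entries are skipped.
"""

# getfacl output for the mask-as-group-permission case Matt reports.
SRC_ACL = """\
# file: srcfile
# owner: matt
# group: matt
user::rw-
group::---
mask::r--
other::---
"""

DEST_ACL = """\
# file: destfile
# owner: matt
# group: matt
user::rw-
group::r--
other::---
"""

# getfacl output for Andrew's f1/f2 case, where rsync only dropped the mask.
F1_ACL = "user::r-x\ngroup::r-x\nmask::r-x\nother::r-x\n"
F2_ACL = "user::r-x\ngroup::r-x\nother::r-x\n"

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm):
    """Turn an 'rwx'-style triple such as 'r-x' into its octal digit (5)."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def bits_to_perm(bits):
    """Inverse of perm_to_bits: 4 -> 'r--'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_acl(text):
    """Return ({(tag, qualifier): bits}, mask_bits_or_None) from getfacl text."""
    entries = {}
    mask = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '# file:' headers and blanks
        if not line:
            continue
        parts = line.split(":")
        if parts[0] == "default":  # default ACL entries are out of scope here
            continue
        tag, qualifier, perm = parts
        if tag == "mask":
            mask = perm_to_bits(perm)
        else:
            entries[(tag, qualifier)] = perm_to_bits(perm)
    return entries, mask


def effective_perms(text):
    """Apply the mask: group:: and named entries are ANDed with it, owner/other are not."""
    entries, mask = parse_acl(text)
    effective = {}
    for (tag, qualifier), bits in entries.items():
        masked = tag == "group" or (tag == "user" and qualifier != "")
        if masked and mask is not None:
            bits &= mask
        effective[(tag, qualifier)] = bits
    return effective


def over_granted(src_text, dest_text):
    """List (entry, extra_bits) for every entry where the copy grants more than the source."""
    src = effective_perms(src_text)
    dst = effective_perms(dest_text)
    extra = []
    for key, dbits in dst.items():
        gained = dbits & ~src.get(key, 0)
        if gained:
            extra.append((key, gained))
    return extra


if __name__ == "__main__":
    for label, src, dst in (("srcfile->destfile", SRC_ACL, DEST_ACL), ("f1->f2", F1_ACL, F2_ACL)):
        findings = over_granted(src, dst)
        if not findings:
            print(f"{label}: effective permissions preserved")
        for (tag, qualifier), bits in findings:
            name = f"{tag}:{qualifier}" if qualifier else tag
            print(f"{label}: {name} gained {bits_to_perm(bits)} that the source did not grant")
```

The comparison is on effective rights rather than on the raw entry list, which is the distinction that matters for a backup or mirror: a copy whose getfacl output differs only by a redundant mask is harmless, while one whose group entry took the mask's value is a genuine widening of access.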


