more on Solaris ACLs

Michael Davidson michael_davidson at pacbell.net
Fri May 25 17:05:10 GMT 2001


> OK.  Here's what is going on...
> 
> 
> in posix_acls.c:create_canon_ace_lists() around line 752,
> we only add to the dir_ace_list if 
> 
> (psa->flags & SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)
> 
> In the acl I'm seeing the psa->flags is only set to 0x2
> (SEC_ACE_FLAG_CONTAINER_INHERIT) so no ace's are added to dir_ace.
> Therefore the only entries ever added to dir_ace ar ethe ones to ensure
> that the acl is valid (DEF_GROUP_OBJ, etc...) which is why the
> default named group perms are getting removed...
> 
> Am looking into the mask and default:mask settings now as to why they are
> not getting set to rwx.
> 

I'm not sure if this is relevant or not, but I'm a little worried about
whether the Solaris code in sysacls.c really does the right thing with
the mask entries.

You will notice that the code calls aclsort() immediately before attempting
to set the ACL - this validates the ACL and sorts the entries into the
correct order for the system call.  Currently, the second parameter to 
aclsort() is 1 - this flag tells aclsort() to recalculate the mask entry
to be the union of the individual user and group entries - the net result
of this is that the mask entry will often be more restrictive than rwx but
should still permit any accesses which are allowed by individual user and
group entries.

Making aclsort() recalculate the mask entry was a last-minute change that
was made just before 2.2.0 was released in order to fix a specific problem.

A minimum POSIX ACL only has 3 entries with the permissions for USER_OBJ,
GROUP_OBJ and OTHER - a MASK entry is allowed but not required.

As it happens, it appears that the code in posix_acls.c always adds a mask
entry and, last time I looked, it was always set to rwx (although that may
have changed).

The problem is that UnixWare *requires* that a minimum ACL include a MASK
entry, but it also *requires* that if there are no individual user or
group entries, the permisisons in the MASK entry must be identical to the
permissions in the group entry. This was a problem if you tried to set an
ACL which only had the basic access permissions specified but the group
permissons were not rwx ...

Anyway, the quick fix for this was just to *always* let aclsort()
recalculate the mask entry - at the time I couldn't see any harm
in this, and I still can't but it just *may* be relevant.


md




More information about the samba-technical mailing list