more on Solaris ACLs

Gerald Carter gcarter at
Tue May 29 10:27:05 GMT 2001

Michael Davidson wrote:
> You will notice that the code calls aclsort() immediately 
> before attempting to set the ACL - this validates the ACL 
> and sorts the entries into the correct order for the 
> system call.  Currently, the second parameter to
> aclsort() is 1 - this flag tells aclsort() to recalculate 
> the mask entry to be the union of the individual user 
> and group entries - the net result of this is that the 
> mask entry will often be more restrictive than rwx but
> should still permit any accesses which are allowed by 
> individual user and group entries.

I changed the calls to aclsort() so they would not recalc
the mask.

> Making aclsort() recalculate the mask entry was a 
> last-minute change that was made just before 2.2.0 was 
> released in order to fix a specific problem.


> A minimum POSIX ACL only has 3 entries with the 
> permissions for USER_OBJ, GROUP_OBJ and OTHER - a MASK 
> entry is allowed but not required.
> As it happens, it appears that the code in posix_acls.c 
> always adds  a mask entry and, last time I looked, it was 
> always set to rwx (although that may have changed).

No.  This is still the case.

> The problem is that UnixWare *requires* that a minimum 
> ACL include a MASK entry, but it also *requires* that if 
> there are no individual user or group entries, the 
> permissions in the MASK entry must be identical to the
> permissions in the group entry. This was a problem if 
> you tried to set an ACL which only had the basic 
> access permissions specified but the group
> permissions were not rwx ...

Ugghh...more ifdef'd code then I guess.  I need to test
the Solaris ACL's some more for simple u/g/o ACLs.

> Anyway, the quick fix for this was just to *always* 
> let aclsort() recalculate the mask entry - at the time 
> I couldn't see any harm in this, and I still can't but 
> it just *may* be relevant.

I'll let Jeremy respond when he gets back.  The problem is
that the mask must always be rwx in order to ensure the
permissions set for the group.  Suppose that you wanted
to set group 'A' to be rwx, but the mask was r-x.
The NT security tab has no notion of masks, but smbd 
cannot violate the actual permissions on a file/directory.
Therefore, what permissions you report to the user in the 
NT are not actually the ones the user gets.  And you have
**no** way to inform the user of what the real problem is.

That is why the mask must always be rwx.  

   /\  Gerald (Jerry) Carter                     Professional Services
 \/  VA Linux Systems   gcarter at       SAMBA Team          jerry at                     jerry at

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )
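
Added illustration, not part of the original message and not code from Samba's posix_acls.c: a small C model of the mask behaviour discussed in this thread, showing how a mask of r-x silently reduces group 'A' from rwx to r-x, and what a recalculated (union) mask yields instead. The types and function names are hypothetical and do not use the Solaris aclent_t/aclsort() API; including the owning group entry in the union follows the usual POSIX draft rule and is an assumption here.

```c
#include <stdio.h>

/* Hypothetical model of POSIX-draft ACL entries; not the Solaris aclent_t API. */
enum tag { USER_OBJ, USER, GROUP_OBJ, GROUP, MASK, OTHER };
struct entry { enum tag tag; int id; unsigned perm; };   /* perm: r=4 w=2 x=1 */

/* Entries limited by the mask: named users, owning group, named groups. */
static int masked(enum tag t) { return t == USER || t == GROUP_OBJ || t == GROUP; }

/* Recalculated mask: union of the permissions of all masked entries. */
unsigned recalc_mask(const struct entry *acl, int n) {
    unsigned m = 0;
    for (int i = 0; i < n; i++)
        if (masked(acl[i].tag)) m |= acl[i].perm;
    return m;
}

/* What the system actually grants for one entry under a given mask. */
unsigned effective(const struct entry *e, unsigned mask) {
    return masked(e->tag) ? (e->perm & mask) : e->perm;
}

/* Count entries whose listed permissions differ from the effective ones,
   i.e. entries a client with no notion of masks would be shown incorrectly. */
int misreported(const struct entry *acl, int n, unsigned mask) {
    int bad = 0;
    for (int i = 0; i < n; i++)
        if (acl[i].tag != MASK && effective(&acl[i], mask) != acl[i].perm) bad++;
    return bad;
}

/* Constructed sample: owner rwx, owning group r-x, group 'A' (gid 100) rwx, other r--. */
static const struct entry sample[] = {
    { USER_OBJ, -1, 7 }, { GROUP_OBJ, -1, 5 }, { GROUP, 100, 7 }, { OTHER, -1, 4 },
};
/* Constructed minimal ACL: no named entries, owning group r-x. */
static const struct entry minimal[] = {
    { USER_OBJ, -1, 7 }, { GROUP_OBJ, -1, 5 }, { OTHER, -1, 4 },
};

int main(void) {
    printf("mask r-x: group A effective=%o, misreported=%d\n",
           effective(&sample[2], 5), misreported(sample, 4, 5));
    printf("recalculated mask=%o, misreported=%d\n",
           recalc_mask(sample, 4), misreported(sample, 4, recalc_mask(sample, 4)));
    printf("minimal ACL recalculated mask=%o (equals group entry)\n",
           recalc_mask(minimal, 3));
    return 0;
}
```

In this model the recalculated mask never hides a listed permission, and for the minimal ACL it equals the owning group entry, which is the UnixWare condition quoted above.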
