Gentoo Forums
[Solved] ACL permissions while copying
Gentoo Forums Forum Index :: Networking & Security
ingemar (Tux's lil' helper)
Joined: 21 May 2005
Posts: 83
Location: Gothenburg, Sweden

PostPosted: Tue Jan 10, 2006 11:48 pm    Post subject: [Solved] ACL permissions while copying

Hi

So, right now I'm setting up a Linux box for a family I know, and I'm having some difficulties understanding the ACL permission system. What I'm trying to accomplish: create a directory whose default ACL permissions are inherited by files that are copied into it.

I've managed to make files and directories that are created in the directory inherit the ACL permissions as they should, but when I copy a file or directory the mask isn't set to its default value, even though I have set the default mask with setfacl.

An effort to try to explain what I've been doing:
First, I set the default ACL:
Code:
$ mkdir foo
$ setfacl -d --set u::rwx,g:test-group:rwx,o::- foo
$ getfacl foo
# file: foo
# owner: ingemar
# group: test-group
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:test-group:rwx
default:mask::rwx
default:other::---

Right. That works. And files and directories that are created under the foo directory inherit these permissions as they should. But when I copy a file to foo, and check the permissions on that file/directory with getfacl, as another user, I get this result:
Code:
$ getfacl foo/bar/
# file: foo/bar/
# owner: ingemar
# group: test-group
user::rwx
group::rwx         #effective:r-x
group:test-group:rwx         #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::rwx
default:group:test-group:rwx
default:mask::rwx
default:other::---

As you can see here, the mask on the directory limits the other user so that he/she does not get the permissions that I want him/her to have.

What am I doing wrong? (Or perhaps, not doing at all?)
Last edited by ingemar on Tue Jan 17, 2006 4:35 pm; edited 1 time in total
ingemar

PostPosted: Thu Jan 12, 2006 11:15 am

Bump...
ingemar

PostPosted: Fri Jan 13, 2006 4:55 pm

Bump. Again.
kadeux (Tux's lil' helper)
Joined: 21 Nov 2005
Posts: 103

PostPosted: Sat Jan 14, 2006 12:50 am

It's expected behaviour.

To be compatible with applications/kernels which do not support extended ACLs, and to avoid undermining the security of existing files without ACL entries, the group class permissions are mapped to the mask entry of the extended ACL, which filters all named entries.

Thus when you copy or move files to a directory where they get an extended ACL with named entries, the existing group permission of the source file will be mapped to the mask entry of the target file, which limits / filters the permissions granted by any entry for a named user, a named group, or the owning group.

The default ACL of a parent directory is more or less a replacement of the umask setting when creating new file system objects.

Hope that helps. :)
tuxmin (l33t)
Joined: 24 Apr 2004
Posts: 838
Location: Heidelberg

PostPosted: Sat Jan 14, 2006 4:15 pm

I guess what you want to do is something like this:

Code:
setfacl -R -dm g:test-group:rwx foo
setfacl -R -m g:test-group:rwx foo

You can restore the default user/group/other permissions by issuing
Code:
setfacl -R -b foo

Hth, Alex!!
ingemar

PostPosted: Sun Jan 15, 2006 1:52 pm

So I guess that you are saying there is no way to set a default ACL for files that are copied to a directory with the default ACL set, right?
If I have to run
Code:
setfacl -R -dm g:test-group:rwx foo
setfacl -R -m g:test-group:rwx foo
every time I copy something to foo, I could just do
Code:
chmod -R 775 foo
instead (if I have done chmod g+s foo earlier)?

But it seems a bit odd that this could not be done... Are you guys sure?
tuxmin

PostPosted: Sun Jan 15, 2006 3:44 pm

The "setfacl -dm" line sets default permissions, hence the -d. Any file you copy to foo inherits these rights...
Just try it out.

Alex!!!
ingemar

PostPosted: Sun Jan 15, 2006 9:44 pm

I did that, but it didn't work. I'm copying the file to the directory, so the mask still gets in the way.
If you take a look at the code box in my first post you can see that I had the -d option enabled. This works for creating files inside the foo directory, but not for copying to it.
kadeux

PostPosted: Mon Jan 16, 2006 5:35 pm

I still believe that it's expected behaviour. Why ?

(As CONFIG_EXT3_FS_POSIX_ACL is not set in my current kernel config, I could not test or verify it by myself, sorry. :( )

But let us look at different locations in the documentation.

man cp wrote:
The modes of the files and directories created will be the same as those of the
original files, ANDed by 0777, and modified by the user's umask (unless the -p
option was specified). [..]
When copying to a new file it is created using
`open(path, O_WRONLY | O_CREAT, mode)'.


man acl wrote:
CORRESPONDENCE BETWEEN ACL ENTRIES AND FILE PERMISSION BITS

The permissions defined by ACLs are a superset of the permissions specified
by the file permission bits. [..]
The permissions defined for the file group correspond to the permissions of the
ACL_GROUP_OBJ entry, if the ACL has no ACL_MASK entry. If the ACL has an
ACL_MASK entry, then the permissions defined for the file group corre-
spond to the permissions of the ACL_MASK entry. [..]
Modification of the file permission bits results in the modification of
the permissions in the associated ACL entries.


man acl wrote:
OBJECT CREATION AND DEFAULT ACLs
[..]
If a default ACL is associated with a directory, the mode parameter to
the functions creating file objects and the default ACL of the directory
are used to determine the ACL of the new object:

1. The new object inherits the default ACL of the containing directory
as its access ACL.

2. The access ACL entries corresponding to the file permission bits are
modified so that they contain no permissions that are not contained
in the permissions specified by the mode parameter.


Now bringing these pieces together:

cp creates a new object for the target. The new object inherits the default ACL as its access ACL. cp uses a mode parameter corresponding to the original file in the function call for creating the new file. The access ACL entries corresponding to the file permission bits are modified according to the permission bits of the original file. ACL_MASK corresponds to the group permission. If the group permission for the original file was set to r-x, the new file has an ACL_MASK of r-x. The ACL_MASK filters all named users and all named groups. If the group permissions were set to rwx, you would have got a mask of rwx.

This behaviour is analogous/consistent to the traditional system with owner/group/others and mode/umask.

As I said before, I could not present an evidence, but for me the behaviour looks logical. :)

So what can you do to accomplish your goal without to much typing?
A little shell script or an alias comes to mind. If you always want to set the same file mode, you can use install instead of cp. If you want to change only the group permissions and leave the owner permissions and the other (world) permissions unchanged, the install command is not applicable, because, contrary to chmod, it sets all permissions not given in the mode option to deny, even though the syntax of the mode option is similar. (This is at least true for the versions I am using.)
tuxmin

PostPosted: Mon Jan 16, 2006 6:55 pm

I admit, I was wrong, as I found out today, sorry... and I agree with kadeux on the logic of Linux ACLs. However, now I too have to ask: is it impossible to get Windows-like ACL inheritance with Linux ACLs at all?

I'll investigate this further tomorrow and keep you posted.

alex!!!
ingemar

PostPosted: Mon Jan 16, 2006 9:33 pm

I can agree with what you are saying. It is expected behaviour. But there must be a way to achieve the goal I want, right? Sure, a small shell script might do it, but that's an ugly way to do it, if you ask me =)

Since the users that will be running the computer have quite low knowledge of Linux and of using terminal commands for copying files to a directory, they will only use a simple GUI (for example Nautilus or Konqueror).

So I guess the question now is, as tuxmin says: Is it impossible to get Windows-like ACL inheritance with Linux ACLs at all? And if not, what workarounds are possible?
kadeux

PostPosted: Tue Jan 17, 2006 12:39 am

Oh, I had thought that you as the administrator initially copy files to a directory hierarchy and your users are only allowed to create and copy files in that hierarchy. But now I think you want to use it as a share for all family members, and outside of this directory hierarchy the users are using the traditional access control system.

In this case you might consider creating a different default group for every user that has the same name as the user, and changing the umask for every user to 007. (Of course, a user could simply change the umask value.)

So a user named barney gets a default group barney with barney as the only group member. If barney creates a document called barneystext, it gets the file permissions rwxrwx---, owner: barney, group: barney. If barney copies this file to the directory family+friends that has a default ACL, it inherits the ACL, and the ACL_MASK will allow all settings for the named ACL entries because the mask entry is set to rwx according to the group permission of the original file. If the default ACL grants the permission rwx to wilma and r-- to fred, these settings will take effect.

You have to check whether the utilities used for manipulating files (editors, file managers, backup programs) preserve the ACL settings. If an editor, for instance, creates a temporary file when you want to edit the original file, and then on save writes the temporary file, deletes the original file and renames the temporary file to the name of the original file, your ACL settings will be lost if the editor itself did not take care to preserve them. (Notice the acl USE flag in Gentoo.)

If you need even more granularity, security, hardening, you might consider looking at RSBAC in the Hardened Gentoo project.
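As an added example (not code from this thread or from the acl tools), the following Python script models the two acl(5) steps kadeux quotes above, the mapping of group bits onto the mask entry from the earlier reply, and the per-user-group/umask 007 scenario with barney. It uses the default ACL ingemar set on foo, constructed here from the getfacl output, and shows why a cp of a 0755 object ends up with mask::r-x (named entries effective r-x) while a file created under umask 007 carries rw- in its group bits and so keeps the mask open. The model reproduces only the ACL algorithm; anything cp does to the copy after open(2) (a later chmod, for instance, which might explain the other::r-x in ingemar's second getfacl listing) is outside it. Entry, parse_acl, inherit_access_acl, effective_perms and creation_mode are names chosen for this example.

```python
"""Model of POSIX.1e default-ACL inheritance as described in acl(5).
Added example; the default ACL is the one from ingemar's getfacl output."""
from dataclasses import dataclass

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed from the thread: the default entries ingemar set on foo.
FOO_DEFAULT_ACL = """
default:user::rwx
default:group::rwx
default:group:test-group:rwx
default:mask::rwx
default:other::---
"""


@dataclass(frozen=True)
class Entry:
    tag: str        # "user", "group", "mask" or "other"
    qualifier: str  # "" for owner, owning group, mask, other; otherwise a name
    perms: int      # rwx as a 3-bit value, r=4 w=2 x=1


def parse_perm(text: str) -> int:
    return sum(PERM_BITS[c] for c in text if c != "-")


def perm_str(bits: int) -> str:
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_acl(text: str) -> list:
    """Parse getfacl-style lines; a leading 'default:' is accepted and dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("default:"):
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        entries.append(Entry(tag, qualifier, parse_perm(perms)))
    return entries


def creation_mode(requested: int, umask: int) -> int:
    """Mode of an object created outside any default ACL, e.g. an editor's
    0666 request under the umask 007 kadeux suggests for barney."""
    return requested & ~umask & 0o777


def inherit_access_acl(default_acl: list, mode: int) -> list:
    """acl(5) OBJECT CREATION: step 1 copies the default ACL as the access ACL;
    step 2 ANDs the entries that correspond to the file permission bits with
    the mode parameter. The group bits land on the mask entry when one exists,
    otherwise on the owning group. Named entries are left untouched."""
    has_mask = any(e.tag == "mask" for e in default_acl)
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    result = []
    for e in default_acl:
        p = e.perms
        if e.tag == "user" and e.qualifier == "":
            p &= owner_bits
        elif e.tag == "mask":
            p &= group_bits
        elif e.tag == "group" and e.qualifier == "" and not has_mask:
            p &= group_bits
        elif e.tag == "other":
            p &= other_bits
        result.append(Entry(e.tag, e.qualifier, p))
    return result


def effective_perms(acl: list) -> dict:
    """Permissions actually granted: the mask filters named users, the owning
    group and named groups; owner and other entries are never filtered."""
    mask = next((e.perms for e in acl if e.tag == "mask"), None)
    effective = {}
    for e in acl:
        masked = e.tag == "group" or (e.tag == "user" and e.qualifier != "")
        effective[(e.tag, e.qualifier)] = e.perms & mask if (mask is not None and masked) else e.perms
    return effective


def format_acl(acl: list) -> str:
    """Render like getfacl, with '#effective:' where the mask bites."""
    effective = effective_perms(acl)
    lines = []
    for e in acl:
        line = f"{e.tag}:{e.qualifier}:{perm_str(e.perms)}"
        if effective[(e.tag, e.qualifier)] != e.perms:
            line += f"\t#effective:{perm_str(effective[(e.tag, e.qualifier)])}"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    default_acl = parse_acl(FOO_DEFAULT_ACL)
    # cp -r of a 0755 directory: its group bits r-x become the mask.
    print("cp of a mode 0755 directory into foo:")
    print(format_acl(inherit_access_acl(default_acl, 0o755)))
    # barney's file was created with umask 007, so its group bits are rw-.
    print("\ncp of a file barney created under umask 007:")
    print(format_acl(inherit_access_acl(default_acl, creation_mode(0o666, 0o007))))
```

Running it prints the first listing with `group::rwx #effective:r-x` and `mask::r-x`, matching the foo/bar output in the first post, and the second with `mask::rw-` and no clipped named entries, which is the effect of the per-user group plus umask 007 arrangement. A default ACL without a mask entry is handled too: there the group bits of the mode are applied to the owning-group entry instead.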
ingemar

PostPosted: Tue Jan 17, 2006 4:35 pm

Yay! After some thinking and reading what you wrote a few times over and over, I've finally got it. I did as you described and things work as they should now. I guess this is a bit of a workaround, but the drawbacks are probably few. I can't come up with any right now, but time will tell how things work out. Thanks!