Michael Orlitzky 08-06-2012 06:31 PM

Group permissions bits interfering with default ACL mask
 
Initially sent to gentoo-server, just remembered there are probably a
few ACL users here too.

-------- Original Message --------

I have a directory (drupal modules directory) where developers regularly
untar (or cp) archives. The contents should be rwx for the 'developers'
group, so that some other developer can update or remove the module later.

I've set default ACLs on the parent directory, and the regular default
ACLs are applied but the default mask is not. This is because tar/cp
preserve the original group permission bits -- a strategy that doesn't
make sense under a directory with default ACLs.

For an example, I'll copy /etc/profile (mode: 0644) into a directory
whose contents should be rwx to the 'apache' user via its default ACL.

gantu acl $ getfacl .
# file: .
# owner: mjo
# group: mjo
user::rwx
group::---
other::---
default:user::rwx
default:user:apache:rwx
default:group::---
default:mask::rwx
default:other::---

gantu acl $ cp /etc/profile ./
gantu acl $ getfacl profile
# file: profile
# owner: mjo
# group: mjo
user::rw-
user:apache:rwx #effective:r--
group::---
mask::r--
other::---

So, even though the directory has default:mask::rwx, newly-created files
have mask::r--. I've been searching for a while and others have run into
this problem; so far, I don't see any good solutions. Does anything come
to mind?

Initially I thought I could set developers' umasks appropriately;
however, both tar and cp ignore the umask (even with
--no-preserve=mode!) and use the source permission bits anyway.
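
The mask::r-- shown above follows from the object-creation rule in acl(5): the new file inherits the directory's default ACL, and then the owner, mask and other entries are ANDed with the mode passed to open(). The following is an added sketch of that rule, not part of the original post and not code from aclq, and it assumes cp passes the source file's 0644 as the creation mode:

```python
# Added illustration of the acl(5) object-creation rule; not code from the
# thread or from aclq. DIR_ACL is the directory's getfacl output from the post.
DIR_ACL = """\
user::rwx
group::---
other::---
default:user::rwx
default:user:apache:rwx
default:group::---
default:mask::rwx
default:other::---
"""
BITS = {"r": 4, "w": 2, "x": 1}

def fmt(perms):
    return "".join(ch if perms & bit else "-" for ch, bit in BITS.items())

def parse_default_acl(text):
    """Map (tag, qualifier) -> permission bits for each 'default:' entry."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if line.startswith("default:"):
            tag, qualifier, perms = line[len("default:"):].split(":")
            acl[(tag, qualifier)] = sum(BITS[c] for c in perms if c in BITS)
    return acl

def inherit(default_acl, mode):
    """Access ACL of a file created with `mode` under that directory."""
    acl = dict(default_acl)  # step 1: copy the default ACL
    # Step 2: AND the entries behind the three permission classes with
    # `mode`. The group class is the mask when one exists. umask is not used.
    group_class = ("mask", "") if ("mask", "") in acl else ("group", "")
    for key, shift in ((("user", ""), 6), (group_class, 3), (("other", ""), 0)):
        acl[key] &= (mode >> shift) & 7
    return acl

def effective(acl, key):
    """Named users, named groups and the owning group are capped by the mask."""
    if key in (("user", ""), ("other", "")):
        return acl[key]
    return acl[key] & acl.get(("mask", ""), 7)

if __name__ == "__main__":
    new = inherit(parse_default_acl(DIR_ACL), 0o644)  # assumed mode from cp
    for (tag, qualifier), perms in new.items():
        print(f"{tag}:{qualifier}:{fmt(perms)}  effective:{fmt(effective(new, (tag, qualifier)))}")
```

A source file with mode 0664 would come out with mask::rw- under the same directory, so the resulting mask depends on the copied file's group bits rather than on default:mask.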

Michael Orlitzky 08-12-2012 11:35 PM

On 08/06/2012 02:31 PM, Michael Orlitzky wrote:
>
> I have a directory (drupal modules directory) where developers regularly
> untar (or cp) archives. The contents should be rwx for the 'developers'
> group, so that some other developer can update or remove the module later.
>
> I've set default ACLs on the parent directory, and the regular default
> ACLs are applied but the default mask is not. This is because tar/cp
> preserve the original group permission bits -- a strategy that doesn't
> make sense under a directory with default ACLs.
>

I wrote a function reapply_default_acl() which will apply foo's default
ACL to foo/bar when called like reapply_default_acl("foo/bar").

It still retains the original execute bits, though, unless the default
ACL states that we shouldn't.

http://michael.orlitzky.com/git/?p=aclq.git

I've patched a modification of this into coreutils to get at least cp
and mkdir working. Does this sound at all sane?

