Old 08-06-2012, 06:31 PM
Michael Orlitzky
 
Group permissions bits interfering with default ACL mask

Initially sent to gentoo-server, just remembered there are probably a
few ACL users here too.

-------- Original Message --------

I have a directory (drupal modules directory) where developers regularly
untar (or cp) archives. The contents should be rwx for the 'developers'
group, so that some other developer can update or remove the module later.

I've set default ACLs on the parent directory, and the regular default
ACLs are applied but the default mask is not. This is because tar/cp
preserve the original group permission bits -- a strategy that doesn't
make sense under a directory with default ACLs.

For an example, I'll copy /etc/profile (mode: 0644) into a directory
whose contents should be rwx to the 'apache' user via its default ACL.

gantu acl $ getfacl .
# file: .
# owner: mjo
# group: mjo
user::rwx
group::---
other::---
default:user::rwx
default:user:apache:rwx
default:group::---
default:mask::rwx
default:other::---

gantu acl $ cp /etc/profile ./
gantu acl $ getfacl profile
# file: profile
# owner: mjo
# group: mjo
user::rw-
user:apache:rwx #effective:r--
group::---
mask::r--
other::---

So, even though the directory has default:mask::rwx, newly-created files
have mask::r--. I've been searching for a while and others have run into
this problem; so far, I don't see any good solutions. Does anything come
to mind?

Initially I thought I could set developers' umasks appropriately;
however, both tar and cp ignore the umask (even with
--no-preserve=mode!) and use the source permission bits anyway.
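
The mask in the getfacl output above follows from how Linux combines a directory's default ACL with the mode a program requests when it creates the file. The model below is an added example, not part of the original thread or of the aclq code; its function names are hypothetical and the sample ACL is copied from the post's getfacl output.

```python
# Added illustration: models how Linux derives a new file's access ACL from the
# parent's default ACL and the mode given to open(). Names here are hypothetical.
R, W, X = 4, 2, 1

def fmt(p):
    return ("r" if p & R else "-") + ("w" if p & W else "-") + ("x" if p & X else "-")

def inherit(default_acl, mode):
    """Return the access ACL for a file created with `mode` under default_acl.

    Entries are (tag, qualifier, perms). The umask is not consulted: when a
    default ACL exists, only the mode requested by the creating program counts.
    """
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    acl = []
    for tag, qual, perms in default_acl:
        if tag == "user" and qual is None:
            perms &= mode >> 6            # owner bits of the requested mode
        elif tag == "mask" or (tag == "group" and qual is None and not has_mask):
            perms &= mode >> 3            # group bits land on the mask
        elif tag == "other":
            perms &= mode
        acl.append((tag, qual, perms & 7))
    return acl

def render(acl):
    """Format like getfacl, flagging entries the mask cuts down."""
    mask = next((p for t, _, p in acl if t == "mask"), 7)
    lines = []
    for tag, qual, perms in acl:
        line = f"{tag}:{qual or ''}:{fmt(perms)}"
        capped = tag == "group" or (tag == "user" and qual is not None)
        if capped and (perms & mask) != perms:
            line += f"\t#effective:{fmt(perms & mask)}"
        lines.append(line)
    return lines

# Default ACL of the directory in the first post (copied from its getfacl output).
DEFAULT = [("user", None, 7), ("user", "apache", 7), ("group", None, 0),
           ("mask", None, 7), ("other", None, 0)]

if __name__ == "__main__":
    for mode in (0o644, 0o666):   # 0644: mode of /etc/profile; 0666: constructed
        print(f"# created with mode {mode:04o}")
        print("\n".join(render(inherit(DEFAULT, mode))))
```

With mode 0644 the model reproduces the mask::r-- and #effective:r-- lines from the post; with 0666 the mask widens only as far as the creator's group bits allow.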
 
Old 08-12-2012, 11:35 PM
Michael Orlitzky
 

On 08/06/2012 02:31 PM, Michael Orlitzky wrote:
>
> I have a directory (drupal modules directory) where developers regularly
> untar (or cp) archives. The contents should be rwx for the 'developers'
> group, so that some other developer can update or remove the module later.
>
> I've set default ACLs on the parent directory, and the regular default
> ACLs are applied but the default mask is not. This is because tar/cp
> preserve the original group permission bits -- a strategy that doesn't
> make sense under a directory with default ACLs.
>

I wrote a function reapply_default_acl() which will apply foo's default
ACL to foo/bar when called like reapply_default_acl("foo/bar").

It still retains the original execute bits, though, unless the default
ACL states that we shouldn't.

http://michael.orlitzky.com/git/?p=aclq.git

I've patched a modification of this into coreutils to get at least cp
and mkdir working. Does this sound at all sane?
 
