5.1-R acl problem (again)

Branko F. Gračnar bfg at noviforum.si
Sat Aug 9 11:28:13 PDT 2003


Hi

Today I added a new disk partition to my 5.1-RELEASE box. I want to use ACLs, which are enabled in the kernel; they work partially. They work on a single directory or file, but they don't apply to a file/directory at all when I try to set a so-called default ACL entry.

I attached my kernel config file. Additionally, I've got the OpenBSD pf module (firewall) loaded.

Any help would be very appreciated.

Brane

Command sequence was:

# newfs -O 2 -L export -U -m 0 -o space /dev/ad0s2d
... lots of numbers ...

# tunefs -a enable /dev/ad0s2d
tunefs: ACLs set

# mount /dev/ad0s2d /export

# mount | grep /export
/dev/ad0s2d on /export (ufs, local, soft-updates, acls)


Now I create directory /export/a. I want it to be owned by root:wheel, others will not have any access at all, and I want user branko to have rw access to it.

# mkdir a

# getfacl a
#file:a
#owner:0
#group:0
user::rwx
group::r-x
other::r-x

# setfacl -m u::rwx,g::rx,o::---,u:branko:rwx a

# getfacl a
#file:a
#owner:0
#group:0
user::rwx
user:branko:rwx
group::r-x
mask::rwx
other::---

(testing as branko - works okay)

Now, if root creates some files (or dirs) in 'a', the owner of that file will be root and only the standard Unix triple ACL will be assigned, so user branko will not be able to access that file read/write.

Well, it seems that a default directory ACL needs to be set to achieve the above goal.

# setfacl -b a

# setfacl -dm u::rwx,g::rwx,o::--,u:branko:rwx a

# getfacl a
#file:a
#owner:0
#group:0
user::rwx
group::r-x
mask::r-x
other::---

WHOOPS, where is user branko?! Why was the group's ACL not altered from 'r-x' to 'rwx'?!

Of course, trying to access directory 'a' as branko doesn't succeed.
-------------- next part --------------
machine         i386
cpu             I686_CPU
ident           FROST

options         SCHED_4BSD              #4BSD scheduler
options         INET                    #InterNETworking
options         INET6                   #IPv6 communications protocols
options         FFS                     #Berkeley Fast Filesystem
options         SOFTUPDATES             #Enable FFS soft updates support
options         UFS_ACL                 #Support for access control lists
options         UFS_DIRHASH             #Improve performance on big directories
options         NFSCLIENT               #Network Filesystem Client
options         NFSSERVER               #Network Filesystem Server
options         NULLFS
options         PROCFS                  #Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                #Pseudo-filesystem framework
options         COMPAT_43               #Compatible with BSD 4.3 [KEEP THIS!]
options         COMPAT_FREEBSD4         #Compatible with FreeBSD4
options         KTRACE                  #ktrace(1) support
options         SYSVSHM                 #SYSV-style shared memory
options         SYSVMSG                 #SYSV-style message queues
options         SYSVSEM                 #SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING #Posix P1003_1B real-time extensions

device          isa
device          pci

# Floppy drives
device          fdc

# ATA and ATAPI devices
device          ata
device          atadisk                 # ATA disk drives
device          atapicd                 # ATAPI CDROM drives
options         ATA_STATIC_ID           #Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc          # AT keyboard controller
device          atkbd           # AT keyboard
device          psm             # PS/2 mouse


device          vga             # VGA video card driver

device          splash          # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc

# Floating point support - do not disable.
device          npx

# Power management support (see NOTES for more options)
device          apm
device          acpi
# Add suspend/resume support for the i8254.
device          pmtimer

# Serial (COM) ports
device          sio             # 8250, 16[45]50 based serial ports

# Parallel port
device          ppc
device          ppbus           # Parallel port bus (required)
device          lpt             # Printer
device          ppi             # Parallel port interface device


# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus          # MII bus support
device          dc              # DEC/Intel 21143 and various workalikes
device          ed              # NE[12]000, SMC Ultra, 3c503, DS8390 cards
device          rl              # RealTek

# Pseudo devices - the number indicates how many units to allocate.
device          random          # Entropy device
device          loop            # Network loopback
device          ether           # Ethernet support
device          ppp             # Kernel PPP
device          pty             # Pseudo-ttys (telnet etc)
device          md              # Memory "disks"
device          gif             # IPv6 and IPv4 tunneling
device          faith           # IPv6-to-IPv4 relaying (translation)
device          tun

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
device          bpf             # Berkeley packet filter

# USB support
device          uhci            # UHCI PCI->USB interface
device          ohci            # OHCI PCI->USB interface
device          usb             # USB Bus (required)
device          ugen            # Generic
device          ulpt            # Printer

# ipsec
options         IPSEC
options         IPSEC_ESP
options         IPSEC_DEBUG

# pppoe
options         NETGRAPH
options         NETGRAPH_ETHER
options         NETGRAPH_PPPOE
options         NETGRAPH_SOCKET

# ppp
options         PPP_BSDCOMP
options         PPP_DEFLATE
options         PPP_FILTER

# linux
options         COMPAT_LINUX

# PF
options         PFIL_HOOKS
options         RANDOM_IP_ID

