default acl's permissions problem [continuation?]

Mark G. mark-fbsd-quest-01 at giovannetti.ca
Sat Jun 18 07:02:34 GMT 2005


Nathanael Jean-Francois wrote:
> Hi all,
> I've run into the little snag with default acl
> permissions, the issue was brought up in this thread
> http://marc.theaimsgroup.com/?l=freebsd-questions&m=111118504532207&w=2
> but there was no reply to it and my digging so far
> hasn't turned up anything substantial. If anyone knows
> of a solution for this please let me know. Thanks
> 
> -Nathanael
> 

Hello,

I don't understand the acl and mask support for defaults.

But I have found a way to make them work as I *think*
they should.

Here is an example similar to the one in the link you provided.

# mount
/dev/ad2s1h on /home (ufs, local, soft-updates, acls)

# cd /home
# mkdir cvsroot
# chown cvs:cvs cvsroot
# chmod 2770 cvsroot

# ls -la
drwxrws---   2 cvs      cvs        512 Jun 17 23:46 cvsroot/

# umask
22
# touch cvsroot/te
# ls -la cvsroot/te
-rw-r--r--  1 root  cvs  0 Jun 17 23:48 cvsroot/te

# umask 0007         <----- this turns out to be the solution.
# touch cvsroot/tes
# ls -la cvsroot/tes
-rw-rw----  1 root  cvs  0 Jun 18 02:00 cvsroot/tes


Now for the acls part.

# setfacl -d -m u::rwx,m::rwx,g::rwx,o::--- cvsroot/
# getfacl -d cvsroot/
#file:cvsroot/
#owner:1012
#group:1012
user::rwx
group::rwx
mask::rwx
other::---

Ok, so far so good.

# touch cvsroot/test
# getfacl cvsroot/test
#file:cvsroot/test
#owner:0
#group:1012
user::rw-
group::rwx              # effective: rw-
mask::rw-
other::---

Hmmm. Ok, so it didn't make it executable. A good thing.

Add some groups to the default acl on cvsroot/

# setfacl -d -m g:cvsuser:r-x,g:cvsadmin:rwx cvsroot/
# getfacl -d cvsroot/
#file:cvsroot/
#owner:1012
#group:1012
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---

Now the acl entries on cvsroot/ itself:

# setfacl -m g:cvsuser:r-x,g:cvsadmin:rwx cvsroot/
# getfacl cvsroot/
#file:cvsroot/
#owner:1012
#group:1012
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---


What I Want

1. All new files created to be read for cvsuser.
2. New directories to be read/exec for cvsuser.

3. All files created to be read/write for cvsadmin.
4. New directories to be read/write/exec for cvsadmin.

5. The defaults will propagate down the tree so that sub-sub
directories inherit the same permissions.

6. The user and group cvs has full control.
7. Any other users have no permissions.

What I Get

# mkdir cvsroot/dir1
# touch cvsroot/file1
# ls -lad cvsroot/*
drwxrwx---+ 2 root  cvs  512 Jun 18 02:19 cvsroot/dir1/
-rw-rw----+ 1 root  cvs    0 Jun 18 02:19 cvsroot/file1

Looks OK from that angle. Items 6 and 7 are satisfied.

# getfacl cvsroot/*
#file:cvsroot/dir1
#owner:0
#group:1012
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---

Good. Items 2 and 4 are satisfied.

#file:cvsroot/file1
#owner:0
#group:1012
user::rw-
group::rwx              # effective: rw-
group:cvsuser:r-x               # effective: r--
group:cvsadmin:rwx              # effective: rw-
mask::rw-
other::---

Better. Items 1 and 3 are satisfied.

Finally:
# getfacl -d cvsroot/dir1
#file:cvsroot/dir1
#owner:0
#group:1012
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---

# touch cvsroot/dir1/file2
# mkdir cvsroot/dir1/dir2
# ls -lad cvsroot/dir1/*
drwxrwx---+ 2 root  cvs  512 Jun 18 02:26 cvsroot/dir1/dir2/
-rw-rw----+ 1 root  cvs    0 Jun 18 02:26 cvsroot/dir1/file2

# getfacl -d cvsroot/dir1/dir2/
#file:cvsroot/dir1/dir2/
#owner:0
#group:1012
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---

# getfacl cvsroot/dir1/dir2/
#file:cvsroot/dir1/dir2/
#owner:0
#group:1012
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---

# getfacl cvsroot/dir1/file2
#file:cvsroot/dir1/file2
#owner:0
#group:1012
user::rw-
group::rwx              # effective: rw-
group:cvsuser:r-x               # effective: r--
group:cvsadmin:rwx              # effective: rw-
mask::rw-
other::---

Excellent. Item 5 is satisfied. Those are all my requirements.

This entire discovery process, although nice and tidy above,
was filled with a certain amount of grief. It was only when
I reset the umask to 0007 that things started to work as
expected.

Now this bothers me for two reasons. I don't want my umask
to have to be 0007. What if I'm in a working directory that
doesn't require propagating acls? Then I'm stuck setting my
umask back to something sensible like 0027 before creating
files without extended acl entries. I have a difficult time
remembering little details like that.

Not only that, but I'll have to remember to set it back to
0007 (or maybe 0000, horrors) if I want to use propagating
acls and have them behave as I expect as shown above.

I can easily set a process' umask through cron et al, but how
do I set it for cvs users using the protocol :ext:server:/home/cvsroot
with ssh?

Can anyone explain this further? Thanks.

Mark

P.S. Below is the behaviour that perplexed me earlier.
It is not what I expect and does not meet my requirements 1-7
above. I consider the application of the, shall we say, old
umask context to the new acl context to be a design error of
sorts. User mv and group cvsadmin are supposed to have write
access to new files and directories.

# umask
22
# mkdir dir1
# ls -la dir1
total 4
drwxr-xr-x   2 root  wheel  512 Jun 18 02:43 ./
drwxr-xr-x  14 root  wheel  512 Jun 18 02:43 ../

# setfacl -d -m u::rwx,m::rwx,g::r-x,o::--- dir1
# setfacl  -m u::rwx,m::rwx,g::r-x,o::--- dir1

# getfacl dir1
#file:dir1
#owner:0
#group:0
user::rwx
group::r-x
mask::rwx
other::---

# getfacl -d dir1
#file:dir1
#owner:0
#group:0
user::rwx
group::r-x
mask::rwx
other::---

# setfacl -d -m u:mv:-w-,g:cvsadmin:rwx dir1
# setfacl  -m u:mv:-w-,g:cvsadmin:rwx dir1

# getfacl dir1
#file:dir1
#owner:0
#group:0
user::rwx
user:mv:-w-
group::r-x
group:cvsadmin:rwx
mask::rwx
other::---

# getfacl -d dir1
#file:dir1
#owner:0
#group:0
user::rwx
user:mv:-w-
group::r-x
group:cvsadmin:rwx
mask::rwx
other::---

# touch dir1/file1
# mkdir dir1/dir2

# getfacl dir1/*
#file:dir1/dir2
#owner:0
#group:0
user::rwx
user:mv:-w-             # effective: ---
group::r-x
group:cvsadmin:rwx              # effective: r-x
mask::r-x
other::---

#file:dir1/file1
#owner:0
#group:0
user::rw-
user:mv:-w-             # effective: ---
group::r-x              # effective: r--
group:cvsadmin:rwx              # effective: r--
mask::r--
other::---

Finally, for clarity, the following does meet the requirements:
# umask 0007
# touch dir1/file2
# mkdir dir1/dir3

# getfacl dir1/*
#file:dir1/dir3
#owner:0
#group:0
user::rwx
user:mv:-w-
group::r-x
group:cvsadmin:rwx
mask::rwx
other::---

#file:dir1/file2
#owner:0
#group:0
user::rw-
user:mv:-w-
group::r-x              # effective: r--
group:cvsadmin:rwx              # effective: rw-
mask::rw-
other::---
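The derivation rule that the getfacl output above exhibits can be checked without an ACL-enabled filesystem. The following is an added example, not code from the original message: a small model of how a new object's access ACL is composed from the parent's default ACL, the mode the creating call asks for (0666 for touch, 0777 for mkdir) and the process umask. The rule is read directly off the listings above: the umask is applied to the requested mode first, and a permission bit then survives only if it is set both in the default ACL and in that reduced mode, so user:: takes the owner bits, mask:: takes the group bits, other:: takes the other bits, and group:: and the named entries are copied unchanged and clipped only through the mask. The entry names, the `Entry` type and the `umasks_satisfying` search are this example's own; the sample default ACL and the requirements are the ones from the message. Caveat for anyone comparing with Linux: the POSIX.1e draft says the umask is not to be applied when a default ACL is present, and Linux follows that, so the same commands give different results there.

```python
"""Model of how FreeBSD UFS derives a new object's POSIX.1e ACL from the parent's
default ACL, the requested creation mode and the process umask, reproducing the
getfacl output in the message above.  Added example, not code from the original
post; the composition rule is taken from the post's own listings.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

R, W, X = 4, 2, 1


def parse_perm(s: str) -> int:
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0."""
    if len(s) != 3:
        raise ValueError(f"bad permission string {s!r}")
    return (R if s[0] == "r" else 0) | (W if s[1] == "w" else 0) | (X if s[2] == "x" else 0)


def fmt_perm(p: int) -> str:
    return ("r" if p & R else "-") + ("w" if p & W else "-") + ("x" if p & X else "-")


@dataclass(frozen=True)
class Entry:
    tag: str        # 'user', 'group', 'mask' or 'other'
    qualifier: str  # user/group name; '' for owner, owning group, mask and other
    perms: int      # 0..7


def parse_acl(text: str) -> List[Entry]:
    """Parse getfacl(1)-style text; '#file:' headers and '# effective:' notes are ignored."""
    acl = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perm = line.split(":")
        acl.append(Entry(tag, qualifier, parse_perm(perm)))
    return acl


def new_object_acl(default_acl: List[Entry], requested_mode: int, umask: int) -> List[Entry]:
    """Access ACL of an object created below a directory carrying default_acl.

    Rule exhibited by the post: umask is applied to the requested mode first,
    then a bit survives only if set both in the default ACL and in that mode.
      user::  <- default user::  & owner bits     mask:: <- default mask:: & group bits
      other:: <- default other:: & other bits     group:: and named entries copied as-is
    """
    mode = requested_mode & ~umask & 0o777
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    out = []
    for e in default_acl:
        if e.tag == "user" and e.qualifier == "":
            perms = e.perms & owner_bits
        elif e.tag == "mask":
            perms = e.perms & group_bits
        elif e.tag == "other":
            perms = e.perms & other_bits
        else:
            perms = e.perms
        out.append(Entry(e.tag, e.qualifier, perms))
    return out


def effective(acl: List[Entry]) -> Dict[Tuple[str, str], int]:
    """Effective permission per entry: owner, mask and other count as written,
    group:: and every named entry are ANDed with the mask (if one is present)."""
    mask = next((e.perms for e in acl if e.tag == "mask"), 7)
    eff = {}
    for e in acl:
        unmasked = e.tag == "mask" or (e.tag in ("user", "other") and e.qualifier == "")
        eff[(e.tag, e.qualifier)] = e.perms if unmasked else e.perms & mask
    return eff


def render(acl: List[Entry]) -> str:
    """getfacl-style listing with '# effective:' notes where the mask clips an entry."""
    eff = effective(acl)
    lines = []
    for e in acl:
        line = f"{e.tag}:{e.qualifier}:{fmt_perm(e.perms)}"
        if eff[(e.tag, e.qualifier)] != e.perms:
            line += f"\t\t# effective: {fmt_perm(eff[(e.tag, e.qualifier)])}"
        lines.append(line)
    return "\n".join(lines)


def umasks_satisfying(default_acl: List[Entry],
                      file_reqs: Dict[Tuple[str, str], int],
                      dir_reqs: Dict[Tuple[str, str], int]) -> List[int]:
    """Every umask 0000..0777 under which the required effective permissions hold
    for both new files (requested mode 0666) and new directories (0777)."""
    good = []
    for um in range(0o1000):
        f_eff = effective(new_object_acl(default_acl, 0o666, um))
        d_eff = effective(new_object_acl(default_acl, 0o777, um))
        files_ok = all(f_eff.get(k, 0) & need == need for k, need in file_reqs.items())
        dirs_ok = all(d_eff.get(k, 0) & need == need for k, need in dir_reqs.items())
        if files_ok and dirs_ok:
            good.append(um)
    return good


# Constructed input: the default ACL the post puts on cvsroot/ with setfacl -d.
CVSROOT_DEFAULT = parse_acl("""
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---
""")

# The post's requirements 1-4 as minimum effective permissions per entry.
FILE_REQS = {("group", "cvsuser"): R, ("group", "cvsadmin"): R | W}
DIR_REQS = {("group", "cvsuser"): R | X, ("group", "cvsadmin"): R | W | X}

if __name__ == "__main__":
    for um in (0o022, 0o027, 0o007):
        print(f"umask {um:04o}, new file under cvsroot/:")
        print(render(new_object_acl(CVSROOT_DEFAULT, 0o666, um)))
    ok = umasks_satisfying(CVSROOT_DEFAULT, FILE_REQS, DIR_REQS)
    print("umasks meeting requirements 1-4:", " ".join(f"{u:04o}" for u in ok))
```

Running it reproduces the `mask::rw-` / `effective: rw-` listing for umask 0007 and the `mask::r--` clipping for umask 0022, and the search shows that with this default ACL only umasks whose group digit is 0 keep cvsadmin writable, which is why 0027 is not an option for the tree while 0007 is.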



