userland acl_valid() weirdness

Robert Watson rwatson at FreeBSD.org
Sun Jul 13 16:20:53 UTC 2008


On Sat, 28 Jun 2008, Iustin Pop wrote:

> While trying to improve the python bindings for acls on 7.0-release, I came 
> up upon something that seems strange to me.
>
> Basically, an acl that contains an ACL_USER or ACL_GROUP entry with the 
> qualifier the same as the current user or group(s?) is declared invalid by 
> the userland, although this in my understanding of the specs is not 
> prohibited anywhere, and to me it doesn't make sense (an ACL should protect 
> from changes in the ownership of the file, for example).
>
> Furthermore, the kernel has completely different checks, although the 
> comments in lib/libc/posix1e/acl_support.c say:
>
>  * _posix1e_acl_check -- given an ACL, check its validity.  This is
>  * mirrored from code in sys/kern/kern_acl.c, and if changes are made in
>  * one, they should be made in the other also.
>
> What the kernel does is simply to set the qualifier for ACL_USER_OBJ and 
> ACL_GROUP_OBJ to ACL_UNDEFINED_ID, which seems sane, and then it checks the 
> qualifier for ACL_USER to be not equal to UNDEFINED_ID, which is much more 
> reasonable than the userspace code.
>
> Do I misunderstand here the usage?

Dear Iustin:

Sorry about the long delay in replying.  I've reviewed POSIX.1e and concur 
that there's nothing in the spec that seems to prohibit having an ACL_GROUP or 
ACL_USER entry with a qualifier that matches the file group or file owner. 
And, in fact, you can construct such a case now on FreeBSD, despite the 
validity check, by first setting the ACL and then chowning the file to the 
desired user or group matching an existing entry in the ACL.  Looking at the 
library code, this is indeed a problem, and I'll take a look at fixing this 
shortly.  Is there any chance I could get you to submit a PR on this problem, 
then forward me the PR receipt so I can grab ownership of it?

Thanks,

Robert N M Watson
Computer Laboratory
University of Cambridge

>
> Sample program:
> #include <sys/types.h>
> #include <sys/acl.h>
> #include <stdio.h>
> #include <unistd.h>
>
> int main(void) {
>        acl_t ma;
>        acl_entry_t e;
>        uid_t user = getuid();   /* qualifier equal to the calling user */
>
>        /* minimal ACL: owner rw, group r, other nothing */
>        ma = acl_from_text("u::rw,g::r,o::-");
>        if (ma == NULL) {
>                perror("acl_from_text");
>                return 1;
>        }
>        if (acl_valid(ma) == -1)
>                perror("initial acl is not valid");
>        /* add an ACL_USER entry whose qualifier is the current uid */
>        if (acl_create_entry(&ma, &e) == -1)
>                perror("acl_create_entry");
>        if (acl_set_tag_type(e, ACL_USER) == -1)
>                perror("acl_set_tag_type");
>        if (acl_set_qualifier(e, &user) == -1)
>                perror("acl_set_qualifier");
>        /* both of these fail when the qualifier equals getuid() */
>        if (acl_calc_mask(&ma) == -1)
>                perror("acl_calc_mask");
>        if (acl_valid(ma) == -1)
>                perror("modified acl is not valid");
>        acl_free(ma);
>        return 0;
> }
>
> In this example, acl_calc_mask and acl_valid will fail unless
> getuid() is changed to getuid()+1.
>
> thanks,
> iustin
> _______________________________________________
> posix1e at FreeBSD.org mailing list
> http://lists.freebsd.org/mailman/listinfo/posix1e
> To unsubscribe, send any mail to "posix1e-unsubscribe at FreeBSD.org"
>

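The kernel-side rule the thread describes (object entries get ACL_UNDEFINED_ID, named entries must carry a defined id, and no comparison against the file owner), written out as a stand-alone validator. This is an added example, not code from FreeBSD's libc or kernel; the tag enum, UNDEFINED_ID and struct entry are constructed stand-ins for the <sys/acl.h> types so it compiles without libacl, and the entry-count rules are the usual POSIX.1e draft 17 ones rather than anything quoted in the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

/* Constructed stand-ins for the <sys/acl.h> tag types and ACL_UNDEFINED_ID,
 * so this runs without libacl; the names are hypothetical. */
enum tag { T_USER_OBJ, T_USER, T_GROUP_OBJ, T_GROUP, T_MASK, T_OTHER };
#define UNDEFINED_ID ((uid_t)-1)
struct entry { enum tag tag; uid_t qual; };

/* Kernel-style check as the thread describes it: object-class entries get
 * UNDEFINED_ID as qualifier, named USER/GROUP entries must carry a defined
 * id.  The entry-count rules (one USER_OBJ, GROUP_OBJ, OTHER; at most one
 * MASK, mandatory once named entries exist) follow POSIX.1e draft 17.
 * Nothing here compares a named qualifier with the file owner or group. */
bool acl_check(struct entry *e, size_t n)
{
    int user_obj = 0, group_obj = 0, other = 0, mask = 0, named = 0;
    for (size_t i = 0; i < n; i++) {
        switch (e[i].tag) {
        case T_USER_OBJ:  user_obj++;  e[i].qual = UNDEFINED_ID; break;
        case T_GROUP_OBJ: group_obj++; e[i].qual = UNDEFINED_ID; break;
        case T_OTHER:     other++;     e[i].qual = UNDEFINED_ID; break;
        case T_MASK:      mask++;      e[i].qual = UNDEFINED_ID; break;
        case T_USER: case T_GROUP:
            if (e[i].qual == UNDEFINED_ID) return false;
            named++;
            break;
        default: return false;
        }
    }
    return user_obj == 1 && group_obj == 1 && other == 1
        && mask <= 1 && (named == 0 || mask == 1);
}

/* Iustin's case: a named user entry whose id equals the file owner's uid. */
bool owner_match_is_valid(uid_t owner)
{
    struct entry acl[] = { { T_USER_OBJ, owner }, { T_USER, owner },
        { T_GROUP_OBJ, 0 }, { T_MASK, 0 }, { T_OTHER, 0 } };
    return acl_check(acl, sizeof acl / sizeof acl[0]);
}

/* A case the same rule does reject: a named entry with no defined id. */
bool undefined_named_id_is_valid(void)
{
    struct entry acl[] = { { T_USER_OBJ, 0 }, { T_USER, UNDEFINED_ID },
        { T_GROUP_OBJ, 0 }, { T_MASK, 0 }, { T_OTHER, 0 } };
    return acl_check(acl, 5);
}
```

Under this rule the ACL from the sample program, with a mask entry added, passes regardless of whether the qualifier equals getuid(); the libc check is the one that diverges.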