misc/110915: ACL's don't work with SUIDDIR

Cédric Jonas cedric at decemplex.net
Tue Mar 27 10:50:05 UTC 2007 

>Number:         110915
>Category:       misc
>Synopsis:       ACL's don't work with SUIDDIR
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 27 10:50:04 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Cédric Jonas
>Release:        FreeBSD 6.2-RELEASE
>Organization:
>Environment:
FreeBSD project.decemplex.net 6.2-RELEASE-p3 FreeBSD 6.2-RELEASE-p3 #1: Wed Mar 21 16:20:37 CET 2007     cedric at nyx.decemplex.net:/usr/obj/usr/src/sys/NYX  i386
>Description:
I'm using FreeBSD 6.2-RELEASE, with suiddir set as option in kernel
config and fstab (+ acl support).
My goal is to have a directory (precisely a SVN repo) writable by X
specific users, where all created/modified files remain owned by svn.

I tried following:

	drwx------  7 svn  users  512 21 Mär 17:30 braintrust
	=> user thomas CANT'T write in braintrust  

	setfacl -d -m u::rwx,g::---,o::---,u:thomas:rwx braintrust/
	drwx------  7 svn  users  512 21 Mär 17:31 braintrust
	=> user thomas CAN'T write in braintrust - but he got an  
	   default ACL that will apply on all created files in
	   braintrust

	setfacl -m u:thomas:rwx braintrust/
	drwxrwx---+ 7 svn  users  512 21 Mär 17:34 braintrust
	=> user thomas CAN write in braintrust - and all created files  
	   in braintrust got the default ACL

	chmod +s braintrust/
	drwsrws---+ 7 svn  users  512 21 Mär 17:35 braintrust
	=> braintrust get the suidbit/sgidbit, and all files created by  
	   thomas in braintrust should be owned by svn|users
	   BUT: after +s, user thomas CAN'T write anymore in
	   braintrust, the error is not "Permission denied", but
	   "Operation not permitted". However, he can read the
	   directory content. If I do the same with a directory that
	   hasn't ACL's, it works as expected...

If I understand the manpages correctly, this isn't the correct
behavior, but a bug.

The problem isn't unknown: 
http://lists.freebsd.org/pipermail/freebsd-stable/2005-February/011786.html
http://lists.freebsd.org/pipermail/freebsd-stable/2005-February/011797.html

And I post it also on the mailing list:
http://lists.freebsd.org/pipermail/freebsd-fs/2007-March/002811.html

I'm available if help is needed.
>How-To-Repeat:
A kernel with UFS_ACL and SUIDDIR support is needed. Also, the file system must be mounted with both options.

cd /tmp
mkdir testDir
chmod u=rwx,g=,o= testDir
chown svn:users testDir
setfacl -d -m u::rwx,g::---,o::---,u:thomas:rwx testDir/
setfacl -m u:thomas:rwx testDir/
As user thomas: touch testDir/testFile1
chmod +s testDir/
As user thomas: touch testDir/testFile2

Replace usernames with yours, but don't use root as testDir owner, it must be a different user.
>Fix:
No known fix.
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list