misc/110915: ACL's don't work with SUIDDIR
Cédric Jonas
cedric at decemplex.net
Tue Mar 27 10:50:05 UTC 2007
>Number: 110915
>Category: misc
>Synopsis: ACL's don't work with SUIDDIR
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Mar 27 10:50:04 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Cédric Jonas
>Release: FreeBSD 6.2-RELEASE
>Organization:
>Environment:
FreeBSD project.decemplex.net 6.2-RELEASE-p3 FreeBSD 6.2-RELEASE-p3 #1: Wed Mar 21 16:20:37 CET 2007 cedric at nyx.decemplex.net:/usr/obj/usr/src/sys/NYX i386
>Description:
I'm using FreeBSD 6.2-RELEASE, with suiddir set as option in kernel
config and fstab (+ acl support).
My goal is to have a directory (precisely a SVN repo) writable by X
specific users, where all created/modified files remain owned by svn.
I tried following:
drwx------ 7 svn users 512 21 Mär 17:30 braintrust
=> user thomas CANT'T write in braintrust
setfacl -d -m u::rwx,g::---,o::---,u:thomas:rwx braintrust/
drwx------ 7 svn users 512 21 Mär 17:31 braintrust
=> user thomas CAN'T write in braintrust - but he got an
default ACL that will apply on all created files in
braintrust
setfacl -m u:thomas:rwx braintrust/
drwxrwx---+ 7 svn users 512 21 Mär 17:34 braintrust
=> user thomas CAN write in braintrust - and all created files
in braintrust got the default ACL
chmod +s braintrust/
drwsrws---+ 7 svn users 512 21 Mär 17:35 braintrust
=> braintrust get the suidbit/sgidbit, and all files created by
thomas in braintrust should be owned by svn|users
BUT: after +s, user thomas CAN'T write anymore in
braintrust, the error is not "Permission denied", but
"Operation not permitted". However, he can read the
directory content. If I do the same with a directory that
hasn't ACL's, it works as expected...
If I understand the manpages correctly, this isn't the correct
behavior, but a bug.
The problem isn't unknown:
http://lists.freebsd.org/pipermail/freebsd-stable/2005-February/011786.html
http://lists.freebsd.org/pipermail/freebsd-stable/2005-February/011797.html
And I post it also on the mailing list:
http://lists.freebsd.org/pipermail/freebsd-fs/2007-March/002811.html
I'm available if help is needed.
>How-To-Repeat:
A kernel with UFS_ACL and SUIDDIR support is needed. Also, the file system must be mounted with both options.
cd /tmp
mkdir testDir
chmod u=rwx,g=,o= testDir
chown svn:users testDir
setfacl -d -m u::rwx,g::---,o::---,u:thomas:rwx testDir/
setfacl -m u:thomas:rwx testDir/
As user thomas: touch testDir/testFile1
chmod +s testDir/
As user thomas: touch testDir/testFile2
Replace usernames with yours, but don't use root as testDir owner, it must be a different user.
>Fix:
No known fix.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list