ACLs are not reflected in FS extended attributes

Chris bsd-lists at bsdforge.com
Tue Apr 27 17:20:35 UTC 2021


On 2021-04-27 01:41, Gleb Popov wrote:
> Hello hackers.
> 
> I'm trying to implement the Linux acl_extended_file() function [1] within our
> libc. On Linux this function is implemented via getxattr, a function that
> reads extended attributes from the file [2][3].
> 
> My implementation follows the Linux one:
> 
> 
> int
> acl_extended_file_np(const char *path_p)
> {
>     return _acl_extended_file(extattr_get_file, path_p);
> }
> 
> int _acl_extended_file(getattr_func f, const char* path_p)
> {
>     int base_size = 9999; // figure out this later
>     int retval;
> 
>     retval = f(path_p, POSIX1E_ACL_ACCESS_EXTATTR_NAMESPACE,
>         POSIX1E_ACL_ACCESS_EXTATTR_NAME, NULL, 0);
>     printf("Retval1: %d\n", retval);
>     if (retval < 0 && errno != ENOATTR)
>         return -1;
>     if (retval > base_size)
>         return 1;
>     retval = f(path_p, POSIX1E_ACL_DEFAULT_EXTATTR_NAMESPACE,
>         POSIX1E_ACL_DEFAULT_EXTATTR_NAME, NULL, 0);
>     printf("Retval2: %d\n", retval);
>     if (retval < 0 && errno != ENOATTR)
>         return -1;
>     if (retval > base_size)
>         return 1;
>     return 0;
> }
> 
> 
> However, when I tried to use it, I stumbled upon the following differences:
> 
> - It requires root permissions to operate. I guess this is because it tries
> to look at "system" extattr namespace.
> - It doesn't work anyways due to "Attribute not found" error.
> 
> And indeed, the same behavior can be seen when using command line tools.
> On Linux:
> $ setfacl -m u:someuser:rwx somefile
> $ getfattr -d -m - somefile
> system.posix_acl_access=<mangled ACL data>
> 
> 
> On FreeBSD:
> $ setfacl -m u:someuser:rwx:allow somefile
> $ sudo getextattr system posix1e.acl_access somefile
> failed: Attribute not found
> 
> I guess that the FreeBSD behaviour is actually not a bug and libacl just uses
> some internal knowledge about how ACL/xattr is implemented on Linux. If
> this is correct, how should I approach implementing this function on
> FreeBSD?
> 
> Thanks in advance.

Apologies in advance if I'm somehow off the mark here.
But macOS already does this. It might provide better examples for your
needs.
But as I understand it, the underlying file system needs to have space
for, and be aware of, your intentions in order to accomplish this, which
speaks to some degree to the error(s) you're receiving. Indeed, root
will be the only one able to fully see these attributes, unless you make
some accommodations for user rights. IOW it'll somehow need to be
incorporated with the permission setup already implemented in the
existing file system.
Again, if I've somehow glossed over your intentions and missed something,
my apologies.

--Chris
> 
> [1] https://linux.die.net/man/3/acl_extended_file
> [2]
> http://git.savannah.nongnu.org/cgit/acl.git/tree/libacl/acl_extended_file.c
> [3]
> http://git.savannah.nongnu.org/cgit/acl.git/tree/libacl/__acl_extended_file.c
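
For the Linux side of the quoted question, an added example (not code from the thread or from libacl): it assumes the Linux layout of the `system.posix_acl_access` value, a 4-byte version header followed by 8-byte entries, under which a minimal three-entry ACL is 28 bytes. The function names and both sample byte arrays are constructed for illustration; the FreeBSD output quoted above shows no such attribute there, so this describes only the Linux case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed Linux layout of system.posix_acl_access (not FreeBSD):
 * le32 version, then 8-byte entries {le16 tag, le16 perm, le32 id}. */
#define XA_VERSION 2u
#define XA_HDR     4u
#define XA_ENTRY   8u
#define XA_BASE    (XA_HDR + 3u * XA_ENTRY)  /* minimal ACL: 28 bytes */

enum { T_USER_OBJ = 0x01, T_USER = 0x02, T_GROUP_OBJ = 0x04,
       T_GROUP = 0x08, T_MASK = 0x10, T_OTHER = 0x20 };

/* Constructed samples: u::rw-,g::r--,o::r-- and the same plus u:1001:rwx,mask. */
static const uint8_t sample_minimal[] = {
    2,0,0,0,  0x01,0,6,0,0xff,0xff,0xff,0xff,  0x04,0,4,0,0xff,0xff,0xff,0xff,
    0x20,0,4,0,0xff,0xff,0xff,0xff };
static const uint8_t sample_extended[] = {
    2,0,0,0,  0x01,0,6,0,0xff,0xff,0xff,0xff,  0x02,0,7,0,0xe9,0x03,0,0,
    0x04,0,4,0,0xff,0xff,0xff,0xff,  0x10,0,7,0,0xff,0xff,0xff,0xff,
    0x20,0,4,0,0xff,0xff,0xff,0xff };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Size-only test, the shape of the check in the quoted code. */
int size_says_extended(long xattr_len) { return xattr_len > (long)XA_BASE; }

/* Tag-level test: 1 = extended, 0 = minimal, -1 = malformed blob. */
int acl_xattr_is_extended(const uint8_t *buf, size_t len)
{
    int extended = 0;
    if (len < XA_HDR || (len - XA_HDR) % XA_ENTRY != 0)
        return -1;
    if ((le16(buf) | ((uint32_t)le16(buf + 2) << 16)) != XA_VERSION)
        return -1;
    for (size_t off = XA_HDR; off < len; off += XA_ENTRY) {
        switch (le16(buf + off)) {
        case T_USER_OBJ: case T_GROUP_OBJ: case T_OTHER: break;
        case T_USER: case T_GROUP: case T_MASK: extended = 1; break;
        default: return -1;  /* unknown tag */
        }
    }
    return extended;
}

int main(void)
{
    printf("minimal: %d, extended: %d\n",
           acl_xattr_is_extended(sample_minimal, sizeof sample_minimal),
           acl_xattr_is_extended(sample_extended, sizeof sample_extended));
    return 0;
}
```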

