Default ACL: Semantics (again)
Andreas Gruenbacher
a.gruenbacher at infosys.tuwien.ac.at
Thu Oct 7 00:00:31 GMT 1999
James Buster wrote:
>
> On Oct 6, 12:36pm, "Peter J. Holzer" wrote:
> } Subject: Re: Default ACL: Semantics (again)
> }
> } On 1999-10-05 13:38:44 +0200, Andreas Gruenbacher wrote:
> } > The rules suggested don't allow, for files created, to grant
> } > different rights to different users. Consider the following
> } > scenario:
> } >
> } > User A shall be allowed to create files, but is not
> } > allowed zo change the files created afterwards.
> } >
> } > User B is allowed to create files, and is also allowed
> } > to change the files afterwards.
> } >
> } > Apart from the fact that with the basic rwx set of permissions,
> } > it is possible for user A to delete and re-create files,
> }
> } It is also possible for user A to change the acl of the file after
> } creation (he is the owner of the file after all) and then write to it.
>
> Even that isn't necessary. creat() ignores both file permissions and
> ACLs when creating files. For example,
> int fd;
> ...
> fd = creat("/tmp/xxx", 0);
Yes. The use of the word `afterwards' above was meant to describe a
point in time when the file has already been closed again. This
behavior of creat() is very useful in a lot of situations.
> [...] What Mr. Gruenbacher wants
> cannot be done without a fundamental change in the semantics of Unix
> file creation.
I just don't see that fundamental change in file creation semantics.
user group other
----+-------+-------+-------+
| r w x | r w x | r w x |
----+-------+-------+-------+
^ ^ ^
| | +-- maps to ACL_OTHER_OBJ
| +-- maps to ACL_GROUP_OBJ or ACL_MASK_OBJ
+-- maps to ACL_USER_OBJ
When a file is created with creat() in a directory that has
a default ACL, there are the following pieces of information:
- the mode parameter to creat()
- the mode field of the file.
- the default ACL.
The mode field of the file has to be initialized in a meaningful way.
For the owner, there are:
(A) the ACL_USER_OBJ ACL entry permission bits.
(B) the user bits in the mode field of the file.
So my understanding of the standard is:
Set both (A) and (B) to the intersection of the default ACL's
ACL_USER_OBJ entry permission bits and the ACL_MASK entry
permission bits.
Correct? Unclear? Wrong?
Let's take an example.
It doesn't matter if this example isn't very useful. I'm
first of all concerned with the mechanisms.
--------------------------- snip ---------------------------
joe at snowball:/acl/d1 > getfacl .
# file: .
# owner: agruenba
# group: users
user::rwx
group::rwx
other:rwx
default:user::---
default:user:joe:rwx
default:user:lisa:r-x
default:group::r-x
default:mask:rwx
default:other:r-x
joe at snowball:/acl/d1 > touch x
joe at snowball:/acl/d1 > getfacl x
# file: x
# owner: joe
# group: toolies
user::---
user:joe:rwx #effective:rw-
group::r-x #effective:r--
mask:rw-
other:r--
joe at snowball:/acl/d1 > cat x
cat: x: Permission denied
joe at snowball:/acl/d1 >
--------------------------- snip ---------------------------
Now the old question was why the permissions joe would
have from the `u:joe:rwx' entry shouldn't get added to the
`user::---' entry.
The result would be:
----------------------- snip (fiction) -----------------------
joe at snowball:/acl/d1 > touch x
joe at snowball:/acl/d1 > getfacl x
# file: x
# owner: joe
# group: toolies
user::rw-
user:joe:rwx #effective:rw-
group::r-x #effective:r--
mask:rw-
other:r--
joe at snowball:/acl/d1 > cat x
joe at snowball:/acl/d1 >
----------------------- snip (fiction) -----------------------
That way, it would be easy to grant another user, lisa,
different permissions on files she creates (nce she has
closed them the first time):
----------------------- snip (fiction) -----------------------
lisa at snowball:/acl/d1 > touch y
lisa at snowball:/acl/d1 > getfacl y
# file: y
# owner: lisa
# group: toolies
user::r--
user:lisa:r-x #effective:r--
user:joe:rwx #effective:rw-
group::r-x #effective:r--
mask:rw-
other:r--
lisa at snowball:/acl/d1 > cat y
lisa at snowball:/acl/d1 >
----------------------- snip (fiction) -----------------------
Why doesn't the standard demand this?
Why doesn't the standard even just allow this?
It's really just a small change, but makes the whole system
a lot more useful, doesn't it?
Andreas
------------------------------------------------------------------------
Andreas Gruenbacher, Vienna University of Technology
a.gruenbacher at infosys.tuwien.ac.at
Contact information: http://www.infosys.tuwien.ac.at/~agruenba
To Unsubscribe: send mail to majordomo at cyrus.watson.org
with "unsubscribe posix1e" in the body of the message
More information about the posix1e
mailing list