Relative vs. absolute ACLs, and necessity for '-' when printing
Andreas Gruenbacher
ag at moses.parsec.at
Tue Dec 19 05:49:25 GMT 2000
On Mon, 18 Dec 2000, Casey Schaufler wrote:
> Robert Watson wrote:
> >
> > Two quickies:
> >
> > 1) The POSIX.2c setfacl spec refers to "absolute" and "relative" ACLs. In
> > permission-land, the difference has to do with the use of an operator ('-',
> > '+') rather than specification of a mode directly. In ACLs, I would guess
> > it involves individual entries in the ACL using operators rather than
> > absolutely specifying the rights, but I was unable to find this definition
> > in .1e or .2c. Could someone point me in the right direction?
>
> The intention is for setfacl("u:casey:-w") to delete Casey's write
> access to the file.
*Ouch*!
The letter `-' is already a reserved letter, meaning `no access by this
ACL entry'. This is in section 8.1.7, page 17 of 1003.2c draft 17. The
same section specifies both the format for getfacl and setfacl. (The draft
doesn't specify a letter for adding permissions.) This is literally from
draft 17:
The third field contains the discretionary access permissions. This
standard defines the following symbolic discretionary access
permissions:
r Read access
w Write access
x Execute/search access
- No access by this ACL entry.
The discretionary access permissions field shall contain exactly one
each of the following characters in the following order: r, w, and x.
Each of these may be replaced by the "-" character to indicate no
access. An implementation may define additional characters following
the required characters that represent implementation-defined
permissions.
Consider this sequence of commands:
getfacl file1 | setfacl -b -M - file2
Getfacl returns, say,
# file: file1
# owner: joe
# group: users
user::rw-
group:-w-
other:---
With `-' meaning `remove the following permission(s)', how is setfacl
supposed to interpret the output of getfacl?
> > 2) The .2c getfacl specification states that a given right letter ("w",
> > for example) "may" be replaced by a "-" if the right is not present.
>
> Thus, o::x, o::-x, o::--x ought to be equivalent. In Irix we let you
> toss a '-' in anywhere you want, and don't require the access mode
> specifications to be in any particular order. Thus, o::rw, o::r-w,
> o::rw-, o::---------w--------r---------- are all legal, and
> equivalent.
This seems to contradict your response to question one.
Regards,
Andreas.
------------------------------------------------------------------------
Andreas Gruenbacher, a.gruenbacher at computer.org
Contact information: http://www.bestbits.at/~ag/
To Unsubscribe: send mail to majordomo at cyrus.watson.org
with "unsubscribe posix1e" in the body of the message
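The three readings of the permission field argued over in this thread, as an added example (not code from the posix1e list, from the 1003.2c draft, or from any setfacl implementation). It models the draft-17 rule quoted above, the relaxed IRIX-style rule Casey describes, and the "leading `-' removes" reading, and runs the `getfacl | setfacl -M -` pipeline over a constructed sample. Assumptions: entries are in the three-field long text form tag:qualifier:perms (so the sample writes `group::-w-`), and `+` is taken as the add operator for the relative reading, a letter the draft does not define.

```python
import re

# Constructed sample of getfacl output in the draft-17 long text form
# (tag:qualifier:perms); not captured from any real system.
GETFACL_OUTPUT = """\
# file: file1
# owner: joe
# group: users
user::rw-
group::-w-
other::---
"""

# Draft 17, section 8.1.7: exactly one each of r, w and x, in that
# order, any of which may be replaced by '-' meaning "no access".
STRICT_FIELD = re.compile(r"^[r-][w-][x-]$")


def is_strict_field(field):
    """True if the field is well formed under the draft-17 rule."""
    return STRICT_FIELD.match(field) is not None


def parse_perms_strict(field):
    """Permissions granted by a draft-17 field; '-' is a placeholder."""
    if not is_strict_field(field):
        raise ValueError(f"malformed permission field {field!r}")
    return frozenset(c for c in field if c != "-")


def parse_perms_relaxed(field):
    """IRIX-style field as described in the thread: r, w, x in any
    order, '-' allowed anywhere as filler, so 'rw', 'r-w' and 'rw-'
    are equivalent."""
    perms = set()
    for c in field:
        if c == "-":
            continue
        if c not in "rwx":
            raise ValueError(f"unknown permission letter {c!r}")
        perms.add(c)
    return frozenset(perms)


def parse_perms_as_operator(field):
    """The *relative* reading proposed in the thread: a leading '-'
    means "remove the following permissions".  Modelled only to show
    the clash with the draft.  '+' as the add operator is an assumption
    of this example; the draft defines no such letter."""
    if field and field[0] in "+-":
        op = "remove" if field[0] == "-" else "add"
        return op, frozenset(c for c in field[1:] if c in "rwx")
    return "set", frozenset(c for c in field if c in "rwx")


def parse_acl(text, perms_parser=parse_perms_strict):
    """Parse getfacl long-text output into (tag, qualifier, perms)
    tuples, skipping the '# file:' style header lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"expected tag:qualifier:perms, got {line!r}")
        tag, qualifier, field = parts
        entries.append((tag, qualifier, perms_parser(field)))
    return entries


def format_entry(tag, qualifier, perms):
    """Emit an entry in the fixed-width draft-17 form."""
    field = "".join(c if c in perms else "-" for c in "rwx")
    return f"{tag}:{qualifier}:{field}"


def round_trip(text):
    """Model 'getfacl file1 | setfacl -b -M - file2' under the draft
    rule: parse, then re-emit.  The text must be its own fixed point
    for the pipeline to be meaningful."""
    return "\n".join(format_entry(*entry) for entry in parse_acl(text))


def conflicting_entries(text):
    """Entries that the draft-17 reading and the "leading '-' removes"
    reading interpret differently.  Any such entry in getfacl output
    is one a piped setfacl could not interpret unambiguously."""
    conflicts = []
    for tag, qualifier, field in parse_acl(text, perms_parser=lambda f: f):
        strict = parse_perms_strict(field)
        relative = parse_perms_as_operator(field)
        if relative != ("set", strict):
            conflicts.append((f"{tag}:{qualifier}:{field}", strict, relative))
    return conflicts


if __name__ == "__main__":
    print(round_trip(GETFACL_OUTPUT))
    for entry, strict, relative in conflicting_entries(GETFACL_OUTPUT):
        print(entry, "draft grants", sorted(strict), "relative reading", relative)
```

Under the draft rule the sample round-trips unchanged, so the pipe works. Under the operator reading, `group::-w-` and `other::---` both start with `-` and turn into removals, which is the ambiguity Andreas points at; and the relaxed rule, which makes `-w` equal to `w`, cannot coexist with an operator reading that makes `-w` the opposite of `w`.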