Non-trivial ACLs only?
Dr. Rolf Jansen
rj at obsigna.com
Mon Jul 14 19:14:54 UTC 2014
On 14.07.2014 at 05:58, Edward Tomasz Napierała <trasz at FreeBSD.org> wrote:
Many thanks for your response, I very much appreciate your help. I think I am almost there.
>> OK, how then can I find out if there are ACLs set on directories or not? Please consider the following code snippet:
>
> Two of the three cases in your mail were correct. It's just
> that the one for ACL_TYPE_DEFAULT was wrong.
>
>> #include <stdio.h>
>> #include <sys/types.h>
>> #include <sys/stat.h>
>> #include <sys/acl.h>
>>
>> int main(int argc, char *const argv[])
>> {
>>     mkdir("test_acl_dir", 0755);
>>
>>     if (acl_get_link_np("test_acl_dir", ACL_TYPE_DEFAULT))
>>         printf("ACL found.\n");
>>     else
>>         printf("ACL not found.\n");
>>
>>     return 0;
>> }
>>
>> clang acltest.c -o acltest
>> rm -rf test_acl_dir && ./acltest
>>
>> On FreeBSD 9.2, the above command sequence results in "ACL found." Actually no ACL has been set, and I would have expected that any acl_get_*() function would have returned NULL. So, why does it return a result which is so completely nonsensical for the copy purpose?
>
> Because NULL return means error, and in this case there is no
> error - it's just that there is no default ACL set. In FreeBSD,
> this is expressed by empty (zero entries) ACL.

Please consider the following variant of the above example:

    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <sys/acl.h>

    /* Overlay used to peek at the two leading counters behind the
       opaque acl_t; this relies on the library's internal layout. */
    struct acl_t_head
    {
        unsigned int acl_maxcnt;
        unsigned int acl_cnt;
    };
    typedef struct acl_t_head *acl_head_t;

    int main(int argc, char *const argv[])
    {
        mkdir("test_acl_dir", 0755);

        acl_head_t acl = (acl_head_t)acl_get_link_np("test_acl_dir", ACL_TYPE_ACCESS);
        if (acl == NULL) {
            /* NULL means error, not "no ACL" */
            perror("acl_get_link_np");
            return 1;
        }

        if (acl->acl_cnt)
            printf("ACL found: %u of %u entries.\n", acl->acl_cnt, acl->acl_maxcnt);
        else
            printf("ACL not found: %u of %u entries.\n", acl->acl_cnt, acl->acl_maxcnt);

        return 0;
    }

    clang acltest.c -o acltest
    rm -rf test_acl_dir && ./acltest

The above command sequence results in:

    ACL found: 3 of 254 entries.

Anyway, I am actually starting to wonder whether my file system cloning tool needs to address the ACLs via the respective API at all. It doesn't want to process any ACL, but, if one is present, only transfer it from the original to the cloned file system item. I will now have a closer look at the posix1e.acl_access, posix1e.acl_default, and nfs4.acl extended attributes. Perhaps it is as simple as copying over everything that is in the extattr system namespace.
Best regards
Rolf
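
The two results discussed in this message (an empty default ACL, and an access ACL with 3 entries on a directory where nothing was set) give a simple rule for a cloning tool, shown here as an added example that is not code from the thread or from FreeBSD. It assumes POSIX.1e ACLs whose 3 base entries are owner, group and other; the enum names and `acl_needs_copy` are hypothetical stand-ins so that the block compiles without <sys/acl.h>.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for POSIX.1e tag types; not the sys/acl.h definitions. */
enum tag  { T_USER_OBJ, T_USER, T_GROUP_OBJ, T_GROUP, T_MASK, T_OTHER };
enum kind { K_ACCESS, K_DEFAULT };

/*
 * Return 1 if the ACL carries information the mode bits do not, so a
 * cloning tool must transfer it; return 0 if it can be skipped.
 */
int acl_needs_copy(enum kind kind, const enum tag *entries, size_t count)
{
    size_t i;

    /* Zero entries in a default ACL means "no default ACL set".
       Any entry at all changes what new children inherit. */
    if (kind == K_DEFAULT)
        return count > 0;

    /* Access ACL: owner/group/other entries alone only mirror st_mode. */
    for (i = 0; i < count; i++) {
        if (entries[i] != T_USER_OBJ && entries[i] != T_GROUP_OBJ &&
            entries[i] != T_OTHER)
            return 1;   /* named user, named group or mask entry */
    }
    return 0;
}

/* Constructed sample ACLs. */
const enum tag fresh_dir[] = { T_USER_OBJ, T_GROUP_OBJ, T_OTHER };
const enum tag extended[]  = { T_USER_OBJ, T_USER, T_GROUP_OBJ, T_MASK, T_OTHER };

int main(void)
{
    printf("fresh dir, access ACL : %d\n", acl_needs_copy(K_ACCESS, fresh_dir, 3));
    printf("fresh dir, default ACL: %d\n", acl_needs_copy(K_DEFAULT, NULL, 0));
    printf("extended access ACL   : %d\n", acl_needs_copy(K_ACCESS, extended, 5));
    printf("inherited default ACL : %d\n", acl_needs_copy(K_DEFAULT, fresh_dir, 3));
    return 0;
}
```

Skipping an ACL that this check flags would leave the clone with broader or narrower access than the original, so the copy should fail loudly rather than fall back to mode bits.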