Starting Point.

Robert Watson rwatson at FreeBSD.org
Thu May 6 17:56:21 GMT 2004 

On Thu, 6 May 2004, Wade Klaver wrote:

> Regarding UFS_ACL,  In my kernel I have:
> options         UFS_ACL                 #Support for access control lists
> After setting acls as an option to fstab, mount show:
> /dev/ad0s2f on /usr (ufs, local, soft-updates, acls)
> 
> Dope!  I see you can apply the acls option to a ufs, not ufs2 partition. 
> I guess that could be the root of my problem.  Any ufs->ufs2 upgrade
> path?  Once I fix this, I will make sure that the ls issue is not
> related prior to sending a PR. 

You can actually use ACLs with UFS1, but the configuration process is
quite a bit more complex, and also it is less reliable in the presence of
a crash or file system damage.  You can find instructions for doing this
in the FreeBSD kernel source tree in the following two files:

  src/sys/ufs/ufs/README.extattr
  src/sys/ufs/ufs/README.acls

This model for configuration extended attributes and ACLs is not
documented in the handbook, etc, because it's really not the preferred way
to do it.  I would recommend updating to ufs2.  Unfortunately, the update
mechanism is a little less than user friendly: you basically have to
backup, newfs, and restore.  My suspicion is that you installed 5.x on the
box originally with 5.0, which wasn't able to boot from UFS2, so would
create the root file system as UFS1?

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Senior Research Scientist, McAfee Research


> 
>  -Wade
> 
> On May 6, 2004 09:54, Robert Watson wrote:
> > On Thu, 6 May 2004, Wade Klaver wrote:
> > >   I will take whatever you have at this point.  Even references to some
> > > writing of a more theoretical nature that does a good job of explaining
> > > the nature and implementation of trusted systems would be good.  Also,
> > > if there is a number of these partially complete documents in need of
> > > consolidation, I could take a shoot at it.  The best stuff I have
> > > managed to track down comes out of the freebsd-security list archives.
> > > I just have some funny goings on that I am sure are related to initial
> > > configuration issues.  If this is not the case, please let me know.
> > > Things like:
> > >   When a non-root user issues a 'ls -l', I get things like:
> > > ls: ./cmp.sh: Operation not supported
> > > -rw-r--r--  1 wade  wheel       134 Oct 31  2002 cmp.sh
> > > raised by:
> > > __acl_get_file(0xbfbfdc90,0x0,0x8052400)         ERR#45 'Operation not
> > > supported'
> > >
> > > Same problems with the FACL stuff:
> > > root at arch-/home/wade:setfacl -m u:wade:rw c
> > > setfacl: acl_get_file() failed: Operation not supported
> >
> > Sounds like a couple of problems:
> >
> > 1. It looks like ls(1) no longer masks the error it gets back to check for
> >    ACLs if it gets EOPNOTSUPP.  There was a recent change to ls(1) to
> >    improve performance when checking for the presence of ACLs, so it could
> >    be a result of that change.
> >
> > 2. It looks like you may not have UFS_ACL compiled into your kernel
> >    configuration.  This option is required in order to enable ACLs on UFS
> >    file systems.  Normally, it appears in the GENERIC kernel
> >    configuration, so you might want to check that it wasn't
> >    unintentionally removed from your configuration.
> >
> > 3. It's not clear that ACLs are enabled on the file system that you're
> >    attempting to use them on.
> >
> > Take a look at the documentation here:
> >
> >   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/fs-acl.html
> >
> > It explains how to configure ACLs on a file system, and check to make sure
> > that both the kernel configuration and file system configuration are
> > correct.  If you could also use send-pr(1) to file a bug report for the
> > ls(1) problem, that would be great.
> >
> > Thanks!
> >
> > Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
> > robert at fledge.watson.org      Senior Research Scientist, McAfee Research
> 
> -- 
> Wade Klaver
> Wavefire Technologies Corporation
> GPG Public Key at http://archeron.wavefire.com
> 
> /"\   ASCII Ribbon Campaign  .
> \ / - NO HTML/RTF in e-mail  .
>  X  - NO Word docs in e-mail .
> / \ -----------------------------------------------------------------
> 


To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message

More information about the trustedbsd-discuss mailing list