setfacl(2.4.0.14): recalculation of the ACL mask entry

Houder houder@xs4all.nl
Sun Dec 20 17:53:00 GMT 2015 

Hi Corinna,

According to acl(5), the mask entry (as reported by getacl) is 
"optional" if the
acl contains no 'u:uid:perm' and/or 'g:gid:perm' entries (ace's) ... 
Ahem.

VALID ACLs (from acl(5) )

      A valid ACL contains exactly one entry with each of the 
ACL_USER_OBJ,
      ACL_GROUP_OBJ, and ACL_OTHER tag types. Entries with ACL_USER and
      ACL_GROUP tag types may appear zero or more times in an ACL. An ACL
      that contains entries of ACL_USER or ACL_GROUP tag types must 
contain
      exactly one entry of the ACL_MASK tag type. If an ACL contains no
      entries of ACL_USER or ACL_GROUP tag types, the ACL_MASK entry is
      optional.

However, setfacl(1) and your setfacl also note, that the default 
behaviour of
setfacl is to recalculate the mask entry ...

%% setfacl -h
Usage: setfacl [-n] {-f ACL_FILE | -s acl_entries} FILE...
        setfacl [-n] {[-bk]|[-x acl_entries] [-m acl_entries]} FILE...
[snip]

-n, --no-mask
   Valid in conjunction with -m.  Do not recalculate the effective rights
   mask. The default behavior of setfacl is to recalculate the ACL mask 
entry,
   unless a mask entry was explicitly given.  The mask entry is set to 
the
   union of all permissions of the owning group, and all named user and 
group
   entries.  (These are exactly the entries affected by the mask entry).
[snip]

I decided to experiment ... See below. (the mask entry is not 
recalculated, it
appears).

Regards,
Henri

-----
%% uname -a
CYGWIN_NT-6.1-WOW Seven 2.4.0(0.292/5/3) 2015-12-20 13:18 i686 Cygwin
%% id
uid=1000(Henri) gid=513(None) 
groups=513(None),1007(HelpLibraryUpdaters),559(Performance Log 
Users),545(Users),11(Authenticated Users)

%% touch foo.txt
%% getfacl foo.txt
# file: foo.txt
# owner: Henri
# group: None
user::rw-
group::r--
other:r--

%% setfacl -m g:Replicator:rw- foo.txt
%% getfacl foo.txt
# file: foo.txt
# owner: Henri
# group: None
user::rw-
group::r--
group:Replicator:rw-
mask:rw-
other:r--

%% setfacl -x g:Replicator: foo.txt # and remove it again
%% getfacl foo.txt
# file: foo.txt
# owner: Henri
# group: None
user::rw-
group::r--
mask:rw- <==== mask is now optional according to acl(5), but ...
other:r--

%% ls -l foo.txt
-rw-rw-r-- 1 Henri None 0 Dec 20 17:59 foo.txt <==== OK, but ...
%%

Ok, the permissions correspond with the mask (see acl(5) ), but 
according to setfacl(1),
the mask should have been recalculated ...

According to acl(5):
ACL ENTRIES

ACL_MASK  The ACL_MASK entry denotes the maximum access
           rights that can be granted by entries of type
           ACL_USER, ACL_GROUP_OBJ, or ACL_GROUP.

Recalculation by me in this case, yields: mask:r--

(perhaps, as suggested by Sam, I should retire ... it is all getting 
beyond
  simple is it not?)

  ### switch from user Henri to user Test
(can another user with the same gid, modify the file?)

%% pwd
/home/Test
%% cd ../Henri
%% id
uid=1006(Test) gid=513(None) 
groups=513(None),545(Users),11(Authenticated Users)
%% ls -l foo.txt
-rw-rw-r-- 1 Henri None 0 Dec 20 17:59 foo.txt
%% echo Corinna > foo.txt
bash: foo.txt: Permission denied <==== OK, but the permissions as shown, 
are
                                        misleading, are they not?
%%

=====

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

More information about the Cygwin mailing list