From: Jan Kara <jack@suse.cz>
To: Theodore Tso <tytso@MIT.EDU>
Cc: Jan Kara <jack@suse.cz>, Eric Sandeen <sandeen@redhat.com>,
ext4 development <linux-ext4@vger.kernel.org>
Subject: Re: [PATCH] ext4: enable acls and user_xattr by default
Date: Thu, 24 Feb 2011 14:57:40 +0100 [thread overview]
Message-ID: <20110224135740.GF23042@quack.suse.cz> (raw)
In-Reply-To: <4688CF7A-2859-465B-B0EC-B4E31800E5F2@mit.edu>
On Thu 24-02-11 07:19:46, Theodore Tso wrote:
>
> On Feb 24, 2011, at 6:49 AM, Jan Kara wrote:
>
> > I agree it may cause surprises although it's not true that ACL's remove
> > rights. Rather on contrary ACL's can only give additional rights (i.e. you
> > have 600 file + user foo can also read it) thus noacl->acl transition might
> > be insecure if you have some old unwanted ACL's pending.
>
> My understanding of how POSIX acls work is that the if you want to give
> read access to user "foo" (where "foo" is not the user) is you first have to
> open up the file permissions to do the equivalent of "o+r".
I've actually tried that before posting my email and it's not like that.
I did:
jack@quack:~/source> echo 'aaa' >/tmp/f
jack@quack:~/source> chmod 600 /tmp/f
jack@quack:~/source> setfacl -m u:nobody:rw /tmp/f
jack@quack:~/source> sudo su nobody -c "cat /tmp/f"
aaa
jack@quack:~/source> sudo su news -c "cat /tmp/f"
cat: /tmp/f: Permission denied
> See: http://acl.bestbits.at/man/man5/acl.txt
>
> And then note how ACL_MASK corresponds to the permissions bits...
OK, I see but then look at setfactl(1), commentary of -n option:
The default behavior of setfacl is to recalculate the ACL mask entry,
unless a mask entry was explicitly given. The mask entry is set to the
union of all permissions of the owning group, and all named user and
group entries. (These are exactly the entries affected by the mask
entry).
So setfacl(1) by default makes the mask logic void.
Honza
--
Jan Kara <jack@suse.cz>
SUSE Labs, CR
next prev parent reply other threads:[~2011-02-24 13:57 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-18 20:31 [PATCH] ext4: enable acls and user_xattr by default Eric Sandeen
2011-02-21 13:46 ` Jan Kara
2011-02-21 17:10 ` Eric Sandeen
2011-02-23 17:31 ` Ted Ts'o
2011-02-24 11:49 ` Jan Kara
2011-02-24 12:19 ` Theodore Tso
2011-02-24 13:57 ` Jan Kara [this message]
2011-02-24 16:49 ` Ted Ts'o
2011-02-24 18:31 ` Jan Kara
2011-02-23 22:51 ` Ted Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110224135740.GF23042@quack.suse.cz \
--to=jack@suse.cz \
--cc=linux-ext4@vger.kernel.org \
--cc=sandeen@redhat.com \
--cc=tytso@MIT.EDU \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).