setfacl(2.4.0.14): recalculation of the ACL mask entry

setfacl(2.4.0.14): recalculation of the ACL mask entry

[Houder]

Hi Corinna,

According to acl(5), the mask entry (as reported by getacl) is 
"optional" if the
acl contains no 'u:uid:perm' and/or 'g:gid:perm' entries (ace's) ... 
Ahem.

VALID ACLs (from acl(5) )

      A valid ACL contains exactly one entry with each of the 
ACL_USER_OBJ,
      ACL_GROUP_OBJ, and ACL_OTHER tag types. Entries with ACL_USER and
      ACL_GROUP tag types may appear zero or more times in an ACL. An ACL
      that contains entries of ACL_USER or ACL_GROUP tag types must 
contain
      exactly one entry of the ACL_MASK tag type. If an ACL contains no
      entries of ACL_USER or ACL_GROUP tag types, the ACL_MASK entry is
      optional.

However, setfacl(1) and your setfacl also note, that the default 
behaviour of
setfacl is to recalculate the mask entry ...

%% setfacl -h
Usage: setfacl [-n] {-f ACL_FILE | -s acl_entries} FILE...
        setfacl [-n] {[-bk]|[-x acl_entries] [-m acl_entries]} FILE...
[snip]

-n, --no-mask
   Valid in conjunction with -m.  Do not recalculate the effective rights
   mask. The default behavior of setfacl is to recalculate the ACL mask 
entry,
   unless a mask entry was explicitly given.  The mask entry is set to 
the
   union of all permissions of the owning group, and all named user and 
group
   entries.  (These are exactly the entries affected by the mask entry).
[snip]

I decided to experiment ... See below. (the mask entry is not 
recalculated, it
appears).

Regards,
Henri

-----
%% uname -a
CYGWIN_NT-6.1-WOW Seven 2.4.0(0.292/5/3) 2015-12-20 13:18 i686 Cygwin
%% id
uid=1000(Henri) gid=513(None) 
groups=513(None),1007(HelpLibraryUpdaters),559(Performance Log 
Users),545(Users),11(Authenticated Users)

%% touch foo.txt
%% getfacl foo.txt
# file: foo.txt
# owner: Henri
# group: None
user::rw-
group::r--
other:r--

%% setfacl -m g:Replicator:rw- foo.txt
%% getfacl foo.txt
# file: foo.txt
# owner: Henri
# group: None
user::rw-
group::r--
group:Replicator:rw-
mask:rw-
other:r--

%% setfacl -x g:Replicator: foo.txt # and remove it again
%% getfacl foo.txt
# file: foo.txt
# owner: Henri
# group: None
user::rw-
group::r--
mask:rw- <==== mask is now optional according to acl(5), but ...
other:r--

%% ls -l foo.txt
-rw-rw-r-- 1 Henri None 0 Dec 20 17:59 foo.txt <==== OK, but ...
%%

Ok, the permissions correspond with the mask (see acl(5) ), but 
according to setfacl(1),
the mask should have been recalculated ...

According to acl(5):
ACL ENTRIES

ACL_MASK  The ACL_MASK entry denotes the maximum access
           rights that can be granted by entries of type
           ACL_USER, ACL_GROUP_OBJ, or ACL_GROUP.

Recalculation by me in this case, yields: mask:r--

(perhaps, as suggested by Sam, I should retire ... it is all getting 
beyond
  simple is it not?)

  ### switch from user Henri to user Test
(can another user with the same gid, modify the file?)

%% pwd
/home/Test
%% cd ../Henri
%% id
uid=1006(Test) gid=513(None) 
groups=513(None),545(Users),11(Authenticated Users)
%% ls -l foo.txt
-rw-rw-r-- 1 Henri None 0 Dec 20 17:59 foo.txt
%% echo Corinna > foo.txt
bash: foo.txt: Permission denied <==== OK, but the permissions as shown, 
are
                                        misleading, are they not?
%%

=====

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: setfacl(2.4.0.14): recalculation of the ACL mask entry

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 1176 bytes --]

On Dec 20 18:52, Houder wrote:
> Hi Corinna,
> 
> According to acl(5), the mask entry (as reported by getacl) is "optional" if
> the
> acl contains no 'u:uid:perm' and/or 'g:gid:perm' entries (ace's) ... Ahem.
> [...]
> However, setfacl(1) and your setfacl also note, that the default behaviour
> of
> setfacl is to recalculate the mask entry ...
> [...]
> I decided to experiment ... See below. (the mask entry is not recalculated,
> it
> appears).

It is, but only in a limit number of scenarios.  I completely forgot
about recalculating when deleteing ACEs, in fact.  I checked this
against setfacl on Linux again, appied a patch and uploaded a new test
release 2.4.0-0.15.  The mask recalculation behaviour should now be
as close as possible to Linux, I hope.  I also renamed the --substitute
option to --set, as with Linux setfacl.

Please give it a try.  Just, if it's still wrong, I guess a patch has
to wait until after the holidays.


Thanks a lot for testing this so extensively,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: setfacl(2.4.0.14): recalculation of the ACL mask entry

[Houder]

On 2015-12-21 13:46, Corinna Vinschen wrote:
> On Dec 20 18:52, Houder wrote:
>> Hi Corinna,
>> 
>> According to acl(5), the mask entry (as reported by getacl) is 
>> "optional" if
>> the
>> acl contains no 'u:uid:perm' and/or 'g:gid:perm' entries (ace's) ... 
>> Ahem.
>> [...]
>> However, setfacl(1) and your setfacl also note, that the default 
>> behaviour
>> of
>> setfacl is to recalculate the mask entry ...
>> [...]
>> I decided to experiment ... See below. (the mask entry is not 
>> recalculated,
>> it
>> appears).
> 
> It is, but only in a limit number of scenarios.  I completely forgot
> about recalculating when deleteing ACEs, in fact.  I checked this
> against setfacl on Linux again, appied a patch and uploaded a new test
> release 2.4.0-0.15.  The mask recalculation behaviour should now be
> as close as possible to Linux, I hope.  I also renamed the --substitute
> option to --set, as with Linux setfacl.
> 
> Please give it a try.  Just, if it's still wrong, I guess a patch has
> to wait until after the holidays.

Euh ... no problem here. Go, have a holiday!

Regards,
Henri

> 
> 
> Thanks a lot for testing this so extensively,
> Corinna


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: setfacl(2.4.0.14): recalculation of the ACL mask entry

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 1353 bytes --]

On Dec 21 14:11, Houder wrote:
> On 2015-12-21 13:46, Corinna Vinschen wrote:
> >On Dec 20 18:52, Houder wrote:
> >>Hi Corinna,
> >>
> >>According to acl(5), the mask entry (as reported by getacl) is
> >>"optional" if
> >>the
> >>acl contains no 'u:uid:perm' and/or 'g:gid:perm' entries (ace's) ...
> >>Ahem.
> >>[...]
> >>However, setfacl(1) and your setfacl also note, that the default
> >>behaviour
> >>of
> >>setfacl is to recalculate the mask entry ...
> >>[...]
> >>I decided to experiment ... See below. (the mask entry is not
> >>recalculated,
> >>it
> >>appears).
> >
> >It is, but only in a limit number of scenarios.  I completely forgot
> >about recalculating when deleteing ACEs, in fact.  I checked this
> >against setfacl on Linux again, appied a patch and uploaded a new test
> >release 2.4.0-0.15.  The mask recalculation behaviour should now be
> >as close as possible to Linux, I hope.  I also renamed the --substitute
> >option to --set, as with Linux setfacl.
> >
> >Please give it a try.  Just, if it's still wrong, I guess a patch has
> >to wait until after the holidays.
> 
> Euh ... no problem here. Go, have a holiday!

Thanks :)


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]