Activity log for bug #1081502

Date Who What changed Old value New value Message
2012-11-21 09:12:45 Andras Bendzsak bug added bug
2012-11-21 09:13:40 Andras Bendzsak summary posix acl is evaluated wrong null mask posix acl permissions evaluated wrongly with null mask
2012-11-21 11:22:19 Launchpad Janitor acl (Ubuntu): status New Confirmed
2012-11-21 11:24:40 András Korn bug task added linux-kernel (Ubuntu)
2012-11-21 11:26:20 András Korn bug task added linux (Debian)
2012-11-21 11:27:02 Launchpad Janitor linux (Ubuntu): status New Confirmed
2012-11-21 11:27:02 András Korn affects linux-kernel (Ubuntu) linux (Ubuntu)
2012-11-21 11:30:08 Brad Figg linux (Ubuntu): status New Incomplete
2012-11-21 11:30:10 Brad Figg tags precise
2012-11-21 11:37:16 Andras Bendzsak tags precise apport-collected precise
2012-11-21 11:37:17 Andras Bendzsak description
Hi!
According to my experience, the Linux kernel access control wrongly evaluates POSIX ACLs when the mask is null (mask::---).

Let's see an example:

    root@bar:~# getfacl /tmp/test
    getfacl: Removing leading '/' from absolute path names
    # file: tmp/test
    # owner: root
    # group: root
    user::rw-
    user:foo:---
    group::r--      #effective:---
    mask::---
          ^^^^^
    other::r--

As we can see, the foo user hasn't got any rights on the test file and the mask is zero. Let's try to read the file as the foo user:

    foo@bar:~$ cat /tmp/test
    FOOBAR
    foo@bar:~$

Success. According to the documentation (man acl), user foo cannot access the file:

" 2. else if the effective user ID of the process matches the qualifier of any entry of type ACL_USER, then if the matching ACL_USER entry and the ACL_MASK entry contain the requested permissions, access is granted, else access is denied."

If I change the mask entry to something else:

    root@bar:~# getfacl /tmp/test
    getfacl: Removing leading '/' from absolute path names
    # file: tmp/test
    # owner: root
    # group: root
    user::rw-
    user:foo:---
    group::r--      #effective:---
    mask::-w-
          ^^^^^^
    other::r--

the foo user cannot read the file:

    foo@bar:~$ cat /tmp/test
    cat: /tmp/test: Permission denied

I tested with ext4 and tmpfs with the same result. I also tested on a Solaris 9 machine, where the permissions work as expected.

System info:

    Description: Ubuntu 12.04.1 LTS
    Release: 12.04

    acl:
      Installed: 2.2.51-5ubuntu1
      Candidate: 2.2.51-5ubuntu1
      Version table:
     *** 2.2.51-5ubuntu1 0
            500 http://hu.archive.ubuntu.com/ubuntu/ precise/main i386 Packages
            100 /var/lib/dpkg/status

    Linux bar 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC 2012 i686 i686 i386 GNU/Linux

Thank you for your time and I hope you can find the source of this issue.

---
ApportVersion: 2.0.1-0ubuntu13
Architecture: i386
DistroRelease: Ubuntu 12.04
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release i386 (20120423)
Package: linux
PackageArchitecture: i386
ProcVersionSignature: Ubuntu 3.2.0-29.46-generic-pae 3.2.24
Tags: precise
Uname: Linux 3.2.0-29-generic-pae i686
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
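The access check quoted from man acl in the description above, written out as an added example (not part of the bug report and not kernel code): it parses getfacl output and applies the documented steps to the two listings from the report. The function names and the matching of users and groups by name instead of numeric ID are assumptions of this sketch.

```python
# Added example: the acl(5) access check applied to getfacl text output.
# Assumption: users and groups are matched by name rather than numeric ID.

def parse_getfacl(text):
    """Return (owner, group, [(tag, qualifier, perm_set), ...])."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            # Cut the "#effective:..." annotation getfacl may append.
            tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return owner, group, entries

def acl_allows(text, user, groups, want):
    """Decide access as documented in acl(5); want is e.g. "r" or "rw"."""
    owner, group, entries = parse_getfacl(text)
    want = set(want)
    def perms(tag, qualifier=""):
        return [p for t, q, p in entries if t == tag and q == qualifier]
    mask = (perms("mask") or [None])[0]
    masked = mask is None or want <= mask
    if user == owner:                       # step 1: ACL_USER_OBJ, mask not used
        return want <= perms("user")[0]
    named = perms("user", user)
    if named:                               # step 2: ACL_USER and ACL_MASK
        return want <= named[0] and masked
    matching = perms("group") if group in groups else []
    for g in groups:
        matching += perms("group", g)
    if matching:                            # step 3: group entries and ACL_MASK
        return any(want <= p for p in matching) and masked
    return want <= perms("other")[0]        # step 4: ACL_OTHER

# The two ACLs from the report; only the mask entry differs.
NULL_MASK = """\
# file: tmp/test
# owner: root
# group: root
user::rw-
user:foo:---
group::r--      #effective:---
mask::---
other::r--
"""
W_MASK = NULL_MASK.replace("mask::---", "mask::-w-")
```

Under the documented steps, foo is denied read with either mask; the read that succeeded in the report is what the other::r-- entry alone would grant.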
2012-11-21 11:37:18 Andras Bendzsak attachment added Dependencies.txt https://bugs.launchpad.net/bugs/1081502/+attachment/3440223/+files/Dependencies.txt
2012-11-21 11:37:22 Andras Bendzsak attachment added ProcEnviron.txt https://bugs.launchpad.net/bugs/1081502/+attachment/3440224/+files/ProcEnviron.txt
2012-11-21 11:43:10 Andras Bendzsak linux (Ubuntu): status Incomplete Confirmed
2012-11-21 16:36:22 Joseph Salisbury linux (Ubuntu): importance Undecided Medium
2012-11-21 16:36:49 Joseph Salisbury linux (Ubuntu): status Confirmed Incomplete
2012-11-21 22:41:53 Andras Bendzsak tags apport-collected precise apport-collected kernel-bug-exists-upstream precise
2012-11-21 22:42:31 Andras Bendzsak bug task deleted acl (Ubuntu)
2012-11-21 22:42:55 Andras Bendzsak linux (Ubuntu): status Incomplete Opinion
2012-11-21 22:43:30 Andras Bendzsak linux (Ubuntu): status Opinion Confirmed
2014-01-03 19:58:47 penalvch linux (Ubuntu): status Confirmed Incomplete
2015-07-09 10:05:32 ratbert bug added subscriber ratbert