
[Acl-devel] ACL access disparity observed as per man 5 acl


From: Soham Chakraborty
Subject: [Acl-devel] ACL access disparity observed as per man 5 acl
Date: Tue, 22 Jul 2014 17:27:51 +0530

Hi all,

This is a behavior that I observed very recently while dealing with a customer issue. I think this is the right forum to ask the question. So here it goes.

Situation
________

1) I have a file owned by a non-root user. 
2) I use setfacl -m u:acl:rwx to grant permissions to that file for the new acl user.

The resultant getfacl from the user in 1) is below. 

address@hidden ~]$ getfacl a
# file: a
# owner: soham
# group: soham
user::rwx
user:acl:rwx
group::rw-
mask::rwx
other::r--

The mask here is rwx. 

Therefore, as per the man 5 acl page, which discusses the access check algorithm, we have:

ACCESS CHECK ALGORITHM
     A process may request read, write, or execute/search access to a file object protected by an ACL. The access check algorithm
     determines whether access to the object will be granted.

     1.   If the effective user ID of the process matches the user ID of the file object owner, then

              if the ACL_USER_OBJ entry contains the requested permissions, access is granted,

              else access is denied.

     2.   else if the effective user ID of the process matches the qualifier of any entry of type ACL_USER, then

              if the matching ACL_USER entry and the ACL_MASK entry contain the requested permissions, access is granted,

              else access is denied.

Here, when I am trying to access the file as the acl user, my EUID is that of the acl user and I have the acl user as an entry of type ACL_USER. I also have the ACL_MASK as rwx and therefore the acl user should be able to search the file. Is my analysis correct here?

However, I am not able to access the file as the acl user.

address@hidden ~]$ getfacl /home/soham/a
getfacl: /home/soham/a: Permission denied

As expected from the error message, I have an EACCES in the strace output.

In further testing, I found out that if I give the acl user setfacl permissions from within the user who actually owns the FSO, then the acl user is able to access it.

I understand that this might be expected behavior, but I cannot correlate it with the man page.

Any help is appreciated. 

Thanks,
Soham

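The access check algorithm quoted in the message decides access to a single object. As an added example, not code from this thread or from the acl project, the block below implements that algorithm in Python over ACLs given in getfacl(1) text form and then applies it to every directory on the way to the file, since the kernel needs search permission on each path component before the final object's ACL is consulted at all. Only FILE_ACL is the getfacl output quoted above; the directory ACLs (0755 for / and /home, a 0700 home directory) are assumptions chosen to illustrate how a file-level analysis can be right while the open still fails. The thread itself does not say what caused the denial in this case.

```python
"""Worked POSIX ACL access check following the ACCESS CHECK ALGORITHM of man 5 acl.
Example code written for this page, not from the acl project or the thread."""
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PERM = {"r": 4, "w": 2, "x": 1}

def perms(text: str) -> int:
    """'rwx' / 'r--' -> bitmask; a getfacl '#effective:' suffix is ignored."""
    return sum(PERM[c] for c in text.split("#")[0] if c in PERM)

@dataclass
class Acl:
    user_obj: int = 0            # ACL_USER_OBJ (the owner)
    group_obj: int = 0           # ACL_GROUP_OBJ (the owning group)
    other: int = 0               # ACL_OTHER
    mask: Optional[int] = None   # ACL_MASK, None when absent (minimal ACL)
    users: Dict[str, int] = field(default_factory=dict)   # ACL_USER by qualifier
    groups: Dict[str, int] = field(default_factory=dict)  # ACL_GROUP by qualifier

def parse_getfacl(text: str) -> Acl:
    """Parse getfacl(1) output; the '# file:' / '# owner:' comment lines are skipped."""
    acl = Acl()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        tag, qual, bits = line.split(":", 2)
        value = perms(bits)
        if tag in ("user", "group") and qual:
            (acl.users if tag == "user" else acl.groups)[qual] = value
        elif tag in ("user", "group", "mask", "other"):
            setattr(acl, {"user": "user_obj", "group": "group_obj"}.get(tag, tag), value)
        else:
            raise ValueError(f"unknown ACL entry tag {tag!r}")
    return acl

FileObj = namedtuple("FileObj", "owner group acl")

def acl_check(euid: str, gids: Set[str], obj: FileObj, requested: int) -> bool:
    """Steps 1-5 of man 5 acl. The mask caps ACL_USER, ACL_GROUP_OBJ and ACL_GROUP
    entries only; it never applies to the owner entry or to ACL_OTHER."""
    acl = obj.acl

    def contains(bits: int, masked: bool) -> bool:
        if masked and acl.mask is not None:
            bits &= acl.mask
        return bits & requested == requested

    if euid == obj.owner:                            # 1. owner
        return contains(acl.user_obj, masked=False)
    if euid in acl.users:                            # 2. named user
        return contains(acl.users[euid], masked=True)
    candidates: List[int] = []                       # 3. owning group and named groups
    if obj.group in gids:
        candidates.append(acl.group_obj)
    candidates += [b for g, b in acl.groups.items() if g in gids]
    if candidates:
        return any(contains(b, masked=True) for b in candidates)
    return contains(acl.other, masked=False)         # 4./5. everyone else

def path_access(euid: str, gids: Set[str], tree: Dict[str, FileObj], path: str, requested: int) -> str:
    """The kernel runs the same check for search ('x') on every directory of the
    path before the final object's ACL is consulted; returns 'granted' or the reason."""
    parts = [p for p in path.split("/") if p]
    for d in ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]:
        if not acl_check(euid, gids, tree[d], PERM["x"]):
            return f"denied: no search permission on {d}"
    return "granted" if acl_check(euid, gids, tree[path], requested) else f"denied by ACL of {path}"

# Constructed sample. FILE_ACL is the getfacl output quoted in the thread; the
# directory ACLs are assumptions (0755 for / and /home, 0700 for /home/soham).
FILE_ACL = "user::rwx\nuser:acl:rwx\ngroup::rw-\nmask::rwx\nother::r--\n"
OPEN_DIR = "user::rwx\ngroup::r-x\nother::r-x\n"
PRIVATE_DIR = "user::rwx\ngroup::---\nother::---\n"
TREE = {
    "/": FileObj("root", "root", parse_getfacl(OPEN_DIR)),
    "/home": FileObj("root", "root", parse_getfacl(OPEN_DIR)),
    "/home/soham": FileObj("soham", "soham", parse_getfacl(PRIVATE_DIR)),
    "/home/soham/a": FileObj("soham", "soham", parse_getfacl(FILE_ACL)),
}

def file_entry_check() -> bool:
    """Step 2 on the file alone: user:acl:rwx and mask::rwx both contain 'r'."""
    return acl_check("acl", {"acl"}, TREE["/home/soham/a"], PERM["r"])

def full_path_check() -> str:
    """The same request evaluated along the whole path."""
    return path_access("acl", {"acl"}, TREE, "/home/soham/a", PERM["r"])

def masked_write_check() -> bool:
    """Same file with mask::r--: the named entry says rwx but the mask caps it."""
    capped = FileObj("soham", "soham", parse_getfacl(FILE_ACL.replace("mask::rwx", "mask::r--")))
    return acl_check("acl", {"acl"}, capped, PERM["w"])

if __name__ == "__main__":
    print("file ACL alone:", file_entry_check(), "| via path:", full_path_check(),
          "| write with mask::r--:", masked_write_check())
```

Running the block shows the file-level check granting read to the acl user exactly as the man page analysis predicts, while the walk along the path stops at the assumed 0700 home directory. When checking a real system, run getfacl on every directory component as well as on the file, and note that getfacl appends a "#effective:" comment to any named entry that the mask trims; the parser above tolerates that suffix.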