Hi all,
This is a behavior that I observed very recently while dealing with a customer issue. I think this is the right forum to ask the question. So here it goes.
Situation
________
1) I have a file owned by a non-root user.
2) I use setfacl -m u:acl:rwx to grant permissions to that file for the new acl user.
The resultant getfacl from the user in 1) is below.
address@hidden ~]$ getfacl a
# file: a
# owner: soham
# group: soham
user::rwx
user:acl:rwx
group::rw-
mask::rwx
other::r--
The mask here is rwx.
Therefore, as per the man 5 acl page, which discusses the access check algorithm, we have,
ACCESS CHECK ALGORITHM
A process may request read, write, or execute/search access to a file object protected by an ACL. The access check algorithm
determines whether access to the object will be granted.
1. If the effective user ID of the process matches the user ID of the file object owner, then
if the ACL_USER_OBJ entry contains the requested permissions, access is granted,
else access is denied.
2. else if the effective user ID of the process matches the qualifier of any entry of type ACL_USER, then
if the matching ACL_USER entry and the ACL_MASK entry contain the requested permissions, access is granted,
else access is denied.
Here, when I am trying to access the file from the acl user, my EUID is that of the acl user, and the acl user has an entry of type ACL_USER. I also have the ACL_MASK as rwx and therefore the acl user should be able to search the file. Is my analysis correct here?
However, I am not able to access the file as the acl user.
address@hidden ~]$ getfacl /home/soham/a
getfacl: /home/soham/a: Permission denied
As expected from the error message, I see EACCES in the strace output.
In further testing, I found that if I grant the acl user permissions with setfacl from within the user who actually owns the FSO, then the acl user is able to access it.
I understand that this might be expected behavior, but I cannot correlate it with the man page.
Any help is appreciated.
Thanks,
Soham
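Added example, not code from the post: a small Python model of steps 1 and 2 of the quoted acl(5) algorithm evaluated against the getfacl output above, using user names in place of numeric IDs (parse_getfacl and check_access are my own names). Note that it models only the object's own ACL; path lookup to /home/soham/a separately requires search permission on every directory component, which no entry shown here covers.

```python
from typing import Optional

# Copy of the getfacl output shown in the post (constructed here as test input).
GETFACL_OUTPUT = """\
# file: a
# owner: soham
# group: soham
user::rwx
user:acl:rwx
group::rw-
mask::rwx
other::r--
"""


def parse_getfacl(text: str) -> dict:
    """Parse getfacl's long text output into owner, ACL_USER_OBJ, ACL_USER and ACL_MASK."""
    acl = {"owner": None, "user_obj": "", "users": {}, "mask": None}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):  # header comments: file, owner, group
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                acl["owner"] = value.strip()
            continue
        tag, qualifier, perms = line.split(":")
        if tag == "user" and qualifier == "":
            acl["user_obj"] = perms          # ACL_USER_OBJ
        elif tag == "user":
            acl["users"][qualifier] = perms  # ACL_USER, keyed by qualifier
        elif tag == "mask":
            acl["mask"] = perms              # ACL_MASK
    return acl


def permits(entry: str, requested: str) -> bool:
    """True if every requested permission letter (r, w, x) is set in the entry."""
    return all(p in entry for p in requested)


def check_access(acl: dict, euid_name: str, requested: str) -> Optional[bool]:
    """Steps 1 and 2 of the acl(5) access check algorithm quoted in the post.
    Returns None when neither step matches (the group/other steps are not quoted)."""
    if euid_name == acl["owner"]:            # step 1: owner -> ACL_USER_OBJ only
        return permits(acl["user_obj"], requested)
    if euid_name in acl["users"]:            # step 2: named user -> ACL_USER and ACL_MASK
        mask = acl["mask"] if acl["mask"] is not None else "rwx"  # no mask entry: nothing masked
        return permits(acl["users"][euid_name], requested) and permits(mask, requested)
    return None
```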