
Unexpected behaviour of Linux ACLs [closed]

Found the strangest behaviour when using ACLs with the d: switch:

Test with d: in the setfacl command

create directory: mkdir /var/tmp/tester
create three users: useradd userA -d /tmp etc…
remove the "other" permissions of the directory: chmod 750 /var/tmp/tester
grant ACL permissions for userA: setfacl -m d:u:userA:rwx var/tmp/tester/
grant ACL permissions for userB: setfacl -m d:u:userB:rx /var/tmp/tester
grant ACL permissions for userC (not really needed): setfacl -m d:u:userC:rwx /var/tmp/tester
list the ACL of the directory: getfacl /var/tmp/tester

        # owner: root
        # group: root
        user::rwx
        group::r-x
        other::---
        default:user::rwx
        default:user:userA:rwx
        default:user:userB:r-x
        default:user:userC:---
        default:group::r-x
        default:mask::rwx
        default:other::---

Become userA and navigate to the tester dir: su - userA, then cd /var/tmp/tester

Result: -bash: cd: /var/tmp/tester: Permission denied

Now the same test, but without d: in my setfacl command

create directory: mkdir /var/tmp/tester
create three users: useradd userA -d /tmp etc…
remove the "other" permissions of the directory: chmod 750 /var/tmp/tester
grant ACL permissions for userA: setfacl -m u:userA:rwx var/tmp/tester/
grant ACL permissions for userB: setfacl -m u:userB:rx /var/tmp/tester
grant ACL permissions for userC (not really needed): setfacl -m u:userC:rwx /var/tmp/tester
list the ACL of the directory: getfacl /var/tmp/tester

        # owner: root
        # group: root
        user::rwx
        group::r-x
        other::---
        default:user::rwx
        default:user:userA:rwx
        default:user:userB:r-x
        default:user:userC:---
        default:group::r-x
        default:mask::rwx
        default:other::---

Become userA and navigate to the tester dir: su - userA, then cd /var/tmp/tester

Result: Success!?

Is this expected behaviour? Why does getfacl not show any difference between the two tests?


Answer

d: is short for default: and specifies the default ACLs for a directory, not the real ACLs. From man 5 acl:

OBJECT CREATION AND DEFAULT ACLs
     The access ACL of a file object is initialized when the object is created
     with any of the creat(), mkdir(), mknod(), mkfifo(), or open() functions.
     If a default ACL is associated with a directory, the mode parameter to
     the functions creating file objects and the default ACL of the directory
     are used to determine the ACL of the new object:

     1.   The new object inherits the default ACL of the containing directory
          as its access ACL.

     2.   The access ACL entries corresponding to the file permission bits are
          modified so that they contain no permissions that are not contained
          in the permissions specified by the mode parameter.

So, yes: it’s normal that you observe different behavior when (not) using d:.

However, note that the output from getfacl you have posted is wrong: in the second case (when not using d:) you should have some lines prefixed with user:userA, user:userB, user:userC instead of the lines prefixed with default:. Here’s a simpler example:

$ mkdir a b
$ setfacl -m u:nobody:rx a
$ setfacl -m d:u:nobody:rx b
$ diff -u <(getfacl a) <(getfacl b)
--- /dev/fd/63  2016-03-12 11:10:20.032239216 +0100
+++ /dev/fd/62  2016-03-12 11:10:20.024239117 +0100
@@ -1,9 +1,12 @@
-# file: a
+# file: b
 # owner: andrea
 # group: andrea
 user::rwx
-user:nobody:r-x
 group::rwx
-mask::rwx
 other::r-x
+default:user::rwx
+default:user:nobody:r-x
+default:group::rwx
+default:mask::rwx
+default:other::r-x
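To make the access-versus-default distinction concrete, here is an added Python example (not from the question or the answer) that parses the getfacl output from the question, runs the POSIX access check against the directory's access ACL, and derives the access ACL a new file would inherit from the default entries as man 5 acl describes. The getfacl text, the evaluator and the 0664 creation mode are constructed assumptions for illustration.

```python
# getfacl output of the question's directory (constructed here to match the post)
GETFACL_OUTPUT = """# owner: root
# group: root
user::rwx
group::r-x
other::---
default:user::rwx
default:user:userA:rwx
default:group::r-x
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Split getfacl output into access and default entries keyed by (tag, qualifier)."""
    acl = {"access": {}, "default": {}}
    for line in text.splitlines():
        if line.startswith("# "):            # header: "# file: ...", "# owner: ...", "# group: ..."
            key, _, value = line[2:].partition(": ")
            acl[key] = value
        elif line:
            kind = "default" if line.startswith("default:") else "access"
            tag, qual, perms = line.split(":")[-3:]
            acl[kind][(tag, qual)] = set(perms) - {"-"}
    return acl

def effective_perms(acl, entries, user, groups):
    """POSIX access check: owner, named user, matching groups, other. Defaults never apply."""
    mask = entries.get(("mask", ""), set("rwx"))
    if user == acl.get("owner"):
        return entries[("user", "")]
    if ("user", user) in entries:
        return entries[("user", user)] & mask
    keys = [("group", "") if g == acl.get("group") else ("group", g) for g in groups]
    hits = [entries[k] & mask for k in keys if k in entries]
    return set().union(*hits) if hits else entries[("other", "")]

def inherit_access_acl(acl, mode):
    """New object's access ACL per man 5 acl: default ACL with owner/mask/other cut to mode."""
    new = {k: set(v) for k, v in acl["default"].items()}
    class_key = ("mask", "") if ("mask", "") in new else ("group", "")
    for key, shift in ((("user", ""), 6), (class_key, 3), (("other", ""), 0)):
        new[key] &= {p for p, bit in (("r", 4), ("w", 2), ("x", 1)) if (mode >> shift) & bit}
    return new

def perms_for(user, mode=0o664):
    """(perms on the directory, perms on a root-created file of `mode` inside it)."""
    acl = parse_getfacl(GETFACL_OUTPUT)
    return tuple("".join(sorted(effective_perms(acl, ents, user, [user])))
                 for ents in (acl["access"], inherit_access_acl(acl, mode)))
```

perms_for("userA") returns ("", "rw"): the default entries grant userA nothing on the directory itself, which is the "Permission denied" from the question, while a file created inside it with mode 0664 inherits user:userA:rwx capped by the inherited mask.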