Nathanael Jean-Francois wrote:
Hi all,
I've run into a little snag with default ACL
permissions. The issue was brought up in this thread
http://marc.theaimsgroup.com/?l=freebsd-questions&m=111118504532207&w=2
but there was no reply to it, and my digging so far
hasn't turned up anything substantial. If anyone knows
of a solution for this please let me know. Thanks,
-Nathanael
Hello,
I don't understand the acl and mask support for defaults.
But I have found a way to make them work as I *think*
they should.
Here is an example similar to the one in the link you provided.
# mount
/dev/ad2s1h on /home (ufs, local, soft-updates, acls)
# cd /home
# mkdir cvsroot
# chown cvs:cvs cvsroot
# chmod 2770 cvsroot
# ls -la
drwxrws--- 2 cvs cvs 512 Jun 17 23:46 cvsroot/
# umask
22
# touch cvsroot/te
# ls -la cvsroot/te
-rw-r--r-- 1 root cvs 0 Jun 17 23:48 cvsroot/te
# umask 0007 <----- this turns out to be the solution.
# touch cvsroot/tes
# ls -la cvsroot/tes
-rw-rw---- 1 root cvs 0 Jun 18 02:00 cvsroot/tes
Now for the acls part.
# setfacl -d -m u::rwx,m::rwx,g::rwx,o::--- cvsroot/
# getfacl -d cvsroot/
#file:cvsroot/
#owner:1012
#group:1012
user::rwx
group::rwx
mask::rwx
other::---
Ok, so far so good.
# touch cvsroot/test
# getfacl cvsroot/test
#file:cvsroot/test
#owner:0
#group:1012
user::rw-
group::rwx # effective: rw-
mask::rw-
other::---
Hmmm. Ok, so it didn't make it executable. A good thing.
Add some groups to the default acl on cvsroot/
# setfacl -d -m g:cvsuser:r-x,g:cvsadmin:rwx cvsroot/
# getfacl -d cvsroot/
#file:cvsroot/
#owner:1012
#group:1012
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---
Now the acl entries on cvsroot/ itself:
# setfacl -m g:cvsuser:r-x,g:cvsadmin:rwx cvsroot/
# getfacl cvsroot/
#file:cvsroot/
#owner:1012
#group:1012
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---
What I Want
1. All new files created to be read for cvsuser.
2. New directories to be read/exec for cvsuser.
3. All files created to be read/write for cvsadmin.
4. New directories to be read/write/exec for cvsadmin.
5. The defaults will propagate down the tree so that sub-sub
directories inherit the same permissions.
6. The user and group cvs has full control.
7. Any other users have no permissions.
What I Get
# mkdir cvsroot/dir1
# touch cvsroot/file1
# ls -lad cvsroot/*
drwxrwx---+ 2 root cvs 512 Jun 18 02:19 cvsroot/dir1/
-rw-rw----+ 1 root cvs 0 Jun 18 02:19 cvsroot/file1
Looks OK from that angle. Items 6 and 7 are satisfied.
# getfacl cvsroot/*
#file:cvsroot/dir1
#owner:0
#group:1012
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---
Good. Items 2 and 4 are satisfied.
#file:cvsroot/file1
#owner:0
#group:1012
user::rw-
group::rwx # effective: rw-
group:cvsuser:r-x # effective: r--
group:cvsadmin:rwx # effective: rw-
mask::rw-
other::---
Better. Items 1 and 3 are satisfied.
Finally:
# getfacl -d cvsroot/dir1
#file:cvsroot/dir1
#owner:0
#group:1012
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---
# touch cvsroot/dir1/file2
# mkdir cvsroot/dir1/dir2
# ls -lad cvsroot/dir1/*
drwxrwx---+ 2 root cvs 512 Jun 18 02:26 cvsroot/dir1/dir2/
-rw-rw----+ 1 root cvs 0 Jun 18 02:26 cvsroot/dir1/file2
# getfacl -d cvsroot/dir1/dir2/
#file:cvsroot/dir1/dir2/
#owner:0
#group:1012
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---
# getfacl cvsroot/dir1/dir2/
#file:cvsroot/dir1/dir2/
#owner:0
#group:1012
user::rwx
group::rwx
group:cvsuser:r-x
group:cvsadmin:rwx
mask::rwx
other::---
# getfacl cvsroot/dir1/file2
#file:cvsroot/dir1/file2
#owner:0
#group:1012
user::rw-
group::rwx # effective: rw-
group:cvsuser:r-x # effective: r--
group:cvsadmin:rwx # effective: rw-
mask::rw-
other::---
Excellent. Item 5 is satisfied. Those are all my requirements.
This entire discovery process, although nice and tidy above,
was filled with a certain amount of grief. It was only once
I reset the umask to 0007 that things started to work as
expected.
Now this bothers me for two reasons. I don't want my umask
to have to be 0007. What if I'm in a working directory that
doesn't require propagating acls? Then I'm stuck setting my
umask back to something sensible like 0027 before creating
files without extended acl entries. I have a difficult time
remembering little details like that.
Not only that, but I'll have to remember to set it back to
0007 (or maybe 0000, horrors) if I want to use propagating
acls and have them behave as I expect as shown above.
I can easily set a process' umask through cron et al, but how
do I set it for cvs users using the protocol :ext:server:/home/cvsroot
with ssh?
Can anyone explain this further? Thanks.
Mark
P.S. Below is the behaviour that perplexed me earlier.
It is not what I expect and does not meet my requirements 1-7
above. I consider the application of the, shall we say, old
umask context to the new acl context to be a design error of
sorts. User mv and group cvsadmin are supposed to have write
access to new files and directories.
# umask
22
# mkdir dir1
# ls -la dir1
total 4
drwxr-xr-x 2 root wheel 512 Jun 18 02:43 ./
drwxr-xr-x 14 root wheel 512 Jun 18 02:43 ../
# setfacl -d -m u::rwx,m::rwx,g::r-x,o::--- dir1
# setfacl -m u::rwx,m::rwx,g::r-x,o::--- dir1
# getfacl dir1
#file:dir1
#owner:0
#group:0
user::rwx
group::r-x
mask::rwx
other::---
# getfacl -d dir1
#file:dir1
#owner:0
#group:0
user::rwx
group::r-x
mask::rwx
other::---
# setfacl -d -m u:mv:-w-,g:cvsadmin:rwx dir1
# setfacl -m u:mv:-w-,g:cvsadmin:rwx dir1
# getfacl dir1
#file:dir1
#owner:0
#group:0
user::rwx
user:mv:-w-
group::r-x
group:cvsadmin:rwx
mask::rwx
other::---
# getfacl -d dir1
#file:dir1
#owner:0
#group:0
user::rwx
user:mv:-w-
group::r-x
group:cvsadmin:rwx
mask::rwx
other::---
# touch dir1/file1
# mkdir dir1/dir2
# getfacl dir1/*
#file:dir1/dir2
#owner:0
#group:0
user::rwx
user:mv:-w- # effective: ---
group::r-x
group:cvsadmin:rwx # effective: r-x
mask::r-x
other::---
#file:dir1/file1
#owner:0
#group:0
user::rw-
user:mv:-w- # effective: ---
group::r-x # effective: r--
group:cvsadmin:rwx # effective: r--
mask::r--
other::---
Finally, for clarity, the following does meet the requirements:
# umask 0007
# touch dir1/file2
# mkdir dir1/dir3
# getfacl dir1/*
#file:dir1/dir3
#owner:0
#group:0
user::rwx
user:mv:-w-
group::r-x
group:cvsadmin:rwx
mask::rwx
other::---
#file:dir1/file2
#owner:0
#group:0
user::rw-
user:mv:-w-
group::r-x # effective: r--
group:cvsadmin:rwx # effective: rw-
mask::rw-
other::---
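The behaviour Mark reproduces above has a simple rule behind it, which the transcripts show but do not state: on this FreeBSD/UFS setup the umask is applied to the requested mode (0666 for a file, 0777 for a directory) before the kernel consults the parent's default ACL, and the resulting owner, group and other bits are then ANDed into the inherited user::, mask:: and other:: entries. Named user/group entries are copied unchanged, so a mask of r-- is what silently turns cvsadmin's rwx into "effective: r--". The model below is an added example, not code from the thread or from FreeBSD; it reproduces every getfacl listing in Mark's message from his default ACLs and umask values. The apply_umask flag is an assumption added for comparison: acl(5) on Linux specifies that the umask is ignored when a default ACL exists, which is the behaviour Mark was expecting.

```python
"""Model of default-ACL inheritance as observed in the thread above (FreeBSD UFS):
umask is applied to the requested mode first, then the mode is combined with the
parent's default ACL.  Example code, not part of the original post."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm):
    """'r-x' -> 5.  Dashes and unknown characters contribute nothing."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def bits_to_perm(bits):
    """5 -> 'r-x', in the three-character style getfacl prints."""
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")


def parse_acl(text):
    """Parse getfacl-style output into an ordered list of (tag, qualifier, bits).

    Header lines ('#file:', '#owner:') and '# effective:' annotations are dropped,
    so the thread's listings can be pasted in as-is."""
    entries = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perm = line.split(":")
        entries.append((tag, qualifier, perm_to_bits(perm)))
    return entries


def inherit(default_acl, requested_mode, umask, apply_umask=True):
    """Compute the ACL a new object receives from its parent's default ACL.

    apply_umask=True mirrors what the thread observes: umask is subtracted from
    the requested mode before the mode's owner/group/other bits are ANDed into
    user::, mask:: and other::.  apply_umask=False is the acl(5) (Linux) rule,
    where the default ACL alone limits the mode; this is an assumption added for
    comparison, not something the thread tested."""
    mode = (requested_mode & ~umask) if apply_umask else requested_mode
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    result = []
    for tag, qualifier, bits in default_acl:
        if tag == "user" and qualifier == "":
            bits &= owner_bits
        elif tag == "mask":
            bits &= group_bits
        elif tag == "group" and qualifier == "" and not has_mask:
            bits &= group_bits  # without a mask entry the group bits land here
        elif tag == "other":
            bits &= other_bits
        # named user:/group: entries and group:: (when a mask exists) are copied
        # verbatim; the mask decides what they effectively grant
        result.append((tag, qualifier, bits))
    return result


def render(acl):
    """Render entries in getfacl's style, annotating entries the mask restricts."""
    mask = next((bits for tag, _, bits in acl if tag == "mask"), None)
    lines = []
    for tag, qualifier, bits in acl:
        line = f"{tag}:{qualifier}:{bits_to_perm(bits)}"
        subject_to_mask = tag == "group" or (tag == "user" and qualifier != "")
        if mask is not None and subject_to_mask and (bits & mask) != bits:
            line += f" # effective: {bits_to_perm(bits & mask)}"
        lines.append(line)
    return lines


def inherited_lines(default_text, kind, umask, apply_umask=True):
    """getfacl-style listing for a new 'file' or 'dir' created under a directory
    whose default ACL is default_text, by a process with the given umask."""
    requested = 0o777 if kind == "dir" else 0o666
    return render(inherit(parse_acl(default_text), requested, umask, apply_umask))


# Default ACL of dir1 from the P.S. above (constructed from the thread's listing).
DIR1_DEFAULT = """
#file:dir1
user::rwx
user:mv:-w-
group::r-x
group:cvsadmin:rwx
mask::rwx
other::---
"""

if __name__ == "__main__":
    for umask in (0o022, 0o007):
        for kind in ("file", "dir"):
            print(f"umask {umask:04o}, new {kind}:")
            print("\n".join("  " + l for l in inherited_lines(DIR1_DEFAULT, kind, umask)))
    print("umask 0022, new file, umask ignored (acl(5) rule):")
    print("\n".join("  " + l for l in inherited_lines(DIR1_DEFAULT, "file", 0o022, apply_umask=False)))
```

Running it prints the same four listings as dir1/file1, dir1/dir2, dir1/file2 and dir1/dir3 above, and the last block shows that with the umask left out of the calculation cvsadmin gets "effective: rw-" even at umask 022, which is the outcome the requirements list asks for.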
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions