
Re: [Acl-devel] Default acl not respected when copying


From: Michael Orlitzky
Subject: Re: [Acl-devel] Default acl not respected when copying
Date: Tue, 14 Oct 2014 09:57:13 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.8.0

On 10/14/2014 06:19 AM, address@hidden wrote:
> 
> Having acl automatic inheritance working OK on mkdir & touch, I meet the 
> behaviour in title. I read the related posix draft (headache) and also papers 
> and slides from Andreas (mans, rich-alc ...), maybe my poor English is not 
> enough. First I posted help/info requests in debian/ubuntu/coreutils.gnu.org 
> forums/mailing lists with no success.
> 
> ...
> 
> Please, should I submit a bug or do I misunderstand something?
> 

This is a bug in 'cp'. It tries to respect the existing permissions,
which doesn't make sense in the presence of ACLs, because the group bits
aren't group permissions any more after ACLs enter into the picture. If
I remember correctly, the file is copied and inherits the default ACL
but then 'cp' calls chmod on it and clobbers the group bits (which are
now the mask).

There's no easy fix because every utility that moves files around (and
then tries to mess with their permissions) needs to be patched to do
something else when the target directory has a default ACL. It's also
not immediately obvious what should be done. I've written a standalone
tool that attempts to solve the problem:

  http://michael.orlitzky.com/code/apply-default-acl.php

The full algorithm is in the code at,

  http://michael.orlitzky.com/git/?p=apply-default-acl.git

but the test suite (run-tests.sh) is probably the best way to figure out
how it works. I've got test cases for each branch in the code.

To actually fix the problem, you only have one good option: run
apply-default-acl on the target every time you copy a file. If your
system has more than one user, this is obviously ridiculous. Personally
I've patched tar and coreutils:

  http://michael.orlitzky.com/code/releases/tar-1.27.1-gpcc.patch
  http://michael.orlitzky.com/code/releases/coreutils-8.22-gpcc.patch

so that they'll optionally run a command after they create new files.
With those patches and,

  export GNU_POST_CREATE_CMD='apply-default-acl %s'

the apply-default-acl program is called on every newly-created file,
fixing the problem at least for cp, mkdir, and tar (which is good enough
for most use cases). For other programs (like unzip) I still have to log
in as root and fix things.

A better solution would be to have the apply-default-acl routine in the
ACL library. (I've asked before, but got no response.) Then it would be
easier to persuade tar, coreutils and friends to simply call that
function after they create a new file.
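
The create-then-chmod sequence described in the message above, as an added example that is not part of the original message or of apply-default-acl: a small Python model of the acl(5) rules for default-ACL inheritance and chmod. The ACL entries, the user name `alice`, and the creation mode 0600 are constructed assumptions.

```python
# Added illustration: a model of POSIX ACL semantics as documented in acl(5).
# All ACL entries, names and modes below are constructed sample values.
R, W, X = 4, 2, 1

def fmt(p):
    return "".join(c if p & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))

def split_mode(mode):
    """Return the (owner, group-class, other) permission bits of a mode."""
    return (mode >> 6) & 7, (mode >> 3) & 7, mode & 7

def group_class_key(acl):
    # With a mask entry present, the group bits of the mode map to the mask,
    # not to the owning-group entry.
    return "mask" if "mask" in acl else "group::"

def create(default_acl, mode):
    """New file under a default ACL: copy the default ACL, then strip from the
    owner/group-class/other entries anything not present in `mode`."""
    acl = dict(default_acl)
    u, g, o = split_mode(mode)
    acl["user::"] &= u
    acl[group_class_key(acl)] &= g
    acl["other"] &= o
    return acl

def chmod(acl, mode):
    """chmod overwrites the owner, group-class (mask) and other entries."""
    acl = dict(acl)
    acl["user::"], acl[group_class_key(acl)], acl["other"] = split_mode(mode)
    return acl

def effective(acl, entry):
    """Named users and all group entries are limited by the mask."""
    if entry in ("user::", "other") or "mask" not in acl:
        return acl[entry]
    return acl[entry] & acl["mask"]

# Constructed default ACL of the target directory.
DEFAULT = {"user::": 7, "user:alice": 6, "group::": 5, "mask": 7, "other": 0}

def copy_like_cp(src_mode, create_mode=0o600):
    # create_mode is an assumption; the chmod step is what the message describes.
    return chmod(create(DEFAULT, create_mode), src_mode)

if __name__ == "__main__":
    for label, acl in (("touch (0666)", create(DEFAULT, 0o666)),
                       ("cp of a 0644 file", copy_like_cp(0o644))):
        print(label, {k: fmt(effective(acl, k)) for k in acl if k != "mask"},
              "mask=" + fmt(acl["mask"]))
```

In this model the copied file ends with mask `r--`, so the inherited `user:alice:rw-` entry is reduced to an effective `r--`, and the `other` entry takes the source file's `r--` although the default ACL gave it no access.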



