[Acl-devel] Getting/setting default ACLs through file descriptors

[Michael Orlitzky]

tl;dr need a way to get/set default ACLs using file descriptors.

I have a utility that can recursively apply one directory's default ACL
to its children. There's a security concern when doing that: if the
default ACL on "foo" grants an unprivileged user write access, then when
I descend and try to apply foo's ACL to "foo/bar", he has an opportunity
to replace "bar" with a symlink or hardlink.

To avoid that, I obtain a file descriptor (in a symlink-free manner)
then and immediately fstat it -- that's the best you can do to avoid
hard links. From then on, I use the fd instead of the path name.

This works great for ACL_TYPE_ACCESS lists, because I can use acl_get_fd
and acl_set_fd. But what if I want to propagate a default ACL from the
directory "foo" to the directory "foo/bar"? There doesn't seem to be a
way to do that safely. The acl*fd functions don't accept a type
argument, and always operate on the ACCESS list. For the default ACLs,
I'm forced to revert to acl_get_file and acl_set_file which take paths,
and the path can change its nature at any time.

Is there a reason for the discrepancy between acl*file and acl*fd? Any
hope of making them agree?