LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   "ls -l" shows wrong permissions for group when ACLs set (https://www.linuxquestions.org/questions/linux-security-4/ls-l-shows-wrong-permissions-for-group-when-acls-set-4175549165/)

davemha 07-28-2015 11:06 AM

"ls -l" shows wrong permissions for group when ACLs set
 
LFS permissions are set as:
-rw-r-----. 1 root testgroup 6 Jul 28 10:55 testfile

Then,
setfacl -m u:bob:rw testfile

And ls -l yields:
-rw-rw----+ 1 root testgroup 6 Jul 28 10:55 testfile

Notice the change in the group write permission. However, getfacl says:
user::rw-
user:bob:rw-
group::r--
mask::rw-
other::---

And, in testing, members of testgroup can read the file but not write to it. In other words, getfacl shows the true permissions while ls -l is wrong.

It seems to be related to the mask. If I change the mask to "r", then the group shows only "r" permissions as well. But then Bob's effective permissions are also only "r". I know the mask overrides the group in the negative direction, but it's not additive - it's the MAX permissions on a file.

Why is ls -l not giving the correct information?

This is CentOS 7 on an XFS formatted drive.

davemha 09-22-2015 09:49 AM

Bump
 
Still trying to figure this one out. I've googled more and still coming up empty for answers. Anyone have an idea what might be happening?

GazL 09-22-2015 10:46 AM

man 5 acl, specifically, the "CORRESPONDENCE BETWEEN ACL ENTRIES AND FILE PERMISSION BITS" section.
Quote:

If the ACL has an ACL_MASK entry, the group permissions correspond to the permissions of the ACL_MASK entry. Otherwise, if the ACL has no ACL_MASK entry, the group permissions correspond to the permissions of the ACL_GROUP_OBJ entry.
On Slackware it doesn't seem possible to create an acl without a mask entry (not with setfacl at any rate), so that second part may not be a practical consideration.

Basically,
If the group permissions show 'rwx' then you might have any of r,w, or x permissions granted from the acl, but equally, you might not.
If the group permissions show 'r-x' then you definitely won't have 'w', but may have one, or both of the other two; though again, you might not.

If you want to know for certain, you're going to have to run getfacl.


ACLs are ugly, which is why most people avoid them like the plague.

Hope that helps.
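The acl(5) rule GazL quotes can be checked without touching a filesystem. The script below is an added example, not code from the thread or from the acl package: it parses getfacl-style text (the constructed sample is the OP's ACL after `setfacl -m u:bob:rw testfile`), applies the mask to the entries it covers (named users, the owning group, named groups; owner and other are never masked), and rebuilds the nine permission characters the way ls -l prints them, with the group field taken from the mask entry. Function names and the sample text are this example's own.

```python
"""Effective POSIX ACL rights vs. what ls -l displays (added example, not from the thread)."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perms(s):
    """'rw-' or 'rw' -> 6; unknown characters such as '-' are ignored."""
    bits = 0
    for ch in s:
        bits |= PERM_BITS.get(ch, 0)
    return bits


def perms_str(bits):
    """6 -> 'rw-'."""
    return "".join(ch if bits & v else "-" for ch, v in PERM_BITS.items())


def parse_getfacl(text):
    """Return [(tag, qualifier, bits)] from getfacl output.

    '#' lines (file/owner/group header) are skipped and a trailing
    '#effective:...' annotation, which getfacl prints when the mask
    narrows an entry, is stripped before parsing.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, parse_perms(perms)))
    return entries


def mask_bits(entries):
    """Bits of the mask:: entry, or None when the ACL has no mask."""
    for tag, _q, bits in entries:
        if tag == "mask":
            return bits
    return None


def effective_rights(entries):
    """Map 'tag:qualifier' -> effective bits per acl(5).

    user:: (owner) and other:: are used as stored. Named users, group::
    and named groups are ANDed with the mask when one exists.
    """
    mask = mask_bits(entries)
    out = {}
    for tag, q, bits in entries:
        masked = tag == "group" or (tag == "user" and q != "")
        out[f"{tag}:{q}"] = bits & mask if (mask is not None and masked) else bits
    return out


def ls_mode(entries):
    """The 9 permission chars ls -l prints, plus '+' for an extended ACL.

    The group field mirrors the mask entry when present, which is why
    ls can show 'rw-' for the group while group:: is really only 'r--'.
    """
    by = {(t, q): b for t, q, b in entries}
    mask = mask_bits(entries)
    group = mask if mask is not None else by[("group", "")]
    plus = "+" if len(entries) > 3 else ""  # more than user::/group::/other::
    return perms_str(by[("user", "")]) + perms_str(group) + perms_str(by[("other", "")]) + plus


def with_mask(entries, new_mask):
    """Copy of the ACL with the mask replaced, mirroring `setfacl -m m::<perms>`."""
    return [(t, q, parse_perms(new_mask) if t == "mask" else b) for t, q, b in entries]


# Constructed sample: the OP's ACL after `setfacl -m u:bob:rw testfile`
SAMPLE_ACL = """\
# file: testfile
# owner: root
# group: testgroup
user::rw-
user:bob:rw-
group::r--
mask::rw-
other::---
"""

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_ACL)
    for label, entries in (("mask rw-", acl), ("mask r--", with_mask(acl, "r--"))):
        print(f"{label}: ls -l shows {ls_mode(entries)}")
        for key, bits in effective_rights(entries).items():
            print(f"  {key:10s} effective {perms_str(bits)}")
```

Running it shows the OP's two observations side by side: with the mask at rw- the mode string is `rw-rw----+` while group:: is effectively r-- and bob is rw-; narrowing the mask to r-- makes ls show `rw-r-----+` but also drops bob to r--, because the mask is an upper bound on every entry it covers, never a grant.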

davemha 09-22-2015 11:36 AM

Thanks GazL. So you're basically saying that, if we use ACLs, we shouldn't trust ls. To me, that's a bug that the coreutils group should address. But, ok, if that's the answer for now then that's the answer.

BTW, I like ACLs. I avoid them if possible just because they are complex and adding needless complexity is never a good idea. But I like that they're there and, when I do use them, they're powerful.

GazL 09-22-2015 11:54 AM

Yes, ACLs are useful when you need additional flexibility, but what you have to remember is that ACLs were essentially an afterthought/extension to UNIX, so they don't integrate completely with the original UNIX owner/group/other model, and that's why tools like ls don't cater for them. A switch on ls that shows 'effective rights' for the calling user probably wouldn't be a bad idea, though it'd probably slow ls down quite a lot.
