LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-28-2015, 11:06 AM   #1
davemha
LQ Newbie
Registered: Jun 2012
Posts: 10
"ls -l" shows wrong permissions for group when ACLs set


LFS permissions are set as:
-rw-r-----. 1 root testgroup 6 Jul 28 10:55 testfile

Then,
setfacl -m u:bob:rw testfile

And ls -l yields:
-rw-rw----+ 1 root testgroup 6 Jul 28 10:55 testfile

Notice the change in the group write permission. However, getfacl says:
user::rw-
user:bob:rw-
group::r--
mask::rw-
other::---

And, in testing, members of testgroup can read the file but not write to it. In other words, getfacl shows the true permissions while ls -l is wrong.

It seems to be related to the mask. If I change the mask to "r", then the group shows only "r" permissions as well. But then Bob's effective permissions are also only "r". I know the mask overrides the group in the negative direction but it's not additive - it's the MAX permissions on a file.

Why is ls -l not giving the correct information?

This is CentOS 7 on an XFS formatted drive.

Last edited by davemha; 07-28-2015 at 11:09 AM. Reason: Add distro info
Old 09-22-2015, 09:49 AM   #2
davemha
LQ Newbie
Registered: Jun 2012
Posts: 10

Original Poster
Bump

Still trying to figure this one out. I've googled more and I'm still coming up empty for answers. Anyone have an idea what might be happening?
Old 09-22-2015, 10:46 AM   #3
GazL
LQ Veteran
Registered: May 2008
Posts: 6,882
man 5 acl, specifically, the "CORRESPONDENCE BETWEEN ACL ENTRIES AND FILE PERMISSION BITS" section.
Quote:
If the ACL has an ACL_MASK entry, the group permissions correspond to the permissions of the ACL_MASK entry. Otherwise, if the ACL has no ACL_MASK entry, the group permissions correspond to the permissions of the ACL_GROUP_OBJ entry.
On Slackware it doesn't seem possible to create an acl without a mask entry (not with setfacl at any rate), so that second part may not be a practical consideration.

Basically,
If the group permissions show 'rwx' then you might have any of r,w, or x permissions granted from the acl, but equally, you might not.
If the group permissions show 'r-x' then you definitely won't have 'w', but may have one, or both of the other two; though again, you might not.

If you want to know for certain, you're going to have to run getfacl.


ACLs are ugly, which is why most people avoid them like the plague.

Hope that helps.

Last edited by GazL; 09-22-2015 at 10:48 AM.
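A small Python script, added here and not from the thread or the acl package, that applies the acl(5) rule GazL quotes to the getfacl output davemha posted: it derives the mode string ls -l prints (the mask lands in the group slot), the rights each entry actually grants, and then simulates the mask change to "r" from post #1. The function names and the sample ACL are constructed for this example.

```python
# Constructed sample: the getfacl output quoted in post #1 of this thread.
GETFACL_OUTPUT = """\
user::rw-
user:bob:rw-
group::r--
mask::rw-
other::---
"""

def parse_acl(text):
    """Return (tag, qualifier, perms) triples from getfacl's text output."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop '# file:' and '#effective:'
        if line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, perms))
    return entries

def _and(a, b):
    """Bitwise AND of two 'rwx' strings."""
    return "".join(x if x != "-" and y != "-" else "-" for x, y in zip(a, b))

def effective_perms(entries):
    """Rights each entry really grants: acl(5) says the mask caps named users,
    named groups and the owning group; owner and other are never masked."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    out = {}
    for tag, qualifier, perms in entries:
        masked = mask is not None and (qualifier != "" or tag == "group")
        out[f"{tag}:{qualifier}"] = _and(perms, mask) if masked else perms
    return out

def ls_mode(entries):
    """Mode string ls -l prints for a regular file with this ACL: per acl(5)
    the group bits mirror the mask entry when one exists."""
    by_key = {f"{t}:{q}": p for t, q, p in entries}
    group_bits = by_key.get("mask:", by_key["group:"])
    plus = "+" if "mask:" in by_key else ""  # ls flags an extended ACL with '+'
    return "-" + by_key["user:"] + group_bits + by_key["other:"] + plus

def with_mask(entries, new_mask):
    """Simulate 'setfacl -m m::<new_mask> testfile' on a parsed ACL."""
    return [(t, q, new_mask if t == "mask" else p) for t, q, p in entries]

if __name__ == "__main__":
    acl = parse_acl(GETFACL_OUTPUT)
    print(ls_mode(acl), effective_perms(acl))  # -rw-rw----+ but group:r--
    acl = with_mask(acl, "r--")                # the experiment from post #1
    print(ls_mode(acl), effective_perms(acl))  # -rw-r-----+ and bob drops to r--
```

The same logic is what getfacl itself applies when it appends `#effective:` notes, so an audit script should read the ACL rather than the ls mode string.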
Old 09-22-2015, 11:36 AM   #4
davemha
LQ Newbie
Registered: Jun 2012
Posts: 10

Original Poster
Thanks GazL. So you're basically saying that, if we use ACLs, we shouldn't trust ls. To me, that's a bug that the coreutils group should address. But, ok, if that's the answer for now then that's the answer.

BTW, I like ACLs. I avoid them if possible just because they are complex and adding needless complexity is never a good idea. But I like that they're there and, when I do use them, they're powerful.
Old 09-22-2015, 11:54 AM   #5
GazL
LQ Veteran
Registered: May 2008
Posts: 6,882
Yes, ACLs are useful when you need additional flexibility, but what you have to remember is that ACLs were essentially an afterthought/extension to UNIX so they don't integrate completely with the original UNIX owner/group/other model, and that's why tools like ls don't cater for them. A switch on ls that shows 'effective rights' for the calling user probably wouldn't be a bad idea, though it'd probably slow ls down quite a lot.