Old 12-01-2011, 01:15 PM   #1
sctebnt
LQ Newbie
 
Registered: Mar 2011
Location: Illinois
Posts: 4

Rep: Reputation: 0
Why does the ACL of a file created under a directory differ from the default ACL


I would like to have all files created within a directory contain an ACL based on the default defined for the directory. However, each file I create is assigned an ACL that is different (it has effective rights lower than the directory's and has other's rights set differently than the default).

What causes this difference?

Is there something I can do to ensure the files get exactly what I have as the default ACL?

Why are the effective rights different from the defined ACL rights until I run a setfacl -m command again?

Here is what I have done:

Code:
a17171@lsbita02:~/testing> getfacl .
# file: .
# owner: a17171
# group: gtbrav2
user::rwx
group::r-x
other::r-x

a17171@lsbita02:~/testing> mkdir mydir
a17171@lsbita02:~/testing> setfacl -d -m u:ndvr:rwx,g:migration:rwx,o:rx mydir
a17171@lsbita02:~/testing> setfacl -m u:ndvr:rwx,g:migration:rwx,o:rx mydir
a17171@lsbita02:~/testing> getfacl mydir
# file: mydir
# owner: a17171
# group: gtbrav2
user::rwx
user:ndvr:rwx
group::r-x
group:migration:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:ndvr:rwx
default:group::r-x
default:group:migration:rwx
default:mask::rwx
default:other::r-x

a17171@lsbita02:~/testing> cd mydir
a17171@lsbita02:~/testing/mydir> touch myfile
a17171@lsbita02:~/testing/mydir> getfacl myfile
# file: myfile
# owner: a17171
# group: gtbrav2
user::rw-
user:ndvr:rwx                   #effective:rw-
group::r-x                      #effective:r--
group:migration:rwx             #effective:rw-
mask::rw-
other::r--

a17171@lsbita02:~/testing/mydir> setfacl -m o:rx myfile
a17171@lsbita02:~/testing/mydir> getfacl myfile
# file: myfile
# owner: a17171
# group: gtbrav2
user::rw-
user:ndvr:rwx
group::r-x
group:migration:rwx
mask::rwx
other::r-x

a17171@lsbita02:~/testing/mydir>
 
Old 12-01-2011, 01:50 PM   #2
kbscores
Member
 
Registered: Oct 2011
Location: USA
Distribution: Red Hat
Posts: 259
Blog Entries: 9

Rep: Reputation: 32
I just did:
Code:
setfacl -d -m u:testUser:rwx apples/
and it worked.

I think the second setfacl on mydir/ is what is messing it up. Also you should use --

Last edited by kbscores; 12-01-2011 at 01:56 PM.
 
Old 12-01-2011, 02:03 PM   #3
sctebnt
LQ Newbie
 
Registered: Mar 2011
Location: Illinois
Posts: 4

Original Poster
Rep: Reputation: 0
I tried your suggestion and I am still not getting the expected value for the other's rights. I expected other to have r-x but am only getting r.

Here is how I tried your idea (not running the 2nd setfacl command):

Code:
a17171@lsbita02:~/testing> mkdir mydir3
a17171@lsbita02:~/testing> setfacl -d -m u:ndvr:rwx,g:migration:rwx,o:rx mydir3
a17171@lsbita02:~/testing> cd mydir3
a17171@lsbita02:~/testing/mydir3> getfacl .
# file: .
# owner: a17171
# group: gtbrav2
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:ndvr:rwx
default:group::r-x
default:group:migration:rwx
default:mask::rwx
default:other::r-x

a17171@lsbita02:~/testing/mydir3> touch myfile
a17171@lsbita02:~/testing/mydir3> getfacl myfile 
# file: myfile
# owner: a17171
# group: gtbrav2
user::rw-
user:ndvr:rwx                   #effective:rw-
group::r-x                      #effective:r--
group:migration:rwx             #effective:rw-
mask::rw-
other::r--

a17171@lsbita02:~/testing/mydir3>
 
Old 12-01-2011, 02:09 PM   #4
kbscores
Member
 
Registered: Oct 2011
Location: USA
Distribution: Red Hat
Posts: 259
Blog Entries: 9

Rep: Reputation: 32
Wait - I see now - Most likely it has to do with umask. - When a new file is created it takes 666 instead of 777 -- if you make a directory and it comes out correct then it most likely is a bug with setfacl - which after testing it looks like is the case.

Well -- technically not a bug seeing as that is how it is intended for new files.

Last edited by kbscores; 12-01-2011 at 02:11 PM.
 
Old 12-01-2011, 05:00 PM   #5
sctebnt
LQ Newbie
 
Registered: Mar 2011
Location: Illinois
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks, I now see why it is not possible to have the execute permission part of a file's default. Here is a little more information showing why.

Permissions and their bits
0-000 none
1-001 x
2-010 w
3-011 wx
4-100 r
5-101 rx
6-110 rw
7-111 rwx

If we have a umask value for other of 2 then the following will occur.

010 2 mask
101 5 complement of mask
110 6 system file access (directories use 7)

100 4 resulting and of the complement mask and system value (read only)

Looking at the above chart, we can see it is never possible for the default permission to include x (execute), since the system value of 6 (110) contains a 0 in the bit position for execute, and every permission that includes execute (001, 011, 111) has a 1 there. It is impossible to "and" a 0 with anything to get a 1 (execute bit).

So in the end, if you create a file for execution, you must always run the chmod or setfacl command to force the execute permission bit to be on.

Please feel free to correct me on anything I missed, I am still a Linux newbie.
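
The inheritance rule behind the getfacl outputs in posts #1 and #3 and the bit arithmetic in post #5, as an added Python simulation that is not code from this thread: acl(5) specifies that when a directory has a default ACL the umask is ignored entirely, and only the creation mode passed to the syscall (0666 from touch, 0777 from mkdir) is ANDed into the owner, mask and other entries; DEFAULT_ACL below is constructed from the thread's default: entries on mydir.

```python
# Added example: derives a new object's access ACL from the parent directory's
# default ACL per acl(5) ("Object creation and default ACLs"). The default ACL
# is inherited; then the owner entry, the mask entry (or owning-group entry if
# no mask exists) and the other entry are ANDed with the creation mode. Named
# user/group entries are copied unchanged; effective rights are entry & mask.
R, W, X = 4, 2, 1

def parse_perms(text):                 # 'rwx' / 'r-x' / 'rw-' -> 0..7
    return sum(b for c, b in zip(text, (R, W, X)) if c != '-')

def fmt_perms(bits):                   # 0..7 -> 'rwx' style string
    return ''.join(c if bits & b else '-' for c, b in zip('rwx', (R, W, X)))

def inherit_acl(default_acl, mode):
    """default_acl: (tag, qualifier, perms) tuples as getfacl prints them.
    Returns (tag, qualifier, perms, effective); effective is None when it
    equals perms, mirroring when getfacl omits its '#effective:' note."""
    has_mask = any(tag == 'mask' for tag, _, _ in default_acl)
    limited = []
    for tag, qual, perms in default_acl:
        bits = parse_perms(perms)
        if tag == 'user' and qual == '':                    # file owner class
            bits &= (mode >> 6) & 7
        elif tag == 'mask' or (tag == 'group' and qual == '' and not has_mask):
            bits &= (mode >> 3) & 7                         # file group class
        elif tag == 'other':                                # other class
            bits &= mode & 7
        limited.append((tag, qual, bits))                   # named entries: as-is
    mask = next((b for t, _, b in limited if t == 'mask'), None)
    out = []
    for tag, qual, bits in limited:
        eff = None
        if mask is not None and (tag == 'group' or (tag == 'user' and qual)):
            eff = bits & mask if (bits & mask) != bits else None
        out.append((tag, qual, fmt_perms(bits), None if eff is None else fmt_perms(eff)))
    return out

def render(acl):                       # format like getfacl, one line per entry
    lines = []
    for t, q, p, e in acl:
        entry = f"{t}:{q}:{p}"
        lines.append(entry if e is None else f"{entry:<32}#effective:{e}")
    return lines

DEFAULT_ACL = [  # constructed from the thread's 'default:' entries on mydir
    ('user', '', 'rwx'), ('user', 'ndvr', 'rwx'), ('group', '', 'r-x'),
    ('group', 'migration', 'rwx'), ('mask', '', 'rwx'), ('other', '', 'r-x'),
]

if __name__ == '__main__':             # reproduces the thread's 'touch myfile' output
    print('\n'.join(render(inherit_acl(DEFAULT_ACL, 0o666))))
```

Running it with mode 0o777 instead shows every entry surviving intact, which is why a mkdir inside mydir comes out as expected while touch does not.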
 
Old 12-02-2011, 08:13 AM   #6
kbscores
Member
 
Registered: Oct 2011
Location: USA
Distribution: Red Hat
Posts: 259
Blog Entries: 9

Rep: Reputation: 32
Sorry - yea when a new file is created umask is subtracted from 666 so you can have anything 6 or less - which is slightly frustrating. They do it for security purposes, but it would sure be nice to create a script in a script folder and have it run without having to change permissions.
 