LinuxQuestions.org
Old 03-02-2015, 10:13 PM   #1
deoren
Member
 
Registered: Oct 2003
Location: USA
Distribution: Ubuntu
Posts: 216

Rep: Reputation: 30
ACLs - Mask - permissions defined in the owner and owning group entries


First of all, thank you for reading this. I'm new to POSIX ACLs, so I've been doing a lot of reading on the subject. I found many sources, one of those being the openSUSE Security Guide.

In both of these versions (with 12.1 where I first found it mentioned):

https://doc.opensuse.org/documentati...rity.acls.html

https://activedoc.opensuse.org/book/...lists-in-linux

I found this statement:

Quote:
All permissions defined in the owner and owning group entries are always effective.
Here is that same statement with the surrounding text for context:

Quote:
The mask entry further limits the permissions granted by named user, named group, and owning group entries by defining which of the permissions in those entries are effective and which are masked. If permissions exist in one of the mentioned entries as well as in the mask, they are effective. Permissions contained only in the mask or only in the actual entry are not effective—meaning the permissions are not granted. All permissions defined in the owner and owning group entries are always effective.
However I've found two other sources which seem to say otherwise. One is the man page for getfacl and the other is "UNIX and Linux System Administration Handbook, 4th Edition".

Man page reference:

http://linux.die.net/man/1/getfacl

Relevant text:

Quote:
Lines 5, 7 and 10 correspond to the user, group and other fields of the file mode permission bits. These three are called the base ACL entries. Lines 6 and 8 are named user and named group entries. Line 9 is the effective rights mask. This entry limits the effective rights granted to all groups and to named users. (The file owner and others permissions are not affected by the effective rights mask; all other entries are.)
The "to all groups" and "all other entries" imply that the owner group (or "default/primary" group) IS affected, which is in contrast to what the openSUSE documentation says.

UNIX and Linux System Administration Handbook, 4th Edition has this to say:

Quote:
The mask limits the access that the ACL can confer upon all named users, all named groups, and the default group.
That seems to directly confirm what the man page says, i.e., the traditional UNIX group (primary, default) IS affected by the ACL Mask.

Can anyone confirm which is the case?

Thanks!
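
The masking rule as the getfacl man page excerpt quoted in the post above states it, worked through as an added example (not part of the original post or of any quoted source): the mask limits named users and every group entry, including the owning group, while the owner and other entries are left alone. The sample ACL and the function names are constructed for illustration.

```python
# Added example: effective rights per the getfacl(1) rule quoted in the post.
# SAMPLE is constructed getfacl-style output, not taken from a real system.
SAMPLE = """\
# file: somedir/
# owner: lisa
# group: staff
user::rwx
user:joe:rwx
group::rwx
group:cool:r-x
mask::r--
other::r-x
"""

def parse_acl(text):
    """Return (tag, qualifier, perms) tuples from getfacl-style access ACL text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if not line or line.startswith("default:"):  # default ACL entries are skipped
            continue
        tag, qualifier, perms = line.split(":", 2)
        entries.append((tag, qualifier, perms.strip()[:3]))
    return entries

def effective_rights(entries):
    """Map 'tag:qualifier' to the rwx string that is actually effective."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        # Owner (user::) and other are never masked; named users and every
        # group entry, including the owning group (group::), are.
        masked = tag == "group" or (tag == "user" and qualifier != "")
        if masked and mask is not None:
            perms = "".join(c if c == m else "-" for c, m in zip(perms, mask))
        result[f"{tag}:{qualifier}"] = perms
    return result

if __name__ == "__main__":
    for entry, perms in effective_rights(parse_acl(SAMPLE)).items():
        print(f"{entry:<12} {perms}")
```

With no mask entry present (a minimal ACL), the owning group entry is returned unchanged.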
 
Old 03-09-2015, 12:36 AM   #2
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477
Unix, Irix, Linux, BSD, etc. are their own systems. Even in Linux, different distros can handle ACLs differently simply because they have different versions of the same software installed across them. A good rule of thumb for learning any topic in this space is to use the Internet sources to augment your understanding but use the manual pages of your working system as the source of truth for behavior and usage. This applies to anything you learn in the *nix family of operating systems. I realize I didn't answer your question directly but hopefully you can use that advice to find the answer you need.

Last edited by sag47; 03-09-2015 at 12:38 AM.
 
Old 04-13-2017, 12:58 PM   #3
rpittala
Member
 
Registered: Jan 2012
Location: PUNE
Distribution: SunOS sun4v sparc sun4v Solaris
Posts: 102
Blog Entries: 1

Rep: Reputation: Disabled
ACL permissions issue with Unix and Windows

Hi Folks,

I need some understanding here: when I set ACL permissions on certain files on Unix/Linux and transfer these files to Windows, will these file permissions remain the same? To make these file permissions consistent, what is required to be captured and modified, w.r.t. ACL security?
 
Old 04-14-2017, 01:29 AM   #4
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,264
Blog Entries: 24

Rep: Reputation: 4195
Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place. This thread is a duplicate; further discussion of this issue should continue here.
 
  

