Date: Sun, 20 Dec 2015 18:52:57 +0100
From: Houder
To: cygwin AT cygwin DOT com
Subject: setfacl(2.4.0.14): recalculation of the ACL mask entry
Message-ID: <4e359179a04344745b43991e66398a6e@xs4all.nl>

Hi Corinna,

According to acl(5), the mask entry (as reported by getacl) is "optional"
if the acl contains no 'u:uid:perm'
and/or 'g:gid:perm' entries (ace's) ... Ahem.

VALID ACLs (from acl(5) )

    A valid ACL contains exactly one entry with each of the ACL_USER_OBJ,
    ACL_GROUP_OBJ, and ACL_OTHER tag types. Entries with ACL_USER and
    ACL_GROUP tag types may appear zero or more times in an ACL. An ACL
    that contains entries of ACL_USER or ACL_GROUP tag types must contain
    exactly one entry of the ACL_MASK tag type. If an ACL contains no
    entries of ACL_USER or ACL_GROUP tag types, the ACL_MASK entry is
    optional.

However, setfacl(1) and your setfacl also note, that the default behaviour
of setfacl is to recalculate the mask entry ...

%% setfacl -h
Usage: setfacl [-n] {-f ACL_FILE | -s acl_entries} FILE...
       setfacl [-n] {[-bk]|[-x acl_entries] [-m acl_entries]} FILE...
[snip]
  -n, --no-mask   Valid in conjunction with -m. Do not recalculate the
                  effective rights mask. The default behavior of setfacl
                  is to recalculate the ACL mask entry, unless a mask
                  entry was explicitly given. The mask entry is set to
                  the union of all permissions of the owning group, and
                  all named user and group entries. (These are exactly
                  the entries affected by the mask entry).
[snip]

I decided to experiment ... See below. (the mask entry is not recalculated,
it appears).

Regards,
Henri

-----
%% uname -a
CYGWIN_NT-6.1-WOW Seven 2.4.0(0.292/5/3) 2015-12-20 13:18 i686 Cygwin

%% id
uid=1000(Henri) gid=513(None) groups=513(None),1007(HelpLibraryUpdaters),559(Performance Log Users),545(Users),11(Authenticated Users)

%% touch foo.txt
%% getfacl foo.txt
# file: foo.txt
# owner: Henri
# group: None
user::rw-
group::r--
other:r--

%% setfacl -m g:Replicator:rw- foo.txt
%% getfacl foo.txt
# file: foo.txt
# owner: Henri
# group: None
user::rw-
group::r--
group:Replicator:rw-
mask:rw-
other:r--

%% setfacl -x g:Replicator: foo.txt # and remove it again
%% getfacl foo.txt
# file: foo.txt
# owner: Henri
# group: None
user::rw-
group::r--
mask:rw- <==== mask is now optional according to acl(5), but ...
other:r--

%% ls -l foo.txt
-rw-rw-r-- 1 Henri None 0 Dec 20 17:59 foo.txt <==== OK, but ...
%%

Ok, the permissions correspond with the mask (see acl(5) ), but according to
setfacl(1), the mask should have been recalculated ...

According to acl(5):

ACL ENTRIES

    ACL_MASK    The ACL_MASK entry denotes the maximum access rights that
                can be granted by entries of type ACL_USER, ACL_GROUP_OBJ,
                or ACL_GROUP.

Recalculation by me in this case, yields: mask:r--

(perhaps, as suggested by Sam, I should retire ... it is all getting beyond
simple is it not?)

### switch from user Henri to user Test (can another user with the same gid,
    modify the file?)

%% pwd
/home/Test
%% cd ../Henri
%% id
uid=1006(Test) gid=513(None) groups=513(None),545(Users),11(Authenticated Users)
%% ls -l foo.txt
-rw-rw-r-- 1 Henri None 0 Dec 20 17:59 foo.txt
%% echo Corinna > foo.txt
bash: foo.txt: Permission denied <==== OK, but the permissions as shown, are misleading, are they not?
%%

=====
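
Added example, not part of the original message and not Cygwin's code: a small Python audit that applies the setfacl(1) rule quoted above (mask = union of the owning group and all named user and group entries) to the two getfacl outputs from the session. The function names and result keys are illustrative assumptions; the ACL text is copied from the message.

```python
# ACL text copied from the getfacl output in the message above.
ACL_AFTER_ADD = "user::rw-\ngroup::r--\ngroup:Replicator:rw-\nmask:rw-\nother:r--\n"
ACL_AFTER_REMOVE = "user::rw-\ngroup::r--\nmask:rw-\nother:r--\n"

BITS = {"r": 4, "w": 2, "x": 1}


def parse_acl(text):
    """Return (tag, qualifier, perm_bits) tuples from getfacl-style text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop "# file:" style comments
        if not line:
            continue
        parts = line.split(":")                # "other:r--" and "other::r--" both occur
        qualifier = parts[1] if len(parts) == 3 else ""
        bits = sum(BITS[c] for c in parts[-1] if c in BITS)
        entries.append((parts[0], qualifier, bits))
    return entries


def to_str(bits):
    return "".join(c if bits & b else "-" for c, b in BITS.items())


def recalc_mask(entries):
    """Union of the owning group and all named user/group entries."""
    mask = 0
    for tag, qualifier, bits in entries:
        if tag == "group" or (tag == "user" and qualifier):
            mask |= bits
    return mask


def audit(text):
    """Compare the stored mask with the one setfacl(1) says it should be."""
    entries = parse_acl(text)
    stored = next((b for t, _, b in entries if t == "mask"), None)
    expected = recalc_mask(entries)
    group = next(b for t, q, b in entries if t == "group" and not q)
    limit = expected if stored is None else stored
    return {
        "stored": None if stored is None else to_str(stored),
        "recalculated": to_str(expected),
        "stale": stored is not None and stored != expected,
        "group_effective": to_str(group & limit),   # entry AND mask
        "ls_group_bits": to_str(limit),             # group class shown by ls -l
    }


if __name__ == "__main__":
    for name, acl in (("after -m", ACL_AFTER_ADD), ("after -x", ACL_AFTER_REMOVE)):
        print(name, audit(acl))
```

A stale mask with `ls_group_bits` wider than `group_effective` is the case where `ls -l` overstates what group members can actually do.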