Re: [PATCH 4/5] t/t1304: set the mask ACL that is checked in check_perms_and_acl

On 03/15/2010 12:37 PM, Matthieu Moy wrote:
> Brandon Casey <casey@xxxxxxxxxxxxxxx> writes:
> 
>>  test_expect_success 'Setup test repo' '
>>  	setfacl -m d:u::rwx,d:g::---,d:o:---,d:m:rwx $dirs_to_set &&
>> +	setfacl -m m:rwx               $dirs_to_set &&
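Review bot: the added `setfacl -m m:rwx` line has nothing next to it saying why the access mask is set separately from the `d:m:rwx` default mask on the line above, so it reads as redundant and is easy to drop in a later cleanup. A one-line comment above the test, or a sentence in the commit message, stating that the mask is set explicitly because check_perms_and_acl inspects it would cover that. The run of spaces before `$dirs_to_set` is alignment only and could be a single space.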
> 
> The patch sounds right, but I don't understand the commit message. You
> set m:rwx, and check_perms_and_acl expects mask::r--, so it's not
> exactly what check_perms_and_acl checks.

Ah, yeah, it does sound like I'm saying that check_perms_and_acl is
checking for the particular mask that I'm setting.  I really meant
it to read more like: since check_perms_and_acl is checking the
'mask ACL', it should be set appropriately.

> My understanding is that you set the mask here to enforce the validity
> of the ACL, but then you may want to just squash this into [PATCH 2/5].

I think the ACL is valid according to the rules stated in the Linux man
page, but depending on the previously existing mask ACL on the directories,
the other ACLs that were set may or may not have any effect.  I think on
Linux, the setfacl command updates the effective rights mask when other
ACL entries are modified.  I don't think this happens on Solaris.

If I do this:

  $ cd /var/tmp &&
    mkdir test &&
    setfacl -m d:u::rwx,d:g::---,d:o:---,d:m:rwx test &&
    setfacl -m d:u:guest:rwx test &&
    setfacl -m u:guest:rwx test &&
    getfacl test

On Solaris I get:

  # file: test
  # owner: XXX
  # group: XXX
  user::rwx
  user:guest:rwx                #effective:---
  group::---              #effective:---
  mask:---
  other:---
  default:user::rwx
  default:user:guest:rwx
  default:group::---
  default:mask:rwx
  default:other:---

and on Linux I get:

  # file: test
  # owner: XXX
  # group: XXX
  user::rwx
  user:guest:rwx
  group::---
  mask::rwx
  other::---
  default:user::rwx
  default:user:guest:rwx
  default:group::---
  default:mask::rwx
  default:other::---

Notice how the mask entry is different.  On Solaris you get --- and user
'guest' effectively has no permissions, while on Linux it has full rwx.
So for the test we should set the mask explicitly.

-brandon
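
The mask behaviour described in this message, as an added example that is not part of the original mail or of git's test suite: a POSIX sh function that reads getfacl output in either the Solaris or the Linux layout and reports the granted and effective rights of every entry the mask applies to. The names `effective_acl` and `masked_entries` are hypothetical, the sample listings are abridged from the two shown above, and an `awk` on the PATH is assumed.

```shell
# Added example: effective rights are the granted rights ANDed with the mask.
# Reads getfacl output on stdin, prints "entry granted effective" per line.
effective_acl() {
    awk '
    function mask_and(perm, m,    i, c, out) {
        for (i = 1; i <= 3; i++) {
            c = substr(perm, i, 1)
            out = out ((c != "-" && substr(m, i, 1) == c) ? c : "-")
        }
        return out
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # header comments and blank lines
    {
        sub(/[ \t]*#.*$/, "")           # drop a trailing "#effective:" note
        gsub(/[ \t]/, "")
        n = split($0, f, ":")
        if (f[1] == "default") next     # default entries only seed new files
        perm = f[n]; qual = (n == 3) ? f[2] : ""   # Solaris: mask:--- has 2 fields
        if (f[1] == "mask") { mask = perm; seen = 1; next }
        if (f[1] == "other" || (f[1] == "user" && qual == "")) next   # never masked
        name[++cnt] = f[1] ":" qual; granted[cnt] = perm
    }
    END {
        for (i = 1; i <= cnt; i++)
            print name[i], granted[i], (seen ? mask_and(granted[i], mask) : granted[i])
    }'
}

# Entries whose granted rights are reduced by the mask.
masked_entries() { effective_acl | awk '$2 != $3'; }
# Access entries and one default entry, copied from the two listings above.
solaris_sample() { cat <<'EOF'
user::rwx
user:guest:rwx                #effective:---
group::---              #effective:---
mask:---
other:---
default:mask:rwx
EOF
}
linux_sample() { cat <<'EOF'
user::rwx
user:guest:rwx
group::---
mask::rwx
other::---
default:mask::rwx
EOF
}
solaris_sample | masked_entries    # prints: user:guest rwx ---
```

On a live system the same check is `getfacl test | masked_entries`; empty output means no named user or group entry is being cut down by the mask.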