Skipping full file ACL checks when there are no Group permissions means we can't deny access to specific users or groups that we ban according to the ACL_USER, ACL_GROUP and ACL_MASK rules, because they may pass due to the Other permissions. Example: date > test_file setfacl -m u:1000:rwx,g:2000:rwx,u::rwx,g::rwx,o::rwx,m::0 test_file capsh --groups=1000 --gid=1000 --uid=1000 -- -c "cat test_file" capsh --groups=2000 --gid=2000 --uid=2000 -- -c "cat test_file" Signed-off-by: Wang Boshi <wangboshi@xxxxxxxxxx> --- fs/namei.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/namei.c b/fs/namei.c index 578c2110df02..d5772a31b5fc 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -347,7 +347,7 @@ static int acl_permission_check(struct user_namespace *mnt_userns, } /* Do we have ACL's? */ - if (IS_POSIXACL(inode) && (mode & S_IRWXG)) { + if (IS_POSIXACL(inode)) { int error = check_acl(mnt_userns, inode, mask); if (error != -EAGAIN) return error; -- 2.29.2
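Review bot: Dropping the `(mode & S_IRWXG)` condition makes every non-owner permission check on a POSIX-ACL inode call `check_acl()`, including a possible extended-attribute read when the ACL is not cached, so the commit message should state that performance trade-off next to the correctness argument. The lookup only needs to be kept where an ACL entry can change the result: for an ACL with a mask entry the group bits mirror the mask, so with a zero mask the ACL_USER and ACL_GROUP entries can only deny, and a denial only matters when the Other bits would otherwise grant access, which is exactly the bypass the commit message describes. A narrower condition such as `if (IS_POSIXACL(inode) && (mode & (S_IRWXG | S_IRWXO)))` would close that bypass while still skipping the ACL lookup for files with neither group nor other permission bits, where every non-owner is denied by the mode check that follows anyway. The commit message should also show the expected versus observed output of the two `capsh` commands before and after the patch so the behaviour change is verifiable.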