Failed to create secure directory with ACL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



2014-04-07 14:11 GMT+02:00 Prunk Dump <prunkdump at gmail.com>:
>>> $mkdir /home/teachers/pellegrb/.pulse
>>> $chown 3000137:3000038 /home/teachers/pellegrb/.pulse
>>> $chmod 0700 /home/teachers/pellegrb/.pulse
>>> $ls -al /home/teachers/pellegrb
>>>
>>> drwxrwx---+  2 pellegrb teachers     0 avril  7 14:02 .pulse

2014-04-17 13:15 GMT+02:00 Tanu Kaskinen <tanu.kaskinen at linux.intel.com>:
>> So the file system ignores the mode that is given to mkdir and chmod. Is
>> the result same if you pass --mode=0700 to mkdir?

2014-04-17 14:09 GMT+02:00 Alexander E. Patrakov <patrakov at gmail.com>:
> Well, the problem here is that the CIFS server gives extra unwanted access
> rights to the directory. So PulseAudio rightfully complains. However, in
> some cases (e.g. on CIFS and other non-native filesystems), this error is
> not actionable.

Yes, same result with mkdir --mode=0700. But I think there are not
unwanted access rights. When Acls are enabled the standard POSIX bits
have not the same sense. So you can't use ls -l or lstat() to get
file's access rights. The "+" on ls -l show that "getfacl" need to be
used.

>>> $ls -al /home/teachers/pellegrb
>>>
>>> drwxrwx---+  2 pellegrb teachers     0 avril  7 14:02 .pulse

As I understand every seems ok in the ACL sense. When I create the
directory the default permissions are inherited :

$mkdir /home/teachers/pellegrb/.pulse
$ls -al /home/teachers/pellegrb

drwxrwx---+  2 pellegrb teachers     0 avril  7 14:02 .pulse

$getfacl /home/teachers/pellegrb/.pulse
# file: home/teachers/pellegrb/.pulse
# owner: pellegrb
# group: teachers
user::rwx
user:3000038:r-x
group::r-x
group:teachers:r-x
group:3000137:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:pellegrb:rwx
default:group::r-x
default:group:teachers:r-x
default:mask::rwx
default:other::r-x

And when I chown the file (useless) and chmod it, the "group" and
"other" right access are changed :

$chown 3000137:3000038 /home/teachers/pellegrb/.pulse
$chmod 0700 /home/teachers/pellegrb/.pulse
$getfacl /home/teachers/pellegrb/.pulse
# file: home/teachers/pellegrb/.pulse
# owner: pellegrb
# group: teachers
user::rwx
user:3000038:r-x
group::---
group:teachers:r-x
group:3000137:rwx
mask::rwx
other::---
default:user::rwx
default:user:pellegrb:rwx
default:group::r-x
default:group:teachers:r-x
default:mask::rwx
default:other::r-x

This behavior is the same with EXT4 ACLs, it seems not a CIFS problem.
But PulseAudio doen't check ACLs on home folders.

2014-04-17 14:09 GMT+02:00 Alexander E. Patrakov <patrakov at gmail.com>:
> Instead, I suggest to ignore fchown() failures that are not even supposed to
> be actionable and are not security-relevant, with a warning. IMHO a good
> heuristic to decide whether to propagate fchown() failures would be uid !=
> -1, or, equivalently, a test for system mode.

Excuse me Alexander, I'am french and I don't understand your
suggestion. Your suggestion is for me or for a code source
modification ? I don't understand what is a "actionable error" and how
can I ignore the fchown() failures.

In my case pulse audio won't start ! It is not only a warning. But in
reality the .pulse folder is secured, no other user can access its
contents.

Thanks very much for the help !

Baptiste.


[Index of Archives]     [Linux Audio Users]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux