2014-04-07 14:11 GMT+02:00 Prunk Dump <prunkdump at gmail.com>:
>>> $mkdir /home/teachers/pellegrb/.pulse
>>> $chown 3000137:3000038 /home/teachers/pellegrb/.pulse
>>> $chmod 0700 /home/teachers/pellegrb/.pulse
>>> $ls -al /home/teachers/pellegrb
>>>
>>> drwxrwx---+ 2 pellegrb teachers 0 avril 7 14:02 .pulse

2014-04-17 13:15 GMT+02:00 Tanu Kaskinen <tanu.kaskinen at linux.intel.com>:
>> So the file system ignores the mode that is given to mkdir and chmod. Is
>> the result same if you pass --mode=0700 to mkdir?

2014-04-17 14:09 GMT+02:00 Alexander E. Patrakov <patrakov at gmail.com>:
> Well, the problem here is that the CIFS server gives extra unwanted access
> rights to the directory. So PulseAudio rightfully complains. However, in
> some cases (e.g. on CIFS and other non-native filesystems), this error is
> not actionable.

Yes, same result with mkdir --mode=0700. But I think there are no unwanted
access rights. When ACLs are enabled, the standard POSIX bits do not have the
same meaning. So you can't use ls -l or lstat() to get a file's access rights.
The "+" in ls -l shows that "getfacl" needs to be used.

>>> $ls -al /home/teachers/pellegrb
>>>
>>> drwxrwx---+ 2 pellegrb teachers 0 avril 7 14:02 .pulse

As I understand it, everything seems OK in the ACL sense.

When I create the directory, the default permissions are inherited:

$mkdir /home/teachers/pellegrb/.pulse
$ls -al /home/teachers/pellegrb
drwxrwx---+ 2 pellegrb teachers 0 avril 7 14:02 .pulse
$getfacl /home/teachers/pellegrb/.pulse
# file: home/teachers/pellegrb/.pulse
# owner: pellegrb
# group: teachers
user::rwx
user:3000038:r-x
group::r-x
group:teachers:r-x
group:3000137:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:pellegrb:rwx
default:group::r-x
default:group:teachers:r-x
default:mask::rwx
default:other::r-x

And when I chown the file (useless) and chmod it, the "group" and "other"
access rights are changed:

$chown 3000137:3000038 /home/teachers/pellegrb/.pulse
$chmod 0700 /home/teachers/pellegrb/.pulse
$getfacl /home/teachers/pellegrb/.pulse
# file: home/teachers/pellegrb/.pulse
# owner: pellegrb
# group: teachers
user::rwx
user:3000038:r-x
group::---
group:teachers:r-x
group:3000137:rwx
mask::rwx
other::---
default:user::rwx
default:user:pellegrb:rwx
default:group::r-x
default:group:teachers:r-x
default:mask::rwx
default:other::r-x

This behavior is the same with EXT4 ACLs; it does not seem to be a CIFS
problem. But PulseAudio doesn't check ACLs on home folders.

2014-04-17 14:09 GMT+02:00 Alexander E. Patrakov <patrakov at gmail.com>:
> Instead, I suggest to ignore fchown() failures that are not even supposed to
> be actionable and are not security-relevant, with a warning. IMHO a good
> heuristic to decide whether to propagate fchown() failures would be uid !=
> -1, or, equivalently, a test for system mode.

Excuse me Alexander, I'm French and I don't understand your suggestion. Is
your suggestion for me or for a source code modification? I don't understand
what an "actionable error" is or how I can ignore the fchown() failures. In my
case PulseAudio won't start! It is not only a warning. But in reality the
.pulse folder is secured; no other user can access its contents.

Thanks very much for the help!

Baptiste.
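
Added example, not part of the thread and not PulseAudio code: it parses the second getfacl listing from the message and derives both the mode bits that ls -l and lstat() report and the ACL entries that still grant access. It assumes the Linux POSIX ACL rules from acl(5), where the group bits of the mode mirror the mask entry; the function names are hypothetical.

```python
# Access ACL copied from the second getfacl listing in the message (after
# chmod 0700). Only two default: entries are kept; they only affect inheritance.
GETFACL_AFTER_CHMOD = """\
# file: home/teachers/pellegrb/.pulse
# owner: pellegrb
# group: teachers
user::rwx
user:3000038:r-x
group::---
group:teachers:r-x
group:3000137:rwx
mask::rwx
other::---
default:user::rwx
default:other::r-x
"""

def bits(perm):
    """Convert a permission string such as 'r-x' to its octal digit (5)."""
    return sum(v for c, v in zip(perm, (4, 2, 1)) if c != "-")

def parse_access_acl(text):
    """Return access entries as (tag, qualifier, bits); skip comments and default: entries."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drops headers and '#effective:' notes
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perm = line.split(":")
        entries.append((tag, qualifier, bits(perm)))
    return entries

def mode_bits(entries):
    """Mode reported by stat(): when a mask entry exists, the group bits show the mask."""
    base = {tag: b for tag, q, b in entries if q == ""}
    return base["user"] << 6 | base.get("mask", base["group"]) << 3 | base["other"]

def effective_grants(entries):
    """Owning group and named users/groups with non-empty rights after applying the mask."""
    mask = next((b for tag, _, b in entries if tag == "mask"), 7)
    return {f"{tag}:{q}": b & mask for tag, q, b in entries
            if tag in ("user", "group") and (q or tag == "group") and b & mask}

if __name__ == "__main__":
    acl = parse_access_acl(GETFACL_AFTER_CHMOD)
    print(oct(mode_bits(acl)), effective_grants(acl))
```

For this listing the derived mode is 0770, matching the drwxrwx---+ line from ls, even though the owning-group entry is ---; a check that only tests mode & 077 therefore sees the mask, not group::.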