[Bug 1081502] Re: posix acl permissions evaluated wrongly with null mask
András Korn
1081502 at bugs.launchpad.net
Wed Nov 21 11:27:02 UTC 2012
** Package changed: linux-kernel (Ubuntu) => linux (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to acl in Ubuntu.
https://bugs.launchpad.net/bugs/1081502
Title:
posix acl permissions evaluated wrongly with null mask
Status in “acl” package in Ubuntu:
Confirmed
Status in “linux” package in Ubuntu:
Incomplete
Status in “linux” package in Debian:
New
Bug description:
Hi!
In my experience, the Linux kernel access control evaluates POSIX ACLs
wrongly when the mask is null (mask::---).
Let's see an example:
root@bar:~# getfacl /tmp/test
getfacl: Removing leading '/' from absolute path names
# file: tmp/test
# owner: root
# group: root
user::rw-
user:foo:---
group::r-- #effective:---
mask::---
^^^^^
other::r--
As we can see, the foo user hasn't got any rights on the test file and the mask is zero.
Let's try to read the file as the foo user:
foo@bar:~$ cat /tmp/test
FOOBAR
foo@bar:~$
Success.
According to the documentation (man acl), user foo cannot access the file:
" 2. else if the effective user ID of the process matches the qualifier of any entry of type ACL_USER, then
if the matching ACL_USER entry and the ACL_MASK entry contain the requested permissions, access is granted,
else access is denied."
If I change the mask entry to something else:
root@bar:~# getfacl /tmp/test
getfacl: Removing leading '/' from absolute path names
# file: tmp/test
# owner: root
# group: root
user::rw-
user:foo:---
group::r-- #effective:---
mask::-w-
^^^^^^
other::r--
the foo user cannot read the file:
foo@bar:~$ cat /tmp/test
cat: /tmp/test: Permission denied
I tested with ext4 and tmpfs with the same result. I also tested on a
Solaris 9 machine where the permissions work as expected.
System info:
Description: Ubuntu 12.04.1 LTS
Release: 12.04
acl:
Installed: 2.2.51-5ubuntu1
Candidate: 2.2.51-5ubuntu1
Version table:
*** 2.2.51-5ubuntu1 0
500 http://hu.archive.ubuntu.com/ubuntu/ precise/main i386 Packages
100 /var/lib/dpkg/status
Linux bar 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC 2012 i686 i686 i386 GNU/Linux
Thank you for your time and I hope you can find the source of this
issue.
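Added example (not part of the original report, nor code from the acl package or the kernel): the access check algorithm from acl(5) that the report quotes, run over the two ACLs shown above. It shows that the documented result for foo is denial with either mask, and that read is granted only to a user who reaches the other:: entry. The group memberships and the unlisted user "nobody" are assumptions.

```python
# Added example: the access check algorithm documented in acl(5),
# run over getfacl output copied from the report above.

def parse_getfacl(text):
    """Return (owner, group, entries); entries are (tag, qualifier, perms)."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        body = line.split("#", 1)[0].strip()  # drops "#effective:" notes
        if body.count(":") == 2:
            tag, qual, perms = body.split(":")
            entries.append((tag, qual, set(perms) - {"-"}))
    return owner, group, entries

def acl_allows(text, user, groups, want):
    """acl(5) check: does `user` (member of `groups`) get all of `want`?"""
    owner, group, entries = parse_getfacl(text)
    want = set(want)
    def find(tag, qual=""):
        return [p for t, q, p in entries if (t, q) == (tag, qual)]
    mask = (find("mask") or [None])[0]
    in_mask = mask is None or want <= mask
    if user == owner:                      # 1. ACL_USER_OBJ, mask not applied
        return want <= find("user")[0]
    named = find("user", user)
    if named:                              # 2. ACL_USER entry AND ACL_MASK
        return want <= named[0] and in_mask
    matched = [p for t, q, p in entries
               if t == "group" and (q or group) in groups]
    if matched:                            # 3. group class, limited by mask
        return any(want <= p for p in matched) and in_mask
    return want <= find("other")[0]        # 4. ACL_OTHER

HEADER = "# file: tmp/test\n# owner: root\n# group: root\n"
NULL_MASK = HEADER + ("user::rw-\nuser:foo:---\n"
                      "group::r-- #effective:---\nmask::---\nother::r--\n")
W_MASK = NULL_MASK.replace("mask::---", "mask::-w-")

if __name__ == "__main__":
    # Group memberships are assumed; the report does not list them.
    for name, acl in (("mask::---", NULL_MASK), ("mask::-w-", W_MASK)):
        print(name, "foo read:", acl_allows(acl, "foo", ["foo"], "r"),
              "| unlisted read:", acl_allows(acl, "nobody", ["nogroup"], "r"))
```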