[Bug 1081502] Re: posix acl permissions evaluated wrongly with null mask
Joseph Salisbury
joseph.salisbury at canonical.com
Wed Nov 21 16:36:46 UTC 2012
Would it be possible for you to test the latest upstream kernel? Refer
to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest
v3.7 kernel[0] (Not a kernel in the daily directory) and install both
the linux-image and linux-image-extra .deb packages.
If this bug is fixed in the mainline kernel, please add the following
tag 'kernel-fixed-upstream'.
If the mainline kernel does not fix this bug, please add the tag:
'kernel-bug-exists-upstream'.
If you are unable to test the mainline kernel, for example it will not boot, please add the tag: 'kernel-unable-to-test-upstream'.
Once testing of the upstream kernel is complete, please mark this bug as "Confirmed".
Thanks in advance.
[0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.7-rc6-raring/
** Changed in: linux (Ubuntu)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu)
Status: Confirmed => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to acl in Ubuntu.
https://bugs.launchpad.net/bugs/1081502
Title:
posix acl permissions evaluated wrongly with null mask
Status in “acl” package in Ubuntu:
Confirmed
Status in “linux” package in Ubuntu:
Incomplete
Status in “linux” package in Debian:
New
Bug description:
Hi!
In my experience, the Linux kernel access control evaluates POSIX
ACLs wrongly when the mask is null (mask::---).
Let's see an example:
root@bar:~# getfacl /tmp/test
getfacl: Removing leading '/' from absolute path names
# file: tmp/test
# owner: root
# group: root
user::rw-
user:foo:---
group::r-- #effective:---
mask::---
^^^^^
other::r--
As we can see, the foo user hasn't got any rights on the test file and the mask is zero.
Let's try to read the file as the foo user:
foo@bar:~$ cat /tmp/test
FOOBAR
foo@bar:~$
Success.
According to the documentation (man acl) user foo cannot access the file:
" 2. else if the effective user ID of the process matches the qualifier of any entry of type ACL_USER, then
if the matching ACL_USER entry and the ACL_MASK entry contain the requested permissions, access is granted,
else access is denied."
If I change the mask entry to something else:
root@bar:~# getfacl /tmp/test
getfacl: Removing leading '/' from absolute path names
# file: tmp/test
# owner: root
# group: root
user::rw-
user:foo:---
group::r-- #effective:---
mask::-w-
^^^^^^
other::r--
the foo user cannot read the file:
foo@bar:~$ cat /tmp/test
cat: /tmp/test: Permission denied
I tested with ext4 and tmpfs with the same result. I also tested on a
Solaris 9 machine where the permissions work as expected.
System info:
Description: Ubuntu 12.04.1 LTS
Release: 12.04
acl:
Installed: 2.2.51-5ubuntu1
Candidate: 2.2.51-5ubuntu1
Version table:
*** 2.2.51-5ubuntu1 0
500 http://hu.archive.ubuntu.com/ubuntu/ precise/main i386 Packages
100 /var/lib/dpkg/status
Linux bar 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC
2012 i686 i686 i386 GNU/Linux
Thank you for your time and I hope you can find the source of this issue.
---
ApportVersion: 2.0.1-0ubuntu13
Architecture: i386
DistroRelease: Ubuntu 12.04
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release i386 (20120423)
Package: linux
PackageArchitecture: i386
ProcVersionSignature: Ubuntu 3.2.0-29.46-generic-pae 3.2.24
Tags: precise
Uname: Linux 3.2.0-29-generic-pae i686
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/acl/+bug/1081502/+subscriptions
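
The access check algorithm from acl(5) that the report quotes, written out as an added example (not part of the original message and not kernel code) and applied to the two ACLs shown in the report. The numeric ids for root, foo and an unrelated user are constructed, and supplementary groups are left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { R = 4, W = 2, X = 1 };
enum tag { USER_OBJ, USER, GROUP_OBJ, GROUP, MASK, OTHER };
struct entry { enum tag tag; unsigned id; unsigned perm; };
static bool has(unsigned perm, unsigned want) { return (perm & want) == want; }

/* Access check as documented in acl(5). Simplification: one gid per process. */
bool acl_allows(const struct entry *a, size_t n, unsigned owner, unsigned fgroup,
                unsigned uid, unsigned gid, unsigned want)
{
    unsigned mask = R | W | X, other = 0;   /* without ACL_MASK nothing is masked */
    bool in_group = false;
    for (size_t i = 0; i < n; i++) {
        if (a[i].tag == MASK)  mask = a[i].perm;
        if (a[i].tag == OTHER) other = a[i].perm;
    }
    for (size_t i = 0; i < n; i++)          /* step 1: owner, mask not applied */
        if (a[i].tag == USER_OBJ && uid == owner) return has(a[i].perm, want);
    for (size_t i = 0; i < n; i++)          /* step 2: named user AND mask, no fall-through */
        if (a[i].tag == USER && a[i].id == uid) return has(a[i].perm & mask, want);
    for (size_t i = 0; i < n; i++)          /* step 3: any matching group AND mask */
        if ((a[i].tag == GROUP_OBJ && gid == fgroup) || (a[i].tag == GROUP && a[i].id == gid)) {
            in_group = true;
            if (has(a[i].perm & mask, want)) return true;
        }
    return in_group ? false : has(other, want);  /* step 4: other, only if nothing matched */
}

/* Constructed ids: root = 0, foo = uid/gid 1000, an unrelated user = uid/gid 2000. */
enum { ROOT = 0, FOO = 1000, BYSTANDER = 2000 };
bool report_acl_read(unsigned mask_perm, unsigned uid, unsigned gid)
{
    const struct entry acl[] = {            /* the ACL from the report; mask is the variable */
        { USER_OBJ, 0, R | W }, { USER, FOO, 0 }, { GROUP_OBJ, 0, R },
        { MASK, 0, mask_perm }, { OTHER, 0, R },
    };
    return acl_allows(acl, sizeof acl / sizeof acl[0], ROOT, ROOT, uid, gid, R);
}

int main(void)
{
    printf("foo read, mask::--- : %d\n", report_acl_read(0, FOO, FOO));
    printf("foo read, mask::-w- : %d\n", report_acl_read(W, FOO, FOO));
    return 0;
}
```

By the documented algorithm foo is denied read under both masks, so the successful `cat` with `mask::---` is the deviation the report describes. Only a process that matches no user or group entry is evaluated against `other::r--`.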