bug#8527: cp/mv in coreutils don't respect the default ACL of parent
From: f0rhum
Subject: bug#8527: cp/mv in coreutils don't respect the default ACL of parent
Date: Tue, 7 Oct 2014 22:05:10 +0200 (CEST)
Thank you, Linda, for the extensive answer.
Just some additional info before I reply to your questions: for my own tests I
didn't use /tmp as target because the sticky bit could do something special
(not sure). Instead I used /srv/test, which I chown me:writers, set chmod -R
u:rwX,g:srwX, then setfacl --set as needed, all this as root. The goal being
having a group writers rwX, another group readers with rX on the tree and
o:---, and ignore source perms if any.
> What file system and core utils are you using?
My target file system is ext4 (default mount options include acl and
user_xattr), coreutils is 8.21 & kernel is 3.13.0-36-generic #63-Ubuntu SMP Wed
Sep 3 21:30:07 UTC 2014 x86_64 GNU/Linux (with embedded acl support out of the
box).
> Are you using a file system that has alternate user-data forks
> or extended attributes that have them included by default?
> Or are you using a file system where they were added on as a super-user
> control'd option? Have you tried copying them as root?
I know this:
from local, umask=0002
from ssh, umask=0022
no cp aliases, I just need/use the default, i.e. do-not-preserve-perms
All my tests below are run locally. So I wrote a script that echoes each line:
sudo ~/acl.sh
0 mkdir -pv /srv/test
0 setfacl -bk /srv/test
0 rm -rf /srv/test/*
ownership of /srv/test was kept as me:writers
0 chown -Rv me:writers /srv/test
mode of /srv/test/ was changed from 2770 (rwxrws---) to 0000 (---------)
0 (removed all bits)
mode of /srv/test/ was changed from 0000 (---------) to 2770 (rwxrws---)
0 chmod -Rv u+rwX,g+srwX /srv/test
0 setfacl -R --set d:u::rwx,d:g::rwx,d:g:writers:rwx,d:u:reader:rx,d:g:reader:rx,d:o::---,d:m::rwx /srv/test
getfacl: remove first "/" out of absolute path names
# file: srv/test
USER me rwx rwx
user reader r-x
GROUP writers rwx rwx
group reader r-x
group writers rwx
mask rwx
other --- ---
0 setfacl -R --set u::rwX,g::rwX,u:reader:rX,g:writers:rwX,g:reader:rx,o::---,m::rwX /srv/test
getfacl: remove first "/" out of absolute path names
# file: srv/test
USER me rwx rwx
user reader r-x r-x
GROUP writers rwx rwx
group reader r-x r-x
group writers rwx rwx
mask rwx rwx
other --- ---
****So at the moment this last command shows all is alright****
**** Now, let's copy ****
address@hidden:/srv$ cp -r /media/me/USPEED/200402/ /srv/test
address@hidden:/srv$ getfacl -t /srv/test/200402/
getfacl: remove first "/" out of absolute path names
# file: srv/test/200402/
USER me rwx rwx
user reader R-X r-x
GROUP writers RWX rwx
group reader R-X r-x
group writers RWX rwx
mask --- rwx
other --- ---
***problems begin: default ACLs are kept OK (right perm column),***
***but Access ACLs are lost (capitalized in left column by -t are the denied
perms because mask is lost, do not confuse with cap X in chmod)***
***only file owner can traverse, nobody else can***
address@hidden:/srv$ getfacl -t /srv/test/200402/P2220368.JPG
getfacl: remove first "/" out of absolute path names
# file: srv/test/200402/P2220368.JPG
USER me rw-
user reader r-X
GROUP writers rWX
group reader r-X
group writers rWX
mask r--
other ---
*** Here one sees writers lost the write perm, and reader could read if only he
could traverse above***
Do the same by creation:
address@hidden:/srv$ mkdir test/handdir
address@hidden:/srv$ touch test/handdir/file
address@hidden:/srv$ getfacl -Rt test/handdir/
# file: test/handdir/
USER me rwx rwx
user reader r-x r-x
GROUP writers rwx rwx
group reader r-x r-x
group writers rwx rwx
mask rwx rwx
other --- ---
# file: test/handdir//file
USER me rw-
user reader r-X
GROUP writers rwX
group reader r-X
group writers rwX
mask rw-
other ---
***all is OK this way***
> The reason I ask, is that I just tried it and it appears to work:
> 1) First the dir:
> > cd /tmp
> > llg -d /tmp
> drwxrwxrwt 25 root root 8192 Oct 7 02:21 /tmp/
> > lsacl /tmp
> [u::rwx,g::rwx,o::rwx] /tmp #default ACL from mode bits
>
> 2) Create file with 'touch'
> > touch x # new file
> Ishtar:/tmp> llg x
> -rw-rw-r-- 1 law lawgroup 0 Oct 7 02:26 x
> > lsacl
> [u::rw-,g::rw-,o::r--] x #default ACL
> ----
> 3) now I'll copy in a *directory* that has both types of ACL's on it, but
> not specifying that any permissions be copied:
>
> > ll -d /Media/Library/_artwork/test #source
> drwxrwsr-x+ 2 10 Oct 7 02:33 /Media/Library/_artwork/test/
> Ishtar:/tmp> lsacl /Media/Library/_artwork/test
> [u::rwx,u:Media:rwx,g::rwx,g:Media:rwx,m::rwx,
> o::r-x/u::rwx,u:Media:rwx,
> g::rwx, g:Media:rwx,m::rwx,o::r-x]
> /Media/Library/_artwork/test
> (note, 2nd acl is default dir (lsacl uses "chacl -l")
> Ishtar:/tmp> 'cp' -r /Media/Library/_artwork/test . #recursive to tmp
> Ishtar:/tmp> llg -d test
> drwxrwxr-x 2 law lawgroup 6 Oct 7 02:34 test/
> Ishtar:/tmp> lsacl test #no attr indicated
> [u::rwx,g::rwx,o::r-x] test #default ACL shown
> ----
> So far all seems fine.
>
> 4) Now let's copy the perms too:
> Ishtar:/tmp> rd test
> Ishtar:/tmp> 'cp' -a /Media/Library/_artwork/test .
> Ishtar:/tmp> llg -d test
> drwxrwsr-x+ 2 law Media 6 Oct 7 02:33 test/
> Ishtar:/tmp> lsacl test #same ACL as source
> [u::rwx,u:Media:rwx,g::rwx,g:Media:rwx,
> m::rwx,o::r-x/u::rwx,u:Media:rwx,g::rwx,
> g:Media:rwx,m::rwx,o::r-x]
> test
> 5) create file in that dir:
> Ishtar:/tmp> cd test
> Ishtar:/tmp/test> touch touched_file
> Ishtar:/tmp/test> llg touched_file
> -rw-rw-r--+ 1 law Media 0 Oct 7 02:42 touched_file
> Ishtar:/tmp/test> lsacl touched_file
> [u::rw-,u:Media:rwx,g::rwx,g:Media:rwx,m::rw-,o::r--] touched_file
> ---
> File has expected inherited ACL.
> 6) Now ... let's use cp to copy a file w/o acls in:
> (first create normal file under /tmp):
>
> > echo "perm test">/tmp/perm.txt
> Ishtar:/tmp/test> llg /tmp/perm.txt
> -rw-rw-r-- 1 law lawgroup 10 Oct 7 02:59 /tmp/perm.txt
> Ishtar:/tmp/test> lsacl /tmp/perm.txt
> [u::rw-,g::rw-,o::r--] /tmp/perm.txt
> > 'cp' /tmp/perm.txt .
> Ishtar:/tmp/test> llg perm.txt
> -rw-rw-r--+ 1 law Media 10 Oct 7 03:01 perm.txt
> Ishtar:/tmp/test> lsacl perm.txt
> [u::rw-,u:Media:rwx,g::rwx,g:Media:rwx,m::rw-,o::r--] perm.txt
>
> ----
> 8) Looks the same to me...However, check this out:
>
> Ishtar:/tmp/test> rm perm.txt
> Ishtar:/tmp/test> cp /tmp/perm.txt .
> Ishtar:/tmp/test> llg /tmp/perm.txt
> -rw-rw-r-- 1 law lawgroup 10 Oct 7 02:59 /tmp/perm.txt
> Ishtar:/tmp/test> lsacl perm.txt
>
> No acl this time, but same copy...or was it?
>
> Note I was careful to use 'cp' most of the time when copying except
> this last time, cuz:
> alias cp
> alias cp='cp --preserve=mode,timestamps'
>
> my normal cp is an alias -- that says to preserve the mode.
> It wouldn't be able to do that if it allowed the default ACL
> to be set on the file.
> --------------
> So, I don't know if this is related to your problem, but
> cp appears to be working correctly here
> filesystem = xfs (acls are always on as they came with the filesystem).
> kernel=
>
> Linux Ishtar 3.16.2-Isht-Van #1 SMP PREEMPT Tue Sep 9 18:26:43 PDT 2014
> x86_64 x86_64 x86_64 GNU/Linux
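
Added illustration, not part of the original message and not coreutils code: the masks in the listings above are consistent with the acl(5) object-creation rule, under which a new object's access ACL is the parent's default ACL with owner, mask and other each limited by the mode the creating program requests. The sketch models that rule for the default ACL set in the script; the creation modes 0700 and 0644 are assumptions chosen to reproduce the masks shown for the copied directory and file, not a statement of what cp passed.

```python
# Added illustration of the acl(5) object-creation rule; not coreutils code.
BITS = {"r": 4, "w": 2, "x": 1}

# Default ACL passed to `setfacl -R --set` in the message.
DEFAULT_SPEC = ("d:u::rwx,d:g::rwx,d:g:writers:rwx,d:u:reader:rx,"
                "d:g:reader:rx,d:o::---,d:m::rwx")

def parse_default_acl(spec):
    """Parse setfacl short text into {(tag, qualifier): bits}, default entries only."""
    acl = {}
    for entry in spec.split(","):
        parts = entry.strip().split(":")
        if parts[0] not in ("d", "default"):
            continue
        tag, qualifier, perms = parts[1][0], parts[2], parts[3]
        acl[(tag, qualifier)] = sum(BITS.get(c, 0) for c in perms)
    return acl

def access_acl_on_create(default_acl, mode):
    """Copy the parent's default ACL, then AND owner, mask and other with the
    matching bits of the creation mode. The umask is not consulted."""
    acl = dict(default_acl)
    acl[("u", "")] &= (mode >> 6) & 7
    group_class = ("m", "") if ("m", "") in acl else ("g", "")
    acl[group_class] &= (mode >> 3) & 7
    acl[("o", "")] &= mode & 7
    return acl

def effective(acl):
    """Owning group, named users and named groups are all limited by the mask."""
    mask = acl.get(("m", ""), 7)
    unmasked = {("u", ""), ("o", ""), ("m", "")}
    return {k: v if k in unmasked else v & mask for k, v in acl.items()}

def fmt(bits):
    return "".join(c if bits & b else "-" for c, b in BITS.items())

def report(mode):
    """Effective permissions of an object created with `mode` under DEFAULT_SPEC."""
    acl = effective(access_acl_on_create(parse_default_acl(DEFAULT_SPEC), mode))
    return {"%s:%s" % k: fmt(v) for k, v in acl.items()}

if __name__ == "__main__":
    # 0777 and 0666 are what mkdir and touch request; 0700 and 0644 are assumed
    # creation modes picked to match the masks in the copied listings.
    for mode in (0o777, 0o666, 0o700, 0o644):
        print(oct(mode), report(mode))
```

With 0666 the result matches the touch listing (mask rw-, writers keep write); with 0644 the mask drops to r-- and writers lose write, as in the copied JPG.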