Extended permissions on ext3

Jon Vincent archiveacl at gmail.com
Thu May 15 16:11:45 UTC 2008


Hello,

I am seeing some strange behavior with extended permissions on ext3. I am
writing a file as root and setting a user ACE. I then change to that user
and try to access the file based on the ACL that I have set.

In the example below, I am setting a user ACE to have no permissions to
access the file (---). However, I find that when I access the file as that
user, I am able to read it. I find this strange because according to the man
page, as soon as it matches the user ACE entry, it should allow or deny
access.

If I set an identical ACL except I add the "wx" permission bits to the user
ACE (-wx), I am rejected (which is what I expect). I am just wondering why I
can read the file when I have no permissions (---) set on the user ACE (I
expected to be rejected). Examples are below:

Example with no permissions for the user ACE:
-------------------------------------------------------------------------
[root at jvincent-D800 ~]# cd /tmp
[root at jvincent-D800 tmp]# echo "hello world" > file.txt
[root at jvincent-D800 tmp]# setfacl -m u::rwx,g::rwx,o::rwx,u:postgres:---,m:--- file.txt
[root at jvincent-D800 tmp]# getfacl file.txt
# file: file.txt
# owner: root
# group: root
user::rwx
user:postgres:---
group::rwx                      #effective:---
mask::---
other::rwx

[root at jvincent-D800 tmp]# ls -l file.txt
-rwx---rwx+ 1 root root 12 May  7 11:33 file.txt

[root at jvincent-D800 tmp]# su - postgres
[postgres at jvincent-D800 ~]$ id
uid=501(postgres) gid=501(postgres) groups=501(postgres)
[postgres at jvincent-D800 ~]$ whoami
postgres
[postgres at jvincent-D800 ~]$ cat /tmp/file.txt
hello world
[postgres at jvincent-D800 ~]$


Example with -wx permissions for the user ACE:
-------------------------------------------------------------------------
[root at jvincent-D800 tmp]# cd /tmp
[root at jvincent-D800 tmp]# echo "hello world" > file.txt
[root at jvincent-D800 tmp]# setfacl -m u::rwx,g::rwx,o::rwx,u:postgres:-wx,m:rwx file.txt
[root at jvincent-D800 tmp]# getfacl file.txt
# file: file.txt
# owner: root
# group: root
user::rwx
user:postgres:-wx
group::rwx
mask::rwx
other::rwx

[root at jvincent-D800 tmp]# ls -l file.txt
-rwxrwxr--+ 1 root root 12 May  7 13:47 file.txt
[root at jvincent-D800 tmp]# su - postgres
[postgres at jvincent-D800 ~]$ id
uid=501(postgres) gid=501(postgres) groups=501(postgres)
[postgres at jvincent-D800 ~]$ whoami
postgres
[postgres at jvincent-D800 ~]$ cat /tmp/file.txt
cat: /tmp/file.txt: Permission denied
[postgres at jvincent-D800 ~]$


Thanks!

Jon