
I'm attempting to execute the ls command on a directory which has acl permissions for the owner and group of the directory (with no standard posix permissions set). This results in a Permission Denied even though getfacl says the user should be able to do so.

Here's what I'm doing:

  1. Create a directory and a file inside it.

    mkdir /tmp/mydir && touch /tmp/mydir/myfile

  2. Check if I can execute ls on this directory.

    jgazula@gazula:/tmp$ ls -al /tmp/mydir/
    total 896
    drwxrwxr-x  2 jgazula jgazula   4096 Nov  1 11:57 .
    drwxrwxrwt 25 root    root    909312 Nov  1 11:57 ..
    -rw-rw-r--  1 jgazula jgazula      0 Nov  1 11:57 myfile

  3. Now, let's remove all the standard posix permissions on this directory.

    chmod 000 /tmp/mydir

  4. Verify the permissions.

    jgazula@gazula:/tmp$ ls -al /tmp | grep mydir
    d---------  2 jgazula jgazula   4096 Nov  1 11:57 mydir

  5. We shouldn't be able to ls now.

    jgazula@gazula:/tmp$ ls -al /tmp/mydir/
    ls: cannot open directory '/tmp/mydir/': Permission denied

  6. Set the acl permissions for the jgazula user and group.

    sudo setfacl --mask -Rm u:jgazula:rwx,g:jgazula:rwx /tmp/mydir/

  7. Verify the acl permissions.

    jgazula@gazula:/tmp$ getfacl -ep /tmp/mydir/
    # file: /tmp/mydir/
    # owner: jgazula
    # group: jgazula
    user::---
    user:jgazula:rwx        #effective:rwx
    group::---              #effective:---
    group:jgazula:rwx       #effective:rwx
    mask::rwx
    other::---

  8. Since the acl permissions (including the effective permissions) look good, I should be able to execute ls on the directory?

    jgazula@gazula:/tmp$ ls -al /tmp/mydir/
    ls: cannot open directory '/tmp/mydir/': Permission denied

But I can't and I don't understand why.

  9. Interestingly enough, when I check the standard posix permissions, the group permission bits have been set? Not sure I understand why only group permissions have been updated.

    jgazula@gazula:/tmp$ ls -al /tmp | grep mydir
    d---rwx---+  2 jgazula jgazula   4096 Nov  1 12:13 mydir

  10. Let's set the acl permissions for the owner and group (i.e., omit the owner/group from the command).

    sudo setfacl --mask -Rm u::rwx,g::rwx /tmp/mydir/

  11. Verify the acl permissions again.

    jgazula@gazula:/tmp$ getfacl -ep /tmp/mydir/
    # file: /tmp/mydir/
    # owner: jgazula
    # group: jgazula
    user::rwx
    user:jgazula:rwx        #effective:rwx
    group::rwx              #effective:rwx
    group:jgazula:rwx       #effective:rwx
    mask::rwx
    other::---

  12. Check if I can execute ls now.

    jgazula@gazula:/tmp$ ls -al /tmp/mydir/
    total 896
    drwxrwx---+  2 jgazula jgazula   4096 Nov  1 11:57 .
    drwxrwxrwt  25 root    root    909312 Nov  1 11:57 ..
    -rwxrwxr--+  1 jgazula jgazula      0 Nov  1 11:57 myfile

Why does step #6 not work by itself? I'm setting the acl permissions explicitly for a user and group. Why do I need to execute step #11?

1 Answer

When you run sudo setfacl --mask -Rm u:jgazula:rwx,g:jgazula:rwx /tmp/mydir/, you are creating an ACL_USER entry for user jgazula. But the ACL_USER_OBJ for the owner of the file is still ---. (You can see this in the getfacl output in step 7.)

According to man acl, the access check algorithm goes:

    1. If the effective user ID of the process matches the user ID of the file object owner, then
       if the ACL_USER_OBJ entry contains the requested permissions, access is granted,
       else access is denied.
    2. else if the effective user ID of the process matches the qualifier of any entry of type ACL_USER, then
       if the matching ACL_USER entry and the ACL_MASK entry contain the requested permissions, access is granted,
       else access is denied.

So the ACL_USER entry is never even checked.

There is essentially the same question on serverfault: ACL: giving - - - permissions for the owner of the file. (But it looks like the answer there got ACL_USER vs ACL_USER_OBJ reversed.)
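To see which ACL entry actually decides the owner's access, here is a small Python re-implementation of the acl(5) access check quoted in the answer, run offline against the two getfacl outputs from the question (after the first setfacl and after the second). This is an added example, not code from the question, the answer or the acl package; the extra callers alice and bob and their group memberships are assumed for illustration, and nothing here touches a real filesystem.

```python
"""POSIX ACL access check from acl(5), evaluated against getfacl text.
Added illustration; the ACL texts are copied from the question, the
callers alice/bob are assumed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perms(s: str) -> int:
    """'rwx' / 'r-x' / '---' -> 3-bit permission mask."""
    return sum(PERM_BITS[c] for c in s if c in PERM_BITS)


@dataclass
class Acl:
    user_obj: int = 0                     # ACL_USER_OBJ  (user::)
    group_obj: int = 0                    # ACL_GROUP_OBJ (group::)
    other: int = 0                        # ACL_OTHER     (other::)
    mask: Optional[int] = None            # ACL_MASK      (mask::), absent in a minimal ACL
    users: Dict[str, int] = field(default_factory=dict)   # ACL_USER  (user:NAME:)
    groups: Dict[str, int] = field(default_factory=dict)  # ACL_GROUP (group:NAME:)


def parse_getfacl(text: str) -> Acl:
    """Parse getfacl's long text form; '# file:' headers and the
    '#effective:' annotations are comments and are dropped."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        bits = parse_perms(perms)
        if tag == "user":
            if qualifier:
                acl.users[qualifier] = bits
            else:
                acl.user_obj = bits
        elif tag == "group":
            if qualifier:
                acl.groups[qualifier] = bits
            else:
                acl.group_obj = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other = bits
        else:
            raise ValueError(f"unknown ACL tag: {tag!r}")
    return acl


def access_granted(acl: Acl, owner: str, group: str,
                   euser: str, egroups: Set[str], want: str) -> bool:
    """acl(5) check for a process running as `euser` (member of `egroups`)
    on an object owned by owner:group. Exactly one branch decides."""
    need = parse_perms(want)
    mask = 7 if acl.mask is None else acl.mask
    # 1. Owner: only user:: counts; named user entries are never reached and
    #    the mask is not applied to the owner entry.
    if euser == owner:
        return (acl.user_obj & need) == need
    # 2. Named user entry, limited by the mask.
    if euser in acl.users:
        return (acl.users[euser] & mask & need) == need
    # 3. Owning group / named groups: if any matches the caller, grant when at
    #    least one matching entry (masked) suffices, else deny (no fallthrough).
    candidates = [acl.group_obj] if group in egroups else []
    candidates += [b for name, b in acl.groups.items() if name in egroups]
    if candidates:
        return any((b & mask & need) == need for b in candidates)
    # 4. Everyone else; the mask does not apply to other:: either.
    return (acl.other & need) == need


# getfacl output after `setfacl --mask -Rm u:jgazula:rwx,g:jgazula:rwx` (copied from the question)
AFTER_FIRST_SETFACL = """\
# file: /tmp/mydir/
# owner: jgazula
# group: jgazula
user::---
user:jgazula:rwx        #effective:rwx
group::---              #effective:---
group:jgazula:rwx       #effective:rwx
mask::rwx
other::---
"""
# getfacl output after the additional `setfacl --mask -Rm u::rwx,g::rwx` (copied from the question)
AFTER_SECOND_SETFACL = AFTER_FIRST_SETFACL.replace("user::---", "user::rwx") \
                                          .replace("group::---              #effective:---",
                                                   "group::rwx              #effective:rwx")

OWNER, GROUP = "jgazula", "jgazula"
LS_NEEDS = "rx"   # ls -l must read the directory (r) and stat its entries (x)


def owner_can_ls(acl: Acl) -> bool:
    return access_granted(acl, OWNER, GROUP, OWNER, {GROUP}, LS_NEEDS)


if __name__ == "__main__":
    for label, text in (("first setfacl", AFTER_FIRST_SETFACL), ("second setfacl", AFTER_SECOND_SETFACL)):
        acl = parse_getfacl(text)
        print(f"{label}: owner jgazula -> {owner_can_ls(acl)}, "
              f"alice (group jgazula) -> {access_granted(acl, OWNER, GROUP, 'alice', {'jgazula'}, LS_NEEDS)}, "
              f"bob -> {access_granted(acl, OWNER, GROUP, 'bob', {'bob'}, LS_NEEDS)}")
```

Running it shows jgazula denied on the first ACL and granted on the second, while alice, a hypothetical other member of group jgazula, is granted by both: she is evaluated under the group branch, where the named group:jgazula entry applies, whereas the owner never leaves branch 1. The same mask is also what ls displays in the group triad of the mode once an ACL is attached, which is why the question's step showing `d---rwx---+` looks as if only the group bits changed.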
