Bug 149387

Summary: behavior of acl permissions
Product: [openSUSE] SUSE LINUX 10.0 Reporter: Tim Fechtner <timmi>
Component: BasesystemAssignee: E-mail List <bnc-team-screening>
Status: VERIFIED INVALID QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None    
Version: Final   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Tim Fechtner 2006-02-09 07:23:45 UTC 
From the following behavior, I don't no if it is a bug, but it seems a little bit strange. I have a text file with the following acl:

# file: Textdatei
# owner: test
# group: users
user::rwx
group::r-x
group:testgroup:-w-
mask::rwx
other::---

The user "timi", who is member of the groups "users" and "testgroup", is able to open and modify this text file. This is the behaviar I expect following the man page "acl" - when a user is not the owner and not a named user, and he is "member" of at least _one_ group class entry (owning group or named group), then his access rights are the union of all group class entries where he is "member" (eventually reduced by the mask). So "timi" gets read access because he is member of "users", the owning group. And he gets write access because he is member of "testgroup".

Now I do the same with a directory instead of a file.

# file: test
# owner: test
# group: users
user::rwx
group::r-x
group:testgroup:-w-
mask::rwx
other::---

But it isn't possible to create or delete files in this directory:

timi@rechner54:/home/test> cp ./Textdatei /home/test/test/thisdoesntwork
cp: no se puede crear el fichero regular «/home/test/test/thisdoesntwork»: Permiso denegado
timi@rechner54:/home/test>

When I change the persmissions to 

# file: test
# owner: test
# group: users
user::rwx
group::rwx
group:testgroup:---
mask::rwx
other::---

then the operation is possible. But when I add then write permission to group:testgroup (so I give _more_ permissions) then access I otherwise denied.

When I have two named groups, it is possible to distribute w and x to these two groups and than it works independently of the state of owning group.


Is this normal, that directories behave different then files?
Comment 1 Michael Gross 2006-02-09 14:01:20 UTC 
That's indeed a little strange, timi should get write access to the directory because comined group|testgroup he has rwx on that directory - but maby this is intended? In this example, it first works after user has all permission bits and would probably also work if testgroup had all bits.

Andreas: Do we understand something wrong here? Is this intended?
Comment 2 Andreas Gruenbacher 2006-02-09 14:43:03 UTC 
The acl manpage doesn't even mention the word union. With the first acl, user timi has read+execute and write access, so he can open a file for reading, or writing, but not for read + write. ACL entries do not combine.

For creating something in a directory you need write + execute. A single entry must grant both write and execute, or else access will be denied.
Comment 3 Michael Gross 2006-02-09 14:50:39 UTC 
Thanks for the clarification.
Comment 4 Tim Fechtner 2006-02-10 13:53:33 UTC 
Also thanks for the clarification.