<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - systemd-tmpfiles adds ACLs multiple times"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=89202">89202</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>systemd-tmpfiles adds ACLs multiple times
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>systemd
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>systemd-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>martin.pitt@ubuntu.com
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>systemd-bugs@lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Version 219 gained support for ACLs in tmpfiles.d. But this isn't idempotent,
it appends identical ACLs with each run. This isn't that important for /run/,
but problematic for persistant directories like /var/log/journal.

If you run 

  sudo ./systemd-tmpfiles --create `pwd`/tmpfiles.d/systemd.conf

in the built tree (which is probably the most convenient reproducer for
developers) 3 times, you get

$ getfacl /run/log/journal/5aa2ce6f17f156f9099864b6546dc1b0/
# file: run/log/journal/5aa2ce6f17f156f9099864b6546dc1b0/
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
group:adm:r-x
group:adm:r-x
group:adm:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:adm:r-x
default:group:adm:r-x
default:group:adm:r-x
default:mask::r-x
default:other::---

I. e. the "adm" ACLs are repeated three times (notice that I left out the
"wheel" ones as that group doesn't exist in Debian).

These duplicate entries not only pile up on persistant directories like /var
over time, they also break the setfacl command line tool, which doesn't like
them:

$ sudo setfacl -R -nm g:adm:rx,d:g:adm:rx
/run/log/journal/5aa2ce6f17f156f9099864b6546dc1b0
setfacl: /run/log/journal/5aa2ce6f17f156f9099864b6546dc1b0: Malformed access
ACL
`user::rwx,group::r-x,group:adm:r-x,group:adm:r-x,group:adm:r-x,mask::r-x,other::---':
Duplicate entries at entry 4
setfacl: /run/log/journal/5aa2ce6f17f156f9099864b6546dc1b0/system.journal:
Malformed access ACL
`user::rwx,group::r--,group:adm:r-x,group:adm:r-x,group:adm:r-x,mask::r-x,other::---':
Duplicate entries at entry 4</pre>
        </div>
      </p>
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are the QA Contact for the bug.</li>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>