[pulseaudio-discuss] Failed to create secure directory with ACL
Prunk Dump
prunkdump at gmail.com
Sun Apr 20 03:04:04 PDT 2014
2014-04-07 14:11 GMT+02:00 Prunk Dump <prunkdump at gmail.com>:
>>> $mkdir /home/teachers/pellegrb/.pulse
>>> $chown 3000137:3000038 /home/teachers/pellegrb/.pulse
>>> $chmod 0700 /home/teachers/pellegrb/.pulse
>>> $ls -al /home/teachers/pellegrb
>>>
>>> drwxrwx---+ 2 pellegrb teachers 0 avril 7 14:02 .pulse
2014-04-17 13:15 GMT+02:00 Tanu Kaskinen <tanu.kaskinen at linux.intel.com>:
>> So the file system ignores the mode that is given to mkdir and chmod. Is
>> the result same if you pass --mode=0700 to mkdir?
2014-04-17 14:09 GMT+02:00 Alexander E. Patrakov <patrakov at gmail.com>:
> Well, the problem here is that the CIFS server gives extra unwanted access
> rights to the directory. So PulseAudio rightfully complains. However, in
> some cases (e.g. on CIFS and other non-native filesystems), this error is
> not actionable.
Yes, same result with mkdir --mode=0700. But I think there are not
unwanted access rights. When Acls are enabled the standard POSIX bits
have not the same sense. So you can't use ls -l or lstat() to get
file's access rights. The "+" on ls -l show that "getfacl" need to be
used.
>>> $ls -al /home/teachers/pellegrb
>>>
>>> drwxrwx---+ 2 pellegrb teachers 0 avril 7 14:02 .pulse
As I understand every seems ok in the ACL sense. When I create the
directory the default permissions are inherited :
$mkdir /home/teachers/pellegrb/.pulse
$ls -al /home/teachers/pellegrb
drwxrwx---+ 2 pellegrb teachers 0 avril 7 14:02 .pulse
$getfacl /home/teachers/pellegrb/.pulse
# file: home/teachers/pellegrb/.pulse
# owner: pellegrb
# group: teachers
user::rwx
user:3000038:r-x
group::r-x
group:teachers:r-x
group:3000137:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:pellegrb:rwx
default:group::r-x
default:group:teachers:r-x
default:mask::rwx
default:other::r-x
And when I chown the file (useless) and chmod it, the "group" and
"other" right access are changed :
$chown 3000137:3000038 /home/teachers/pellegrb/.pulse
$chmod 0700 /home/teachers/pellegrb/.pulse
$getfacl /home/teachers/pellegrb/.pulse
# file: home/teachers/pellegrb/.pulse
# owner: pellegrb
# group: teachers
user::rwx
user:3000038:r-x
group::---
group:teachers:r-x
group:3000137:rwx
mask::rwx
other::---
default:user::rwx
default:user:pellegrb:rwx
default:group::r-x
default:group:teachers:r-x
default:mask::rwx
default:other::r-x
This behavior is the same with EXT4 ACLs, it seems not a CIFS problem.
But PulseAudio doen't check ACLs on home folders.
2014-04-17 14:09 GMT+02:00 Alexander E. Patrakov <patrakov at gmail.com>:
> Instead, I suggest to ignore fchown() failures that are not even supposed to
> be actionable and are not security-relevant, with a warning. IMHO a good
> heuristic to decide whether to propagate fchown() failures would be uid !=
> -1, or, equivalently, a test for system mode.
Excuse me Alexander, I'am french and I don't understand your
suggestion. Your suggestion is for me or for a code source
modification ? I don't understand what is a "actionable error" and how
can I ignore the fchown() failures.
In my case pulse audio won't start ! It is not only a warning. But in
reality the .pulse folder is secured, no other user can access its
contents.
Thanks very much for the help !
Baptiste.
More information about the pulseaudio-discuss
mailing list