[systemd-devel] [PATCH] journald: DO recalculate the ACL mask, but only if it doesn't exist

Jan Alexander Steffens jan.steffens at gmail.com
Wed May 29 18:22:36 PDT 2013


On Wed, May 29, 2013 at 3:14 PM, Colin Walters <walters at verbum.org> wrote:
> I fully realize you did not introduce the current naming scheme in
> acl-util.c, but more stomping on the "acl_" namespace that currently
> lives in libacl.so seems like a bad idea - they'd be fully within their
> rights to introduce a symbol acl_calc_mask_if_needed() which we'd
> transparently shadow.

Well, another patch can change those two functions then, if needed.

> Anyways, on to the actual content of the patch...I've sat down with
> "man 5 acl", and it seems possible to me you're still reintroducing the
> bug Lennart was trying to fix.  From his commit message, I think it's
> that /var/log had an ACL with group-executable in the default ACL, we'll
> end up recalculating the mask still, and that would include the group
> execute.

I've actually tested this. A "setfacl -d -m g:adm:r-- machine-dir"
gave it the following ACL:
# file: <machine-id>
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:adm:r--
default:mask::r-x
default:other::r-x

User journals ended up with the following ACL:
# file: user-1000.journal
# owner: root
# group: systemd-journal
user::rw-
user:jan:r--
group::r-x                      #effective:r--
group:adm:r--
mask::r--
other::---

So the fchmod (0640) stays intact: user::rw- (6), mask::r-- (4), other::--- (0).
The executable bit in the "group" entry added by the directory default
ACL is masked.
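To make the mask arithmetic in the ACLs above concrete, here is an added Python model (an illustration for this thread, not journald's acl-util.c) that parses the quoted user-journal ACL, derives the 0640 mode from it, and shows that recalculating the mask from the group-class entries would reinstate the group execute bit. The helper names and the parsing rules are assumptions based on acl(5); the ACL text is the one quoted in the message.

```python
# Model of POSIX ACL mask semantics (acl(5)) applied to the getfacl output quoted above.
# Added illustration, not journald's acl-util.c; JOURNAL_ACL is copied from the message.
PERM_BITS = {"r": 4, "w": 2, "x": 1}
JOURNAL_ACL = """\
user::rw-
user:jan:r--
group::r-x                      #effective:r--
group:adm:r--
mask::r--
other::---
"""

def parse_acl(text):
    """getfacl-style lines -> [(tag, qualifier, perm_bits)]; '#' comments and default entries skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("default:"):
            continue
        tag, qual, perms = line.split(":")
        entries.append((tag, qual, sum(PERM_BITS[c] for c in perms if c in PERM_BITS)))
    return entries

def in_group_class(tag, qual):
    # Entries the mask applies to: owning group, named users, named groups.
    return tag == "group" or (tag == "user" and qual != "")

def current_mask(entries):
    """Permission bits of the mask:: entry, or None if the ACL has no mask."""
    return next((p for t, _, p in entries if t == "mask"), None)

def recalculated_mask(entries):
    """Union of all group-class entries: what acl_calc_mask(3) would install."""
    mask = 0
    for t, q, p in entries:
        if in_group_class(t, q): mask |= p
    return mask

def effective_perms(entries):
    """Group-class entries ANDed with the mask, as getfacl's #effective column shows."""
    mask = current_mask(entries)
    return [(t, q, p & mask if mask is not None and in_group_class(t, q) else p)
            for t, q, p in entries]

def mode_bits(entries, mask=None):
    """stat() mode: owner = user::, group = mask (or group:: if no mask), other = other::."""
    bits = {t: p for t, q, p in entries if q == ""}
    mask = current_mask(entries) if mask is None else mask
    group = bits["group"] if mask is None else mask
    return (bits["user"] << 6) | (group << 3) | bits["other"]
```

With the mask left at r-- (as fchmod(0640) set it), mode_bits() returns 0o640; with the mask recalculated from group::r-x, user:jan:r-- and group:adm:r-- it becomes r-x and the mode would read 0o650, which is the regression the thread is discussing.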
