[systemd-devel] [PATCH] journald: DO recalculate the ACL mask, but only if it doesn't exist
Zbigniew Jędrzejewski-Szmek
zbyszek at in.waw.pl
Wed May 29 21:46:52 PDT 2013

On Thu, May 30, 2013 at 03:22:36AM +0200, Jan Alexander Steffens wrote:
> On Wed, May 29, 2013 at 3:14 PM, Colin Walters <walters at verbum.org> wrote:
> > I fully realize you did not introduce the current naming scheme in
> > acl-util.c, but more stomping on the "acl_" namespace that currently
> > lives in libacl.so seems like a bad idea - they'd be fully within their
> > rights to introduce a symbol acl_calc_mask_if_needed() which we'd
> > transparently shadow.
>
> Well, another patch can change those two functions then, if needed.

I changed the name of the newly added function. Other ones can indeed
be changed separately.

> > Anyways, on to the actual content of the patch...I've sat down with
> > "man 5 acl", and it seems possible to me you're still reintroducing the
> > bug Lennart was trying to fix. From his commit message, I think it's
> > that /var/log had an ACL with group-executable in the default ACL, we'll
> > end up recalculating the mask still, and that would include the group
> > execute.
>
> I've actually tested this. A "setfacl -d -m g:adm:r-- machine-dir"
> gave it the following ACL:
> # file: <machine-id>
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x
> default:user::rwx
> default:group::r-x
> default:group:adm:r--
> default:mask::r-x
> default:other::r-x

Seems to be correct to me, applied.

Zbyszek
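
The rule in the subject line, modelled on the default ACL quoted above, as an added example that is not part of the thread and not systemd's code. It assumes the POSIX rule from acl_calc_mask(3) that the mask is the union of the named-user, owning-group and named-group entries; the function names are hypothetical and the sample input is constructed from the quoted ACL with its mask line removed.

```python
# Added illustration; models the rule in plain Python, not systemd's acl-util.c.
# Constructed input: the default ACL quoted in the thread, mask line removed.
SAMPLE = """\
default:user::rwx
default:group::r-x
default:group:adm:r--
default:other::r-x
"""

def parse_acl(text):
    """Parse the entries of ONE ACL (access or default) into (tag, qualifier, perms)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop getfacl comment lines
        if not line:
            continue
        if line.startswith("default:"):
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perms))
    return entries

def union(perms_list):
    """Union of rwx strings: ["r-x", "r--"] -> "r-x"."""
    return "".join(c if any(p[i] == c for p in perms_list) else "-"
                   for i, c in enumerate("rwx"))

def calc_mask_if_needed(entries):
    """Append a mask only if none exists and a named user/group entry needs one."""
    if any(tag == "mask" for tag, _, _ in entries):
        return entries                      # existing mask stays as it is
    if not any(tag in ("user", "group") and q for tag, q, _ in entries):
        return entries                      # minimal ACL, no mask required
    # Group class: named users, owning group, named groups.
    group_class = [p for tag, q, p in entries
                   if tag == "group" or (tag == "user" and q)]
    return entries + [("mask", "", union(group_class))]

def mask_of(entries):
    """Return the mask permissions, or None when the ACL has no mask entry."""
    return next((p for tag, _, p in entries if tag == "mask"), None)

if __name__ == "__main__":
    print(mask_of(calc_mask_if_needed(parse_acl(SAMPLE))))   # r-x
```

For the sample the computed mask is r-x, the same value as the default:mask::r-x line in the quoted output; an ACL that already carries a mask is returned unchanged.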