On 07/22/2012 12:50 AM, Luk Claes wrote:
> On 07/21/2012 11:56 PM, Eric Blake wrote:
>> tag 12020 moreinfo
>> thanks
>>
>> On 07/21/2012 12:41 PM, Luk Claes wrote:
>>> Hi
>>>
>>> Currently when using POSIX acls, this is not visible when listing files
>>> with ls. This means that users and system administrators cannot easily
>>> see when (non trivial) POSIX acls are in use which obviously can result
>>> in wrong expectations when only seeing the rwx kind of acls.
>>
>> What version of coreutils are you using, and on what distro?
>
> I'm using Debian, version 8.13
>
>>> At a minimum I would like that ls would show that extended system
>>> attributes are being used (maybe by showing something different than -
>>> for the type of file?).
>>
>> But ls _does_ already do that.
>
>> Notice how the 11th character changed from '+' (ACL present) to '.'
>> (SELinux label present)? That is, a trailing '+' is already what
>> coreutils uses to indicate the presence of ACLs (which generally provide
>> additional rights); and a trailing '.' indicates the presence of
>> restrictions (SELinux labels typically restrict rights depending on the
>> labeling of the calling context). On systems with neither ACLs nor
>> SELinux labels, then the 11th character is ' ' (space) to indicate no
>> other special permissions.
>
> Nice, though in that case it does apparently not vanish when I only
> remove the non-trivial acl again and keep the mask:
>
> $ getfacl foo
> # file: foo
> # owner: luk
> # group: luk
> user::rw-
> user:mongodb:rw-
> group::r--
> mask::rw-
> other::r--
>
> $ ls -l foo
> -rw-rw-r--+ 1 luk luk 5 Jul 22 00:37 foo
>
> $ setfacl -x u:mongodb foo
>
> $ ls -l foo
> -rw-r--r--+ 1 luk luk 5 Jul 22 00:37 foo
>
> $ getfacl foo
> # file: foo
> # owner: luk
> # group: luk
> user::rw-
> group::r--
> mask::r--
> other::r--
>
> Though I guess it's close enough, only a pity it's not in the manpage.

But it apparently does not show when capabilities are active, could that
be added (or was that added in the meantime in a subsequent version)?

$ setcap cap_chown+ep foo
$ ls -l foo
-rw-r--r-- 1 luk luk 5 Jul 22 00:37 foo
$ sudo getcap foo
foo = cap_chown+ep

Cheers

Luk
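
Added example, not part of the original message or of coreutils: a small Python parser for getfacl text that separates the two states in the transcript above, an ACL that still grants access to a named user versus one where only the mask is left (the state in which ls keeps printing '+'). The function names and the "named"/"residual"/"minimal" labels are assumptions made for this illustration.

```python
import re

# One ACL entry in getfacl text form: [default:]tag:qualifier:perms
ENTRY = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})")

# Copied from the transcript: before and after `setfacl -x u:mongodb foo`.
BEFORE = """# file: foo
# owner: luk
# group: luk
user::rw-
user:mongodb:rw-
group::r--
mask::rw-
other::r--
"""
AFTER = """# file: foo
# owner: luk
# group: luk
user::rw-
group::r--
mask::r--
other::r--
"""
# Constructed sample: only the three base entries, i.e. plain mode bits.
MINIMAL = "user::rw-\ngroup::r--\nother::r--\n"

def parse_getfacl(text):
    """Return (is_default, tag, qualifier, perms) tuples; '#' lines are skipped."""
    found = (ENTRY.match(line.strip()) for line in text.splitlines())
    return [(bool(m[1]), m[2], m[3], m[4]) for m in found if m]

def classify(text):
    """'named': extra users/groups hold entries; 'residual': only a mask or
    default entries remain beyond the base three; 'minimal': mode bits only."""
    entries = parse_getfacl(text)
    if any(q and t in ("user", "group") for _, t, q, _ in entries):
        return "named"
    if any(d or t == "mask" for d, t, _, _ in entries):
        return "residual"
    return "minimal"

def effective_named(text):
    """Named access entries with their permissions limited by the mask."""
    acc = [e for e in parse_getfacl(text) if not e[0]]
    mask = next((p for _, t, _, p in acc if t == "mask"), "rwx")
    return {f"{t}:{q}": "".join(c if c == m else "-" for c, m in zip(p, mask))
            for _, t, q, p in acc if q and t in ("user", "group")}

print(classify(BEFORE), classify(AFTER), classify(MINIMAL))
```

For an audit, only the "named" result means that someone beyond owner, group and other holds rights on the file; "residual" explains a '+' that no longer corresponds to any extra grant.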
