Package: acl
Version: 2.2.49-4
Severity: normal

I've noticed that the set-gid bit will not be included (when it should be) for newly created sub-directories under the following set of circumstances:

1. The user creating the sub-directory is not part of the group that owns the parent directory.
2. There is a default FACL set on the parent directory.

Example:

=== Step 1: Create a directory, set the set-gid bit, assign it a default FACL ===

[neal@lego ~/test]$ ls -al
total 232
drwxrwxr-x 2 neal neal 8192 Nov 29 15:41 ./
drwxr-xr-x 73 neal neal 229376 Nov 29 15:38 ../
[neal@lego ~/test]$ mkdir test-facl
[neal@lego ~/test]$ ls -al
total 240
drwxrwxr-x 3 neal neal 8192 Nov 29 15:41 ./
drwxr-xr-x 73 neal neal 229376 Nov 29 15:38 ../
drwxrwx--- 2 neal neal 8192 Nov 29 15:41 test-facl/
[neal@lego ~/test]$ chgrp cs127ta test-facl/
[neal@lego ~/test]$ chmod g+s test-facl/
[neal@lego ~/test]$ ls -al
total 240
drwxrwxr-x 3 neal neal 8192 Nov 29 15:41 ./
drwxr-xr-x 73 neal neal 229376 Nov 29 15:38 ../
drwxrws--- 2 neal cs127ta 8192 Nov 29 15:41 test-facl/
[neal@lego ~/test]$ setfacl -d -m u:cs127000:rwx test-facl/
[neal@lego ~/test]$ setfacl -m u:cs127000:rwx test-facl/
[neal@lego ~/test]$ getfacl test-facl/
# file: test-facl/
# owner: neal
# group: cs127ta
# flags: -s-
user::rwx
user:cs127000:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:cs127000:rwx
default:group::rwx
default:mask::rwx
default:other::---

=== Step 2: Verify that directory creation works as expected. ===

[neal@lego ~/test/test-facl]$ mkdir test
[neal@lego ~/test/test-facl]$ ls -al
total 24
drwxrws---+ 3 neal cs127ta 8192 Nov 29 16:05 ./
drwxrwxr-x 3 neal neal 8192 Nov 29 15:41 ../
drwxrws---+ 2 neal cs127ta 8192 Nov 29 16:05 test/

=== Step 3: Using a user not in the group that owns the directory, create a directory and notice the set-gid bit is not set ===

[cs127000@lego ~/test/test-facl]$ mkdir test2
[cs127000@lego ~/test/test-facl]$ ls -al
total 32
drwxrws---+ 4 neal cs127ta 8192 Nov 29 16:06 ./
drwxrwxr-x 3 neal neal 8192 Nov 29 15:41 ../
drwxrws---+ 2 neal cs127ta 8192 Nov 29 16:05 test/
drwxrwx---+ 2 cs127000 cs127ta 8192 Nov 29 16:06 test2

=== Step 4: Verify that removing the default ACL fixes the issue ===

[neal@lego ~/test]$ setfacl -k test-facl/
[neal@lego ~/test]$ getfacl test-facl/
# file: test-facl/
# owner: neal
# group: cs127ta
# flags: -s-
user::rwx
user:cs127000:rwx
group::rwx
mask::rwx
other::---

[cs127000@lego ~/test/test-facl]$ $ mkdir test3
[cs127000@lego ~/test/test-facl]$ $ ls -al
total 40
drwxrws---+ 5 neal cs127ta 8192 Nov 29 16:06 ./
drwxrwxr-x 3 neal neal 8192 Nov 29 15:41 ../
drwxrws---+ 2 neal cs127ta 8192 Nov 29 16:05 test/
drwxrwx---+ 2 cs127000 cs127ta 8192 Nov 29 16:06 test2/
drwxr-sr-x 2 cs127000 cs127ta 8192 Nov 29 16:06 test3/

-- System Information:
Debian Release: 6.0.6
APT prefers stable
APT policy: (750, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages acl depends on:
ii libacl1 2.2.49-4 Access control list shared library
ii libattr1 1:2.4.44-2 Extended attribute shared library
ii libc6 2.11.3-4 Embedded GNU C Library: Shared lib

acl recommends no packages.

acl suggests no packages.

-- debconf-show failed
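An audit for the symptom shown in Step 3, added here as an example and not part of the original report: it walks a shared tree and lists sub-directories that lack the set-gid bit although their parent has it, noting whether the parent carries a default ACL. The function names are hypothetical; the default-ACL check assumes Linux, where a default ACL is stored in the system.posix_acl_default extended attribute.

```python
import os
import stat

# Linux extended attribute that holds a directory's default ACL (assumption: Linux).
DEFAULT_ACL_XATTR = "system.posix_acl_default"


def has_default_acl(path):
    """Return True if the directory carries a default ACL."""
    try:
        os.getxattr(path, DEFAULT_ACL_XATTR)
        return True
    except (OSError, AttributeError):
        # No default ACL, no xattr support on this filesystem, or not Linux.
        return False


def find_setgid_gaps(root):
    """List sub-directories that did not inherit set-gid from a set-gid parent.

    Each finding is (path, owner_uid, parent_has_default_acl).
    """
    findings = []
    for parent, dirnames, _files in os.walk(root):
        if not os.lstat(parent).st_mode & stat.S_ISGID:
            continue  # parent is not set-gid, nothing to inherit
        parent_acl = has_default_acl(parent)
        for name in dirnames:
            child = os.path.join(parent, name)
            st = os.lstat(child)
            # lstat skips symlinks to directories; only real directories count.
            if stat.S_ISDIR(st.st_mode) and not st.st_mode & stat.S_ISGID:
                findings.append((child, st.st_uid, parent_acl))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, uid, acl in find_setgid_gaps(root):
        print(f"{path}: set-gid missing (owner uid {uid}, "
              f"parent default ACL: {acl})")
```

Run against the tree from the report, this would list test2 but not test or test3. A flagged directory can be repaired by its owner or root with chmod g+s.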

