bug#8527: cp/mv in coreutils don't respect the default ACL of parent

2014-10-08 Thread f0rhum
And creations in the copied dir are OK:
Here the ~faulty~ acl for memory:
# file: srv/test/200402/
USER   me   rwx  rwx
user   reader   R-X  r-x
GROUP  writers  RWX  rwx
group  reader   R-X  r-x
group  writers  RWX  rwx
mask    ---  rwx
other   ---  ---

Then creations
me@pc:/srv$ mkdir test/200402/dir
me@pc:/srv$ touch test/200402/dir/file
   
me@pc:/srv$ getfacl -Rt test/200402/dir
# file: test/200402/dir
USER   me   rwx  rwx
user   reader   r-x  r-x
GROUP  writers  rwx  rwx
group  reader   r-x  r-x
group  writers  rwx  rwx
mask    rwx  rwx
other   ---  ---

# file: test/200402/dir/file
USER   me   rw- 
user   reader   r-X 
GROUP  writers  rwX 
group  reader   r-X 
group  writers  rwX 
mask    rw-
other   ---

Are OK with regard to the parent's correct Default mask, but only me as the USER
can do this because other writers lost rwx on parent copy (200402 dir)





bug#8527: cp/mv in coreutils don't respect the default ACL of parent

2014-10-07 Thread Linda A. Walsh

f0r...@free.fr wrote:
I can confirm. Tests show that the parent folder ACL Default mask is not inherited as the ACL Access mask of the file|dir created by cp|mv. 



What file system and core utils are you using?

Are you using a file system that has alternate user-data forks
or extended attributes that have them included by default? 
Or are you using a file system where they were added on as a super-user 
control'd option?  Have you tried copying them as root?


The reason I ask, is that I just tried it and it appears to work:
1) First the dir:

 cd /tmp
 llg -d /tmp

drwxrwxrwt 25 root root 8192 Oct  7 02:21 /tmp/

 lsacl /tmp

[u::rwx,g::rwx,o::rwx] /tmp   #default ACL from mode bits

2) Create file with 'touch'

 touch x # new file

Ishtar:/tmp llg x
-rw-rw-r-- 1 law lawgroup 0 Oct  7 02:26 x

 lsacl

[u::rw-,g::rw-,o::r--] x  #default ACL

3) now I'll copy in a *directory* that has both types of ACL's on it, but
not specifying that any permissions be copied:


 ll -d  /Media/Library/_artwork/test   #source

drwxrwsr-x+ 2 10 Oct  7 02:33 /Media/Library/_artwork/test/
Ishtar:/tmp lsacl  /Media/Library/_artwork/test  
[u::rwx,u:Media:rwx,g::rwx,g:Media:rwx,m::rwx,o::r-x/u::rwx,u:Media:rwx,g::rwx,g:Media:rwx,m::rwx,o::r-x] /Media/Library/_artwork/test


(note, 2nd acl is default dir (lsacl uses chacl -l)
Ishtar:/tmp 'cp' -r /Media/Library/_artwork/test .  #recursive to tmp
Ishtar:/tmp llg -d test
drwxrwxr-x 2 law lawgroup 6 Oct  7 02:34 test/
Ishtar:/tmp lsacl test  #no attr indicated
[u::rwx,g::rwx,o::r-x] test  #default ACL shown

So far all seems fine.

4) Now lets copy the perms too:

Ishtar:/tmp rd test
Ishtar:/tmp 'cp' -a /Media/Library/_artwork/test .
Ishtar:/tmp llg -d test
drwxrwsr-x+ 2 law Media 6 Oct  7 02:33 test/
Ishtar:/tmp lsacl test  #same ACL as source
[u::rwx,u:Media:rwx,g::rwx,g:Media:rwx,m::rwx,o::r-x/u::rwx,u:Media:rwx,g::rwx,g:Media:rwx,m::rwx,o::r-x] test


5) create file in that dir:

Ishtar:/tmp cd test
Ishtar:/tmp/test touch touched_file
Ishtar:/tmp/test llg touched_file
-rw-rw-r--+ 1 law Media 0 Oct  7 02:42 touched_file
Ishtar:/tmp/test lsacl touched_file
[u::rw-,u:Media:rwx,g::rwx,g:Media:rwx,m::rw-,o::r--] touched_file
---
File has expected inherited ACL.

6) Now ... lets use cp to copy a file w/o acls in:
(first create normal file under /tmp):


 echo perm test >/tmp/perm.txt

Ishtar:/tmp/test llg /tmp/perm.txt
-rw-rw-r-- 1 law lawgroup 10 Oct  7 02:59 /tmp/perm.txt
Ishtar:/tmp/test lsacl /tmp/perm.txt
[u::rw-,g::rw-,o::r--] /tmp/perm.txt

 'cp' /tmp/perm.txt .

Ishtar:/tmp/test llg perm.txt
-rw-rw-r--+ 1 law Media 10 Oct  7 03:01 perm.txt
Ishtar:/tmp/test lsacl perm.txt
[u::rw-,u:Media:rwx,g::rwx,g:Media:rwx,m::rw-,o::r--] perm.txt


8) Looks the same to me...However, check this out:

Ishtar:/tmp/test rm perm.txt
Ishtar:/tmp/test cp /tmp/perm.txt . 
Ishtar:/tmp/test llg /tmp/perm.txt

-rw-rw-r-- 1 law lawgroup 10 Oct  7 02:59 /tmp/perm.txt
Ishtar:/tmp/test lsacl perm.txt

No acl this time, but same copy...or was it?

Note I was careful to use 'cp' most of the time when copying except
this last time, cuz:

 alias cp

alias cp='cp --preserve=mode,timestamps'

my normal cp is an alias -- that says to preserve the mode.
It wouldn't be able to do that if it allowed the default ACL
to be set on the file.

--
So, I don't know if this is related to your problem, but
cp appears to be working correctly here
filesystem = xfs (acls are always on as they came with the filesystem).
kernel=

Linux Ishtar 3.16.2-Isht-Van #1 SMP PREEMPT Tue Sep 9 18:26:43 PDT 2014 x86_64 x86_64 x86_64 GNU/Linux



==

If this was any help -- great, if it was an annoyance,
just delete it and I can claim my dog ate my keyboard...
(funny things come out of dogs stomachs ;-))...








bug#8527: cp/mv in coreutils don't respect the default ACL of parent

2014-10-07 Thread f0rhum
Thank you, Linda, for the extensive answer.
Just some additional info before I reply to your questions: for my own tests I
didn't use /tmp as target because the sticky bit could do something special
(not sure). Instead I used /srv/test that I chown me:writers , set chmod -R
u:rwX,g:srwX then setfacl --set as needed, all this as root. The goal being
having a group writers rwX, another group readers with rX on the tree and
o:---, and ignore source perms if any.


 What file system and core utils are you using?

My target file system is ext4 (default mount options include acl and user_xattr),
coreutils is 8.21, kernel is 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3
21:30:07 UTC 2014 x86_64 GNU/Linux (with embedded acl support out of the box).

 Are you using a file system that has alternate user-data forks
 or extended attributes that have them included by default?
 Or are you using a file system where they were added on as a super-user
 control'd option?  Have you tried copying them as root?

I know this:
from local, umask=0002
from ssh,   umask=0022
no cp aliases, I just need/use the default, i.e. do-not-preserve-perms
All my tests below are run locally. So I wrote a script that echoes each line:
sudo ~/acl.sh
0 mkdir -pv /srv/test
0 setfacl -bk /srv/test
0 rm -rf /srv/test/*
ownership of /srv/test was kept as me:writers
0 chown -Rv me:writers /srv/test
mode of /srv/test/ was changed from 2770 (rwxrws---) to  (-)
0 (removed all bits)
mode of /srv/test/ was changed from  (-) to 2770 (rwxrws---)
0 chmod -Rv u+rwX,g+srwX /srv/test
0 setfacl -R --set d:u::rwx,d:g::rwx,d:g:writers:rwx,d:u:reader:rx,d:g:reader:rx,d:o::---,d:m::rwx /srv/test
getfacl: remove first / out of absolute path names
# file: srv/test
USER   me   rwx  rwx
user   reader        r-x
GROUP  writers  rwx  rwx
group  reader        r-x
group  writers       rwx
mask                 rwx
other   ---  ---

0 setfacl -R --set u::rwX,g::rwX,u:reader:rX,g:writers:rwX,g:reader:rx,o::---,m::rwX /srv/test
getfacl: remove first / out of absolute path names
# file: srv/test
USER   me   rwx  rwx
user   reader   r-x  r-x
GROUP  writers  rwx  rwx
group  reader   r-x  r-x
group  writers  rwx  rwx
mask    rwx  rwx
other   ---  ---

So at the moment this last command shows all is alright
   Now, let's copy 
me@pc:/srv$ cp -r /media/me/USPEED/200402/ /srv/test
me@pc:/srv$ getfacl -t /srv/test/200402/
getfacl: remove first / out of absolute path names
# file: srv/test/200402/
USER   me   rwx  rwx
user   reader   R-X  r-x
GROUP  writers  RWX  rwx
group  reader   R-X  r-x
group  writers  RWX  rwx
mask    ---  rwx
other   ---  ---

***problems begin: default ACLs are kept OK (right perm column), ***
***but Access ACLs are lost (capitalized in left column by -t are the denied
perms because mask is lost, do not confuse with cap X in chmod)***
***only file owner can traverse, nobody else can***

me@pc:/srv$ getfacl -t /srv/test/200402/P2220368.JPG 
getfacl: remove first / out of absolute path names
# file: srv/test/200402/P2220368.JPG
USER   me   rw- 
user   reader   r-X 
GROUP  writers  rWX 
group  reader   r-X 
group  writers  rWX 
mask    r--
other   ---
*** Here one sees writers lost the write perm, and reader could read if only he
could traverse above***

Do the same by creation:
me@pc:/srv$ mkdir test/handdir
me@pc:/srv$ touch test/handdir/file
me@pc:/srv$ getfacl -Rt test/handdir/
# file: test/handdir/
USER   me   rwx  rwx
user   reader   r-x  r-x
GROUP  writers  rwx  rwx
group  reader   r-x  r-x
group  writers  rwx  rwx
mask    rwx  rwx
other   ---  ---

# file: test/handdir//file
USER   me   rw- 
user   reader   r-X 
GROUP  writers  rwX 
group  reader   r-X 
group  writers  rwX 
mask    rw-
other   ---
***all is OK this way***








 The reason I ask, is that I just tried it and it appears to work:
 1) First the dir:
   cd /tmp
   llg -d /tmp
 drwxrwxrwt 25 root root 8192 Oct  7 02:21 /tmp/
   lsacl /tmp
 [u::rwx,g::rwx,o::rwx] /tmp   #default ACL from mode bits
 
 2) Create file with 'touch'
   touch x # new file
 Ishtar:/tmp llg x
 -rw-rw-r-- 1 law lawgroup 0 Oct  7 02:26 x
   lsacl
 [u::rw-,g::rw-,o::r--] x  #default ACL
 
 3) now I'll copy in a *directory* that has both types of ACL's on it, but
 not specifying that any permissions be copied:
 
   ll -d  /Media/Library/_artwork/test   #source
 drwxrwsr-x+ 2 10 Oct  7 02:33 
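
Added example (not part of the thread and not coreutils code): a small Python model of the acl(5) rule for objects created under a directory that has a default ACL, applied to the default ACL set on /srv/test in the message above. The creation modes 0700 and 0644 are assumptions, chosen because they reproduce the masks shown for 200402/ and P2220368.JPG; the thread does not state the source modes.

```python
# Added example. Models the acl(5) object-creation rule only; it does not run cp.
# Default ACL as set on /srv/test in the thread (the d: entries of setfacl --set).
DEFAULT_ACL = "u::rwx,u:reader:r-x,g::rwx,g:reader:r-x,g:writers:rwx,m::rwx,o::---"

def bits(s):
    """'r-x' -> 5"""
    return sum(v for c, v in zip(s, (4, 2, 1)) if c != "-")

def perm(n):
    """5 -> 'r-x'"""
    return "".join(c if n & v else "-" for c, v in zip("rwx", (4, 2, 1)))

def parse_acl(text):
    """'u::rwx,g:writers:rwx' -> [(tag, qualifier, bits), ...]"""
    return [(t, q, bits(p)) for t, q, p in (e.split(":") for e in text.split(","))]

def inherit(default_acl, mode):
    """Access ACL of a new object created with `mode` under a default ACL.

    The owner bits of `mode` limit u::, the group bits limit the mask (m::),
    the other bits limit o::. Named entries and g:: are copied unchanged and
    the umask is not consulted. Assumes the default ACL has a mask entry.
    """
    limit = {("u", ""): mode >> 6 & 7, ("m", ""): mode >> 3 & 7, ("o", ""): mode & 7}
    return [(t, q, p & limit.get((t, q), 7)) for t, q, p in default_acl]

def effective(acl):
    """Effective rights: named users, g:: and named groups are capped by the mask."""
    mask = next(p for t, q, p in acl if t == "m")
    capped = lambda t, q: (t, q) not in (("u", ""), ("o", ""), ("m", ""))
    return {f"{t}:{q}": perm(p & mask if capped(t, q) else p) for t, q, p in acl}

def created(mode, default=DEFAULT_ACL):
    """Effective rights on an object created with `mode` under `default`."""
    return effective(inherit(parse_acl(default), mode))

if __name__ == "__main__":
    cases = [("mkdir, mode 0777", 0o777),
             ("touch, mode 0666", 0o666),
             ("assumed directory create, mode 0700", 0o700),
             ("assumed file create, mode 0644", 0o644)]
    for label, mode in cases:
        print(f"{label:38}", created(mode))
```

The first two cases correspond to the handdir listing and the last two to the 200402 listing: the mask, and with it every named and group entry, follows the group bits of the mode passed at creation.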

bug#8527: cp/mv in coreutils don't respect the default ACL of parent

2014-10-07 Thread Linda Walsh

Sorry, I didn't forward this to the right list...

The user data / extended attribute forks are where Linux stores the ACL's.  ext4 should be configurable to do what you want to do, but I haven't personally used it -- but I understand it has similar functionality as xfs.  The process umask is a masking off of privs/permissions one sets on a normal file (ACL's aside).  It affects the permission bits on the file.  So if your umask was 077, then you open a file for rwx rwx rwx, it would mask off group and other allowing the permissions to be 700 or rwx, --- ---.  (I might have the order backwards, but it's the standard order you see in ls with numeric permissions)...Your umask will affect your file mode creation, but it depends on what flags you use when you use 'cp' -- which is one of the main points of my detail... after everything was shown to be working correctly in my case, a setting I have in an alias to my cp would have over-ridden any other settings and made it look like 'cp' ignored directory ACL or (sounds like you might be talking group ownership -- of a dir -- or are you talking both).

Really, I'm not a member of the core utils devel group, so I really prefer you send your answers and questions there, as they'll catch a lot more things than I would -- I was just showing an example of how your setting can override everything you think you are setting -- so you'll need to provide more detail about what your umask is (type umask at prompt to see), and whether or not you have any aliases or ENV vars in effect that could alter things.  If you can give an exact formula along the lines of what I did to demonstrate your problem, that will help the developers the most.  The detail I gave was only to show how things you don't think of may be affecting you and to be sure to check for them.  I'm cc'ing the list on my reply, but leaving your email off of it, so if you want to ask them if they need more information that's fine... otherwise, write down the exact commands you typed and your environment, to repeat it.. (umask included).

If you want to use my lsacl script.. it's a trivial build on top of the chacl
program.  But please post to the list so everyone can be on the same page

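lsacl script
more lsacl
#!/bin/bash
# Print the ACL reported by 'chacl -l' in front of each file name.
acllen=0
for fn in "$@"; do
  out=$(chacl -l "$fn")
  qfn=$(printf "%q" "$fn")
  perm=${out#"$qfn"}   # drop the leading file name from chacl's output
  perm=${perm# }       # and the space that separated it from the ACL
  thislen=${#perm}
  # widen the ACL column to the longest ACL seen so far
  if ((thislen > acllen)); then acllen=$thislen; fi
  printf "%-${acllen}s %s\n" "$perm" "$fn"
done
=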
Very trivial... but allowed  me to look at multiple files at a time...


IF you can give a recipe or script that duplicates the problem you saw, that would
be the best way to move this bug along (toward cockpit error or new special case found!).

Best of luck either way!










bug#8527: cp/mv in coreutils don't respect the default ACL of parent

2014-10-03 Thread f0rhum
I can confirm. Tests show that the parent folder ACL Default mask is not 
inherited as the ACL Access mask of the file|dir created by cp|mv.