ACLs and `ls -l'
Andreas Gruenbacher
a.gruenbacher at bestbits.at
Sat Feb 19 23:20:16 GMT 2000
Robert Watson wrote:
>
> On Sat, 19 Feb 2000, Andreas Gruenbacher wrote:
>
> > pathconf(path, _POSIX_TRUE_MODE)
> > --------------------------------
> > Returns 0 if the file mode permission bits accurately reflect the permissions of
> > path. Returns 1 if the file mode permission bits are a superset of the actual
> > permissions of a file.
>
> Andreas,
>
> I generally agree with the principle, but think you mean ``subset'' :-).

No, superset is correct. Posix1e defines that additional access control
mechanisms may further restrict access to a file, and that the file mode
permission bits should show the maximum of possible permissions.

This is also consistent with the ACL proposal in DS17. If there are ACL_USER or
ACL_GROUP entries, the ACL_MASK object (which then replaces the group file mode
permissions) specifies the maximum possible permissions any group or named user
gets.

I see one problem with using the `+' character: If it's used for anything other
than Posix ACLs, it doesn't tell you which tool to use to see the additional
permissions.
So perhaps AFS, NTFS, etc. should each use a different character?
Alternatively, we could make getfacl/setfacl handle all those filesystems.

> I'm not sure if pathconf is the best way to do this, but I can't really
> think of anything better at this point. The only thing that came to mind,
> that I suggested in private email to you, was adding an additional stat
> bit that indicates whether or not the mode returned by the stat bit
> accurately reflects the permissions of the file.

This was rejected in Posix1e (see Section B.5.6.2).

> S_PRMOD -- ``File mode is a poor representation of real file DAC labels''

The problem that still remains is that utilities that rely on the file mode
permission bits may open security holes. For example, if open(file,
O_CREAT|O_EXCL, 0600) grants permissions to anybody other than the owner, Unix
utilities will become broken.

It's a pain ls doesn't show whether a file is associated with CAP or MAC.
Maybe we should add an option to GNU ls?

Andreas
------------------------------------------------------------------------
Andreas Gruenbacher, a.gruenbacher at computer.org
Contact information: http://www.bestbits.at/~agruenba
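
Added example, not part of the original message or of any ACL implementation: a small C model of the ACL_MASK rule discussed in the thread, showing that the group file mode bits are an upper bound on what named users and groups effectively get. The struct layout, the function names and the `true_mode` return values are assumptions made for illustration; `true_mode` only models the semantics proposed for `_POSIX_TRUE_MODE`.

```c
#include <stdio.h>
#include <stddef.h>

/* Tag names follow POSIX.1e draft 17; this is a model, not libacl. */
enum tag { ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER };
struct entry { enum tag tag; unsigned id; unsigned perm; };  /* perm: rwx as 0-7 */

/* Permissions of the first entry with this tag, or -1 if absent. */
static int find_perm(const struct entry *acl, size_t n, enum tag tag) {
    for (size_t i = 0; i < n; i++)
        if (acl[i].tag == tag) return (int)acl[i].perm;
    return -1;
}

/* Mode bits as stat() reports them: group bits carry ACL_MASK when present. */
unsigned mode_from_acl(const struct entry *acl, size_t n) {
    int mask = find_perm(acl, n, ACL_MASK);
    int grp = mask >= 0 ? mask : find_perm(acl, n, ACL_GROUP_OBJ);
    return ((unsigned)find_perm(acl, n, ACL_USER_OBJ) << 6) | ((unsigned)grp << 3)
         | (unsigned)find_perm(acl, n, ACL_OTHER);
}

/* Effective permissions: named users and all groups are ANDed with the mask. */
unsigned effective(const struct entry *acl, size_t n, const struct entry *e) {
    int mask = find_perm(acl, n, ACL_MASK);
    if (mask < 0 || e->tag == ACL_USER_OBJ || e->tag == ACL_OTHER || e->tag == ACL_MASK)
        return e->perm;
    return e->perm & (unsigned)mask;
}

/* Hypothetical model of the proposed query: 0 exact, 1 superset, -1 rule broken. */
int true_mode(const struct entry *acl, size_t n) {
    unsigned grp = (mode_from_acl(acl, n) >> 3) & 7;
    int inexact = 0;
    for (size_t i = 0; i < n; i++) {
        enum tag t = acl[i].tag;
        if (t != ACL_USER && t != ACL_GROUP_OBJ && t != ACL_GROUP) continue;
        unsigned eff = effective(acl, n, &acl[i]);
        if (eff & ~grp) return -1;   /* an entry exceeds the group mode bits */
        if (eff != grp) inexact = 1; /* group bits overstate this entry */
    }
    return inexact;
}

/* Constructed samples: owner rw-, user 1001 rwx, group r--, mask r-x, other ---. */
const struct entry sample[] = { {ACL_USER_OBJ, 0, 6}, {ACL_USER, 1001, 7},
    {ACL_GROUP_OBJ, 0, 4}, {ACL_MASK, 0, 5}, {ACL_OTHER, 0, 0} };
const struct entry plain[] = { {ACL_USER_OBJ, 0, 6}, {ACL_GROUP_OBJ, 0, 4}, {ACL_OTHER, 0, 0} };

int main(void) {
    printf("%04o true_mode=%d\n", mode_from_acl(sample, 5), true_mode(sample, 5));
    return 0;
}
```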