Sunday, September 4, 2011

How do ACL and mask work in Linux?

■ Requirement : Details on ACL & MASK
■ OS Environment : Linux, RHEL, Centos
■ Resolution : 

       When a directory carries a default ACL, files and subdirectories created inside it inherit it, but the inherited entries are not the whole story: the mode requested by the creating program is applied on top of them, and that happens at kernel level. *touch* (like most programs that create regular files) passes mode 0666 to the *open* system call, while *mkdir* passes mode 0777 to the *mkdir* system call. Without a default ACL the kernel simply subtracts the umask from that mode. With a default ACL the umask is ignored; instead the requested mode is intersected with the inherited entries: the owner bits with user::, the group bits with the mask (which is what limits the *effective* permission of the named users and groups we pass to setfacl), and the other bits with other::. Because 0666 contains no execute bit, a new file never receives execute permission through a default ACL, whereas a new subdirectory, created with 0777, inherits the full rwx. Only if the creating program asked for 0777, 0766 or 0776 would a file end up with execute permission for everyone (u+g+o), for the owner only (u), or for owner and group (u+g) respectively. I am going to show this with some examples:

1. Case 1 (umask only, file)

Suppose we have a paranoid user who doesn't want anybody else to read his files, ever. He has set his umask to 077. Here's what we see in that case:

$ umask 077; strace -eopen touch testfile 2>&1 | tail -1; ls -l testfile

open("testfile", O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0666) = 3
-rw-------. 1 root root 0 Sep 4 15:25 testfile

Here *touch* doesn't care what the umask is. It just calls open with the desired permissions of 0666, and the kernel applies the umask. Our umask in this case is 0077, or ---rwxrwx, so those are the permission bits we cross out. All that's left is rw- for the owner; the group and other permissions are all taken away, and we end up with rw------- (0600).

2. Case 2 (umask only, directory)

The same concepts apply to directories. The only real difference is that directories are created with execute permissions by default (0777 instead of 0666). Let's take a look at this:

$ umask 022; strace -emkdir mkdir testdir; ls -ld testdir
mkdir("testdir", 0777) = 0
drwxr-xr-x. 2 root root 4096 Sep 4 15:26 testdir

There are a few new things in this example, so let's take them one at a time. The first is that we used the mkdir command, which in turn used the mkdir system call, so we told strace to show us just that system call. Next, we see that mkdir (the command) told the kernel to mkdir (the system call) this directory with mode 0777 (which would be rwxrwxrwx). But the kernel took away the umask's bits, so we ended up with rwxr-xr-x (0755).

3. Case 3 (applying a default ACL)

Let's apply a default ACL to the directory hello and see how a file and a subdirectory created inside it get their permissions. Only the getfacl entries of interest are reproduced below; the full output also lists the user::, other:: and mask:: entries.

$  strace -s 128 -fvTttto luv setfacl -m d:u:tgfurnish:rwx,u:tgfurnish:rwx hello
$ getfacl --all-effective hello
# file: hello
# owner: root
# group: root
user:tgfurnish:rwx #effective:rwx
group::r-x #effective:r-x
default:user:tgfurnish:rwx #effective:rwx
default:group::r-x #effective:r-x

Let's create a file inside the hello directory:

$ strace -s 128 -fvTttto luvly touch hello/hii
$ getfacl --all-effective hello/hii
# file: hello/hii
# owner: root
# group: root
user:tgfurnish:rwx #effective:rw-
group::r-x #effective:r--

$ less luvly | grep open | tail -1
8721 1315131118.682518 open("hello/hii", O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0666) = 3 <0.000184>

$ umask

       Here too the kernel was handed mode 0666 by touch. We might have expected the mask, and with it the effective permission of tgfurnish, to be rwx on the file as it is on the directory, but it came out as rw-: the inherited mask rwx was intersected with the group bits of 0666, which are rw-. Note that the umask was not involved at all; once a directory has a default ACL, the kernel ignores the umask for objects created in it. That is also why I did not pass a mask entry to setfacl: setfacl computes the mask from the group and named entries, and on a new file it is clipped by the requested mode anyway. So, let's make a summary:

1. A file created under a default ACL never gets execute permission from it, whatever the ACL entries, the mask or the umask say: open passes 0666, so the inherited mask (and with it every effective permission) is clipped to rw- at most.
2. A subdirectory does get execute permission, because mkdir passes 0777 and the inherited rwx survives the intersection (what it ends up with depends on the default mask).
3. If a file under such a directory must be executable, the permission has to be set afterwards with chmod. On a file with an ACL, chmod rewrites the mask entry rather than group::, so chmod g+x raises the mask and restores the effective rwx of the named users. A shell script that does this, run as a cron job, is one way to automate it.
4. The flip side is a security caveat: inside a directory with a default ACL the umask gives no protection. The paranoid user of case 1 gets whatever the default ACL grants on the files he creates there (rw- to tgfurnish in our example), however restrictive his umask; only the default ACL entries themselves limit what is handed out.
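To make these rules concrete, here is an added example (written for this page, not code from the original post or from the kernel) that models the two kernel routines involved, posix_acl_create() and posix_acl_chmod(), on a small in-memory ACL and replays the cases above: the umask-only creations of cases 1 and 2, the default ACL of case 3 applied to a touch and a mkdir, and the chmod fix from the summary. The default ACL of hello is reconstructed as user::rwx, user:tgfurnish:rwx, group::r-x, mask::rwx, other::r-x, which is what that setfacl command leaves on a 0755 directory; that reconstruction is an assumption, as the post only shows part of the listing. The example also shows that a umask of 077 changes nothing once a default ACL is present.

```c
#include <stdio.h>

enum tag { USER_OBJ, USER, GROUP_OBJ, GROUP, MASK, OTHER };   /* POSIX.1e entry types */
struct entry { enum tag tag; const char *who; unsigned perm; }; /* perm: r=4 w=2 x=1 */
struct acl   { struct entry e[16]; int n; };

static void add(struct acl *a, enum tag t, const char *who, unsigned perm)
{ struct entry *e = &a->e[a->n++]; e->tag = t; e->who = who; e->perm = perm; }

static struct entry *find(struct acl *a, enum tag t)
{ for (int i = 0; i < a->n; i++) if (a->e[i].tag == t) return &a->e[i]; return NULL; }

/* Constructed (an assumption, not from the post): the default ACL that
 * "setfacl -m d:u:tgfurnish:rwx,u:tgfurnish:rwx hello" leaves on a 0755
 * directory; setfacl sets mask:: to group:: OR-ed with the named entries. */
static struct acl hello_default(void)
{
    struct acl a = {0};
    add(&a, USER_OBJ,  NULL,        7);   /* user::rwx          */
    add(&a, USER,      "tgfurnish", 7);   /* user:tgfurnish:rwx */
    add(&a, GROUP_OBJ, NULL,        5);   /* group::r-x         */
    add(&a, MASK,      NULL,        7);   /* mask::rwx          */
    add(&a, OTHER,     NULL,        5);   /* other::r-x         */
    return a;
}

/* Model of the kernel's posix_acl_create(). req_mode is what the creating
 * syscall asked for (0666 from open(2) in touch, 0777 from mkdir(2));
 * dflt->n == 0 means "no default ACL on the parent". Fills *out with the
 * new inode's access ACL and returns its permission bits. */
static unsigned create_inode(const struct acl *dflt, unsigned req_mode,
                             unsigned umask, struct acl *out)
{
    unsigned mode = req_mode & 0777;
    if (dflt->n == 0) {                        /* classic: mode & ~umask */
        out->n = 0;
        return mode & ~umask;
    }
    /* Default ACL present: the umask is not consulted at all. user::, the
     * mask (group:: if there is none) and other:: are ANDed with the
     * matching bits of req_mode; named entries are copied unchanged. */
    *out = *dflt;
    struct entry *uo = find(out, USER_OBJ), *ot = find(out, OTHER);
    struct entry *gc = find(out, MASK) ? find(out, MASK) : find(out, GROUP_OBJ);
    uo->perm &= (mode >> 6) & 7;
    gc->perm &= (mode >> 3) & 7;
    ot->perm &=  mode       & 7;
    return (uo->perm << 6) | (gc->perm << 3) | ot->perm;
}

/* What an entry really grants: the #effective column of getfacl. */
static unsigned effective(struct acl *a, const struct entry *e)
{
    struct entry *mk = find(a, MASK);
    if (mk && (e->tag == USER || e->tag == GROUP || e->tag == GROUP_OBJ))
        return e->perm & mk->perm;
    return e->perm;
}

/* Model of posix_acl_chmod(): on an inode with a mask, chmod rewrites user::,
 * mask:: and other:: from the mode bits and leaves group:: alone, so
 * "chmod g+x" raises the mask and hands the named user its x bit back. */
static void chmod_acl(struct acl *a, unsigned mode)
{
    struct entry *gc = find(a, MASK) ? find(a, MASK) : find(a, GROUP_OBJ);
    find(a, USER_OBJ)->perm = (mode >> 6) & 7;
    gc->perm                = (mode >> 3) & 7;
    find(a, OTHER)->perm    =  mode       & 7;
}

static const char *rwx(unsigned p)              /* 6 -> "rw-" */
{
    static char s[4] = "---";
    s[0] = p & 4 ? 'r' : '-'; s[1] = p & 2 ? 'w' : '-'; s[2] = p & 1 ? 'x' : '-';
    return s;
}

static void report(const char *what, struct acl *a, unsigned mode)
{
    printf("%-27s mode %04o", what, mode);
    if (a->n) {                    /* one rwx() per printf: it has a static buffer */
        printf("  mask %s", rwx(find(a, MASK)->perm));
        printf("  user:tgfurnish effective %s", rwx(effective(a, find(a, USER))));
    }
    putchar('\n');
}

int main(void)
{
    struct acl none = {0}, f, d, dflt = hello_default();
    report("case 1: umask 077, touch", &f, create_inode(&none, 0666, 077, &f));
    report("case 2: umask 022, mkdir", &d, create_inode(&none, 0777, 022, &d));
    /* case 3: the same paranoid umask 077, but now inside hello */
    report("touch hello/hii, umask 077", &f, create_inode(&dflt, 0666, 077, &f));
    report("mkdir hello/sub, umask 022", &d, create_inode(&dflt, 0777, 022, &d));
    chmod_acl(&f, 0775);                   /* the summary's fix: chmod 775 hello/hii */
    report("hello/hii after chmod 775", &f, 0775);
    return 0;
}
```

Compile with `cc -std=c99 -Wall acl_model.c && ./a.out` (the file name is arbitrary). The file created under hello comes out 0664 with mask rw- and tgfurnish effective rw- although the umask was 077, the subdirectory comes out 0775 with everything rwx, and chmod 775 on the file lifts the mask to rwx without touching group::, which is exactly what getfacl reports on a real ext4 or xfs directory with that default ACL.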
