kernel-packages team mailing list archive

[Bug 1081502] Re: posix acl permissions evaluated wrongly with null mask


András Korn, this bug was reported a while ago and there hasn't been any
activity in it recently. We were wondering if this is still an issue? If
so, could you please test for this with the latest development release
of Ubuntu? ISO images are available from
http://cdimage.ubuntu.com/daily-live/current/ .

If it remains an issue, could you please run the following command in
the development release from a Terminal
(Applications->Accessories->Terminal), as it will automatically gather
and attach updated debug information to this report:

apport-collect -p linux <replace-with-bug-number>

If reproducible, could you also please test the latest upstream kernel available (not the daily folder) following https://wiki.ubuntu.com/KernelMainlineBuilds ? It will allow additional upstream developers to examine the issue. Once you've tested the upstream kernel, please comment on which kernel version specifically you tested. If this bug is fixed in the mainline kernel, please add the following tags:

where VERSION-NUMBER is the version number of the kernel you tested. For example:

This can be done by clicking on the yellow circle with a black pencil icon next to the word Tags located at the bottom of the bug description. As well, please remove the tag:

If the mainline kernel does not fix this bug, please add the following tags:

As well, please remove the tag:

Once testing of the upstream kernel is complete, please mark this bug's
Status as Confirmed. Please let us know your results. Thank you for your

** Changed in: linux (Ubuntu)
       Status: Confirmed => Incomplete

You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.

  posix acl permissions evaluated wrongly with null mask

Status in “linux” package in Ubuntu:
Status in “linux” package in Debian:

Bug description:

  According to my experience, the Linux kernel access control evaluates
  POSIX ACLs wrongly when the mask is null (mask::---).

  Let's see an example:
  root@bar:~# getfacl /tmp/test 
  getfacl: Removing leading '/' from absolute path names
  # file: tmp/test
  # owner: root
  # group: root
  group::r--                      #effective:---

  As we can see, the foo user hasn't got any rights on the test file and the mask is zero.
  Let's try to read the file as the foo user:
  foo@bar:~$ cat /tmp/test


  According to the documentation (man acl) user foo cannot access the file:
  "     2.   else if the effective user ID of the process matches the qualifier of any entry of type ACL_USER, then
                if the matching ACL_USER entry and the ACL_MASK entry contain the requested permissions, access is granted,
                else access is denied."

  If I change the mask entry to something else:
  root@bar:~# getfacl /tmp/test 
  getfacl: Removing leading '/' from absolute path names
  # file: tmp/test
  # owner: root
  # group: root
  group::r--                      #effective:---

  the foo user cannot read the file:
  foo@bar:~$ cat /tmp/test 
  cat: /tmp/test: Permission denied

  I tested with ext4 and tmpfs with the same result. I also tested on a
  Solaris 9 machine where the permissions work as expected.

  System info:
  Description:    Ubuntu 12.04.1 LTS
  Release:        12.04

    Installed: 2.2.51-5ubuntu1
    Candidate: 2.2.51-5ubuntu1
    Version table:
   *** 2.2.51-5ubuntu1 0
          500 http://hu.archive.ubuntu.com/ubuntu/ precise/main i386 Packages
          100 /var/lib/dpkg/status

  Linux bar 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC
  2012 i686 i686 i386 GNU/Linux

  Thank you for your time and I hope you can find the source of this issue.
  ApportVersion: 2.0.1-0ubuntu13
  Architecture: i386
  DistroRelease: Ubuntu 12.04
  InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release i386 (20120423)
  Package: linux
  PackageArchitecture: i386
  ProcVersionSignature: Ubuntu 3.2.0-29.46-generic-pae 3.2.24
  Tags:  precise
  Uname: Linux 3.2.0-29-generic-pae i686
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo

To manage notifications about this bug go to:
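
The access check quoted from man acl in the bug description, written out as an added example (not part of the original report and not the kernel's code) so the documented result can be compared with what a system actually does. The getfacl output in the report shows only the group:: entry, so the user::, user:foo:, mask:: and other:: lines in the sample are constructed assumptions.

```python
# Added example: the acl(5) access check, run over getfacl-style text.
PERM_BITS = {"r": 4, "w": 2, "x": 1}
TAGS = ("user", "group", "mask", "other")

def parse_acl(text):
    """Return (owner, group, entries); entries are (tag, qualifier, bits)."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        else:
            parts = line.split("#")[0].strip().split(":")  # drop "#effective:" note
            if len(parts) == 3 and parts[0] in TAGS:
                bits = sum(PERM_BITS.get(c, 0) for c in parts[2])
                entries.append((parts[0], parts[1], bits))
    return owner, group, entries

def acl_allows(text, user, groups, want):
    """True if the documented algorithm grants `want` (e.g. "r") to `user`."""
    owner, group, entries = parse_acl(text)
    need = sum(PERM_BITS[c] for c in want)
    ok = lambda bits: bits & need == need
    find = lambda tag, qual="": [b for t, q, b in entries if t == tag and q == qual]
    mask = find("mask")
    mask_ok = not mask or ok(mask[0])
    if user == owner:                      # step 1: ACL_USER_OBJ, mask not applied
        return ok(find("user")[0])
    named = find("user", user)
    if named:                              # step 2: ACL_USER and ACL_MASK
        return ok(named[0]) and mask_ok
    matching = [b for t, q, b in entries if t == "group" and (q or group) in groups]
    if matching:                           # step 3: group class, limited by mask
        return any(ok(b) for b in matching) and mask_ok
    return ok(find("other")[0])            # step 4: ACL_OTHER

# Constructed sample: only the header and group:: line appear in the report;
# the user::, user:foo:, mask:: and other:: entries are assumptions.
SAMPLE = """\
# file: tmp/test
# owner: root
# group: root
user::rw-
user:foo:---
group::r--                      #effective:---
mask::---
other::r--
"""
```

Under the documented algorithm, foo is denied read access for either mask value, because the matching user:foo:--- entry is decisive and the other:: entry is never consulted.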