oddities in interference of linux extened ACLs and 'regular' permissions

Posted by abbot on Server Fault See other posts from Server Fault or by abbot
Published on 2010-06-07T19:40:08Z Indexed on 2010/06/07 19:53 UTC
Read the original article Hit count: 267

Filed under:

linux

|

permissions

|

acl

I've got some legacy code which checks that some file is read-only and readable only by it's owner, i.e. permissions set to 0400. I also need to give read-only access to this file to some other user on the system. I'm trying to set extended ACLs, but this changes 'regular' permission bits in a strange way also:

$ ls -l hostkey.pem 
-r-------- 1 root root 0 Jun  7 23:34 hostkey.pem
$ setfacl -m user:apache:r hostkey.pem 
$ getfacl hostkey.pem 
# file: hostkey.pem
# owner: root
# group: root
user::r--
user:apache:r--
group::---
mask::r--
other::---

$ ls -l hostkey.pem 
-r--r-----+ 1 root root 0 Jun  7 23:34 hostkey.pem

And after this the legacy code starts complaining that the file is group-readable (while it is actually not!)

Is it possible to set the extended ACLs in such a way that some other user will also have read-only access, while the file will appear to have only 0400 'regular' permissions?

© Server Fault or respective owner

Related posts about linux

apt-get install and update fail

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I've got a problem with apt-get update and apt-get install ... commands . every time update or installing fails and errors are : Get:1 http://dl.google.com stable Release.gpg [198B] Ign http://dl.google.com/linux/chrome/deb/ stable/main Translation-en_US Get:2 http://dl… >>> More
kernel module compiling error

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
sh@ubuntu:/home/ccpp/helloworld$ make gcc-4.6 -O2 -DMODULE -D_KERNEL_ -W -Wall -Wstrict-prototypes -Wmissing-prototypes -isystem /lib/modules/`uname -r`/build/include -c -o hello-1.o hello-1.c hello-1.c:4:0: warning: "MODULE" redefined [enabled by default] <command-line>:0:0: note: this is… >>> More
Build-Essentials installation failing

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I am having trouble accessing the several critical header files that show to be a part of the build process. The "Ubuntu Software Center" shows "Build Essentials" as installed: Next I did the following two commands, which did not improve the problem: ~$ sudo apt-get install build-essential [sudo]… >>> More
Updating Debian kernel

as seen on Super User - Search for 'Super User'
I'm trying to update my Debian machine to 2.6.32-46 (which is the new stable). However, after doing apt-get update my apt-cache search linux-image shows me: linux-headers-2.6.32-5-486 - Header files for Linux 2.6.32-5-486 linux-headers-2.6.32-5-686-bigmem - Header files for Linux 2.6.32-5-686-bigmem linux-headers-2… >>> More
Serial connection over a single USB cable (Windows to linux, or linux to linux)

as seen on Server Fault - Search for 'Server Fault'
I'm helping out with a project for an embedded device that only has USB and no serial. This device is running Linux. These days, when we need to connect to a serial port on a device we typically use a USB to serial adapter (on something like a phone system or a load balancing device, etc). I would… >>> More

Related posts about permissions

Mailman Error / Cpanel

as seen on Server Fault - Search for 'Server Fault'
Mailman is giving off this error when any changes are made to the list: ======================= Bug in Mailman version 2.1.14 We're sorry, we hit a bug! Please inform the webmaster for this site of this problem. Printing of traceback and other system information has been explicitly… >>> More
NTFS Permissions - Correct combinations of special access permissions

as seen on Server Fault - Search for 'Server Fault'
What would be the correct combination of NTFS special access permissions to allow an AD group (Authenticated Users) to copy files to a share, but after copying no one in the AD group should be allowed to edit, overwrite, rename, or delete the file? The AD group should also be able to copy files from… >>> More
FTP, permissions: I cannot see permissions but I can change them

as seen on Super User - Search for 'Super User'
hi, I'm browsing a server with my ftp client. When I try to get the information about a folder, I cannot see the permissions (all rwx checkboxes are uncecked). If i try to check one of it, the opeartion is succesfull (I don't get any error), but then when I come back it is again unchecked. What… >>> More
Snow Leopard doesn't repair permissions, despite showing / saying its fixed them?

as seen on Super User - Search for 'Super User'
Sometime ago, I used carbon copy as I was replacing my hard drive in my Mac Mini running Snow Leopard. Afterwards, on my new drive I had some permission problems. I've tried several times running a repair permissions / repair disk from disk util. It shows that there are problems and I think it says… >>> More
IIS Permissions or NTFS Permissions?

as seen on Pro Webmasters - Search for 'Pro Webmasters'
I currently have a Windows Server 2003 setup to serve multiple sites via IIS. One of our directories needs to allow access to only 1 specific AD Security Group. I know there are two ways to accomplish this. One is using IIS to add permissions and the other is to set permissions on the folder/directory… >>> More