wjw@eba.eb.ele.tue.nl (Willem Jan Withagen) (01/09/91)
I've got this directory /usr/local/include which has some extra ACL's
appended. Now it functions as I expect it would, so there's no problem
there.
However the Unix rights do not really make sense. Why do they have rwx for
the world whilst they do not have it? (:-))
Now you can do chmod 775 to the directory, but then the extended mask gets
reset to r-x.
As a consequence the user wjw.staff.none is not allowed to create anything
in /usr/local/include.
Despite the fact that user 'wjw' is also member of the group 'local'!

wjw@eba > ls -lasg /usr/local
total 27
   1 drwxrwxrwx+  1 root     local        1024 Jan  9 13:54 .
   4 drwxrwxr-x   1 root     staff        4096 Dec 20 16:07 ..
   1 drwxrwxrwx+  1 root     local        1024 Jan  9 13:19 include
wjw@eba >

Acl for /usr/local/include:
Required entries
 root.%.%          prwx-
 %.local.%         -rwx-
 %.%.none          [ignored]
 %.%.%             -r-x-
Extended entry rights mask:  prwx-
Extended entries
 wjw.staff.none    prwx-

There are probably good reasons for this, but I don't understand them.
Can anybody enlighten me?

Thanx,
Willem Jan Withagen.

Eindhoven University of Technology    DomainName: wjw@eb.ele.tue.nl
Digital Systems Group, Room EH 10.10  BITNET: ELEBWJ@HEITUE5.BITNET
P.O. 513                              Tel: +31-40-473401
5600 MB Eindhoven
The Netherlands

mmuegel@camdev.comm.mot.com (Mike "Happy" Muegel) (01/10/91)
In article <1030@eba.eb.ele.tue.nl> wjw@eba.eb.ele.tue.nl (Willem Jan Withagen) writes:
>I've got this directory /usr/local/include which has some extra ACL's
>appended. Now it functions as I expect it would, so there's no problem
>there.
>However the Unix rights do not really make sense. Why do they have rwx for
>the world whilst they do not have it? (:-))

The "world" field that is displayed using /bin/ls shows the logical OR of
the rights given to world and the extended entry mask.

>Now you can do chmod 775 to the directory, but then the extended mask gets
>reset to r-x.
>As a consequence the user wjw.staff.none is not allowed to create anything
>in /usr/local/include.
>Despite the fact that user 'wjw' is also member of the group 'local'!

Once you apply chmod, the extended ACLs, while not blown away, are not
usable. Now about the group stuff, are you using BSD or SYS5? More
information is needed to debug this problem (e.g. what does the user's
/etc/environ and ~/.environ look like). I am sure you just need to set the
SYSTYPE and ENVIRONMENT variables in either of the above mentioned files
and all will work fine if you are using BSD and have the registry set to
use project lists for the group "local."

-Mike

--
+-----------------------------------------------------------------------------+
| Mike Muegel                              | Internet: mmuegel@mot.com        |
| Software Tools Engineer                  | UUCP: uunet!motcid!muegel        |
| Fort Worth Research & Development Center | Voice: (817) 232-6129            |
| Cellular Infrastructure Group            | Fax: (817) 232-6081              |
| Radio Telephone and Systems Group        | Mail: 5555 North Beach St.       |
| Motorola, Inc.                           |       Fort Worth, TX 76137       |
+-----------------------------------------------------------------------------+

dbfunk@ICAEN.UIOWA.EDU (David B Funk) (01/10/91)
In posting <1030@eba.eb.ele.tue.nl>, Willem Jan Withagen asks:
> I've got this directory /usr/local/include which has some extra ACL's
> appended. Now it functions as I expect it would, so there's no problem
> there.
> However the Unix rights do not really make sense. Why do they have rwx for
> the world whilst they do not have it? (:-))
> Now you can do chmod 775 to the directory, but then the extended mask gets
> reset to r-x.
[stuff deleted showing an example ACL]
> There are probably good reasons for this, but I don't understand them.
> Can anybody enlighten me?

Yes, check out appendix A in the file "os.v.10.?__transition_guide".
You should be able to find it in the directory "/install/doc/apollo" where
the OS release notes are put by install. In particular, look at the part
that talks about the effect of a "chmod" on the extended ACL mask and the
part that explains the ACL search order (around pages A-5 to A-7).
There is a version of this file included with each release of the OS,
such as os.v.10.1__transition_guide, os.v.10.2__transition_guide, etc.
The versions that came with sr10.2 and later are better than sr10.1 and
older.

The bottom line is when you use the extra power of the ACL, you are
using more protection information than can be presented by the "stat" Unix
call. Therefore the "stat" call must either UNDER present the real state of
the world, or OVER present it. Pre-sr10, Apollo chose the under-present
philosophy (IE the old what-they-don't-know-won't-hurt-them idea) but
Apollo got lots of abuse for not "telling-it-like-it-is". So at sr10, they
changed to the over-present philosophy and now you see the "funny" extra
stuff in an "ls -l".

There is a chapter (6) in the book "Domain/OS Design Principles" that
describes how this works and some of the decisions behind the
implementation.

Dave Funk

wjw@eba.eb.ele.tue.nl (Willem Jan Withagen) (01/11/91)
In article <324@camdev.comm.mot.com?> mmuegel@camdev.comm.mot.com (Mike "Happy" Muegel) writes:
>In article <1030@eba.eb.ele.tue.nl> wjw@eba.eb.ele.tue.nl (Willem Jan Withagen) writes:
>>I've got this directory /usr/local/include which has some extra ACL's
>>appended. Now it functions as I expect it would, so there's no problem
>>there.
>>However the Unix rights do not really make sense. Why do they have rwx for
>>the world whilst they do not have it? (:-))

As most others have told me, this is a case of RTFM. :{

In the guide about making the transition to SR10 some attention is devoted
to this subject. There is also extra material in the release notes in
//AA/install/doc/apollo.....

But what it simply boils down to is that the access rights are ordered with
the most specific rights first. (Extended ACLs are very specific.)
And the user gets the rights which go with the first match. If that is an
extended ACL then the extended mask is applied. The resulting rights are
then used as YOUR rights.

So in my case wjw.staff.none is more specific, so %.local.% is ignored,
and I get the rights going with wjw.staff.none ORed with the extended mask.

Sorry,
Willem Jan Withagen.

Eindhoven University of Technology    DomainName: wjw@eb.ele.tue.nl
Digital Systems Group, Room EH 10.10  BITNET: ELEBWJ@HEITUE5.BITNET
P.O. 513                              Tel: +31-40-473401
5600 MB Eindhoven
The Netherlands
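
The evaluation order discussed in this thread, as an added Python model (not Apollo code and not written by any of the posters), run against the ACL from the first post. Assumptions: entries are ranked person, then group, then org; the extended mask limits an extended entry by intersection, as the chmod 775 observation in the first post implies; membership of 'local' arrives through a supplementary group list; the SID jan.staff.none in the test is constructed.

```python
# Added model of the ACL evaluation described in this thread; not Apollo code.
RIGHTS = "prwx"

def parse(r):
    """'prwx-' / '-r-x-' -> set of right letters."""
    return {c for c in r if c in RIGHTS}

def matches(entry_sid, sid, groups):
    """Match person.group.org against a process SID; '%' is a wildcard.
    Assumption: supplementary groups (BSD project list) also match."""
    person, group, org = entry_sid.split(".")
    p, g, o = sid.split(".")
    return (person in ("%", p)
            and (group == "%" or group == g or group in groups)
            and org in ("%", o))

def specificity(entry_sid):
    """Assumed ordering: a named person outranks a named group, then org."""
    return tuple(f != "%" for f in entry_sid.split("."))

def effective_rights(acl, sid, groups=()):
    """First match wins, most specific entry first; extended entries are
    limited by the extended rights mask (assumed to be an intersection)."""
    entries = [(s, r, False) for s, r in acl["required"]]
    entries += [(s, r, True) for s, r in acl["extended"]]
    entries.sort(key=lambda e: specificity(e[0]), reverse=True)
    for entry_sid, rights, extended in entries:
        if matches(entry_sid, sid, groups):
            granted = parse(rights)
            return granted & parse(acl["mask"]) if extended else granted
    return set()

def ls_world_bits(acl):
    """World field as ls shows it: world rights OR the extended mask."""
    world = dict(acl["required"])["%.%.%"]
    shown = (parse(world) | parse(acl["mask"])) - {"p"}
    return "".join(c if c in shown else "-" for c in "rwx")

# ACL for /usr/local/include as posted; '%.%.none [ignored]' is left out.
ACL = {"required": [("root.%.%", "prwx-"), ("%.local.%", "-rwx-"),
                    ("%.%.%", "-r-x-")],
       "mask": "prwx-",
       "extended": [("wjw.staff.none", "prwx-")]}
AFTER_CHMOD_775 = dict(ACL, mask="-r-x-")   # chmod 775 resets the mask to r-x

if __name__ == "__main__":
    for name, acl in (("before", ACL), ("after chmod 775", AFTER_CHMOD_775)):
        r = effective_rights(acl, "wjw.staff.none", groups=("local",))
        print(name, ls_world_bits(acl), "".join(sorted(r)))
```

When auditing a directory like this one, compare the evaluated rights per user against the ls mode string, since the world field over-presents whenever the mask is wider than the world entry.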