[fuse-devel] ACL mask problem

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi

I have a problem with unionfs fuse and default ACLs
http://podgorny.cz/moin/UnionFsFuse

/mnt/media is mounted with unionfs

$ umask
0022

$ getfacl /mnt/media
getfacl: Removing leading '/' from absolute path names
# file: mnt/media
# owner: mattias
# group: mattias
user::rwx
group::rwx
group:admin:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:admin:rwx
default:mask::rwx
default:other::r-x

$ mkdir /mnt/media/test
$ getfacl /mnt/media/test
getfacl: Removing leading '/' from absolute path names
# file: mnt/media/test
# owner: mattias
# group: mattias
user::rwx
group::r-x
group:admin:rwx #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:admin:rwx
default:mask::rwx
default:other::r-x

If do the same operation directly on one of the paths in the union:

$ mkdir /mnt/media/test
$ getfacl /mnt/h500-1/media/test
getfacl: Removing leading '/' from absolute path names
# file: mnt/h500-1/media/test
# owner: mattias
# group: mattias
user::rwx
group::r-x
group:admin:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:admin:rwx
default:mask::rwx
default:other::r-x

As you see the mask end up different, resulting in that the group admin will
not have write access.

In the non-unionfs case the mkdir call is:
mkdir("/mnt/h500-1/media/test", 0777)
in the unionfs case the mkdir call done by unionfs is
mkdir("/mnt/h500-1/media/test", 0755)
That is of cause because fuse gets the already umask stripped mode
from the kernel.

Quoting http://www.novell.com/documentation/suse91/suselinux-adminguide/html/apbs03.html
"If a default ACL exists for the parent directory, the permission bits
assigned to the new object correspond to the overlapping portion of the
permissions of the mode parameter and those that are defined in the
default ACL. The umask is disregarded in this case."

So how can one solve this? currently the only solution i can come up
with is to pass the original unstripped mode and the process umask to
the userland filesystem. This would allow it to implement something
similar, check if there exist a default ACL for the target and then
use the original mask instead.

Please include my address when replying, im not subscribed to the list.

-Mattias