On Sun, 2008-11-02 at 20:48 +0000, Andrew Gideon wrote:
> As you'll see below, -A yields the same results:
>
>
> [root@house0 t]# getfacl f1 f2
> # file: f1
> # owner: adm
> # group: sys
> user::r-x
> group::r-x
> mask::r-x
> other::r-x
>
> getfacl: f2: No such file or directory
> [root@house0 t]# rsync -aA -v --itemize-changes f1 f2
> sending incremental file list
> >f+++++++++ f1
>
> sent 77 bytes received 31 bytes 216.00 bytes/sec
> total size is 0 speedup is 0.00
> [root@house0 t]# getfacl f1 f2
> # file: f1
> # owner: adm
> # group: sys
> user::r-x
> group::r-x
> mask::r-x
> other::r-x
>
> # file: f2
> # owner: adm
> # group: sys
> user::r-x
> group::r-x
> other::r-x
>
> [root@house0 t]#
>
> As far as I can tell, this is somehow the result of the
> particular ACL state of f1. If I tweak it slightly, all
> works as one would expect. For example:
>
> [root@house0 t]# setfacl -m u:andrew:r-x f1
> [root@house0 t]# getfacl f1 f2
> # file: f1
> # owner: adm
> # group: sys
> user::r-x
> user:andrew:r-x
> group::r-x
> mask::r-x
> other::r-x
>
> getfacl: f2: No such file or directory
> [root@house0 t]# rsync -aA -v --itemize-changes f1 f2
> sending incremental file list
> >f+++++++++ f1
>
> sent 88 bytes received 31 bytes 238.00 bytes/sec
> total size is 0 speedup is 0.00
> [root@house0 t]# getfacl f1 f2
> # file: f1
> # owner: adm
> # group: sys
> user::r-x
> user:andrew:r-x
> group::r-x
> mask::r-x
> other::r-x
>
> # file: f2
> # owner: adm
> # group: sys
> user::r-x
> user:andrew:r-x
> group::r-x
> mask::r-x
> other::r-x


Ah. Rsync seems to be dropping a mask entry when there are no named
user or group entries. That's not an unreasonable thing to do on a
system that does not require a mask, and I think the idea was to avoid
receiving superfluous masks from a system that does require them. I
guess one could still make the argument that the ACLs should be copied
exactly.

I found a bigger problem: rsync seems to use the mask permissions as the
group permissions, potentially granting undesired access. To see this,
run the following:

setfacl -k .
umask 0077
touch srcfile
setfacl -m m::r-- srcfile
rsync -A srcfile destfile
getfacl srcfile destfile

I get these results (on Linux):

# file: srcfile
# owner: matt
# group: matt
user::rw-
group::---
mask::r--
other::---

# file: destfile
# owner: matt
# group: matt
user::rw-
group::r--
other::---

Fixing this in a way that works with all combinations of mask-requiring
and non-mask-requiring systems will take some care. We discussed
similar issues a while ago:

http://lists.samba.org/archive/rsync...er/016400.html

I'll have to reread that thread.

Matt
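
An added check, not part of the original message and not rsync code: it parses getfacl output and reports entries where the destination effectively grants more than the source, using the POSIX ACL rule that the mask limits every group-class entry. The sample is the srcfile/destfile output quoted above with the owner/group comment lines dropped; the function names are hypothetical.

```python
import re

# getfacl output quoted from the message above (owner/group comment lines dropped).
SAMPLE = """\
# file: srcfile
user::rw-
group::---
mask::r--
other::---

# file: destfile
user::rw-
group::r--
other::---
"""

ENTRY = re.compile(r"^(user|group|mask|other):([^:]*):([rwx-]{3})")

def parse_getfacl(text):
    """Return {filename: {(tag, qualifier): set_of_perm_letters}}."""
    acls, current = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            current = acls.setdefault(line[len("# file: "):].strip(), {})
        elif current is not None and (m := ENTRY.match(line.strip())):
            current[(m[1], m[2])] = set(m[3]) - {"-"}
    return acls

def effective(acl):
    """AND the mask into every group-class entry (all except user:: and other::)."""
    mask = acl.get(("mask", ""))
    owner_or_other = (("user", ""), ("other", ""))
    return {
        key: (perms & mask if mask is not None and key not in owner_or_other else perms)
        for key, perms in acl.items() if key[0] != "mask"
    }

def widened(src_acl, dst_acl):
    """Entries where dst effectively grants rights that src did not."""
    src, dst = effective(src_acl), effective(dst_acl)
    return [(key, "".join(sorted(perms - src.get(key, set()))))
            for key, perms in sorted(dst.items())
            if perms - src.get(key, set())]

if __name__ == "__main__":
    acls = parse_getfacl(SAMPLE)
    for (tag, qual), extra in widened(acls["srcfile"], acls["destfile"]):
        print(f"destfile widens {tag}:{qual}: by +{extra}")
```

Feeding it the f1/f2 output from the first case reports nothing, since dropping a mask equal to group:: leaves the effective permissions unchanged.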
