Hi,

On 04/01/2022 18.35, Michael Orlitzky wrote:
> On Tue, 2022-01-04 at 12:03 -0500, Mike Gilbert wrote:
>>
>> I disagree with the claim that "most people" should disable ACL
>> support at build time. That just gives you partially functional tools.
>> The ACL behavior can generally be controlled using runtime options.
>
> I understand why people would disagree in this case, but isn't that
> an argument for having the flag?
>
> There are plenty of great uses for ACLs, but unless you're extremely
> knowledgeable, they also add a million new ways to compromise your
> system. For example, if you untar a file with a default-ACL'd directory
> in it and don't notice the little plus sign, you might wind up
> unknowingly creating world-writable files. Even if you do notice the
> ACL, you have to be an expert in the interaction between umask,
> permission bits, the ACL mask, effective permissions, conflicting ACLs,
> and all of the tools you're using to understand what will actually
> happen or how to properly fix it. It's not something normal people can
> handle.
And none of which happens unless you intentionally trigger it.

1. To have ACL break things on new (extracted) files you'd first need to
have default ACL set on parent directory where you extract to --
otherwise they won't be carried and no problem

2. Unless you add --acl to both create and extract, no acl will be added
to tarball and/or extracted onto system

Running 'tar --acl ...' or 'setfacl -d ...' does not happen by accident
and the argument that you should disable acl to not run into issues with
above does not make much sense.

Sure, acl and how chmod manipulates the mask on ACL-enabled entities is not
very simple, but nothing will break by itself just because you have acl
support enabled, you would need to try very hard to run into problems.

-- Piotr.
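
Added example, not part of the thread: a small Python model of the acl(5) object-creation rules behind the umask / default ACL / mask interaction discussed above. It shows that a default ACL on the parent directory replaces the umask when a file is created. The function names and the sample ACL (including the user "alice") are constructed for illustration, and nothing here touches a filesystem.

```python
"""Model of the acl(5) object-creation rules (constructed example)."""

def new_file_perms(mode, umask, default_acl=None):
    """Return (permission bits, access ACL) for a file created in a directory.

    default_acl is None, or a dict with user_obj, group_obj, other,
    an optional mask, and optional named entries {"user:alice": perms}.
    """
    u, g, o = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    if default_acl is None:
        # No default ACL on the parent: the umask applies as usual.
        bits = mode & ~umask & 0o777
        acl = {"user_obj": bits >> 6, "group_obj": (bits >> 3) & 7,
               "other": bits & 7}
        return bits, acl
    # Default ACL present: it is inherited as the access ACL, the umask is
    # ignored, and the mode argument only caps owner, group class and other.
    acl = dict(default_acl)
    acl["user_obj"] &= u
    acl["other"] &= o
    if "mask" in acl:
        acl["mask"] &= g           # group class bits map to the mask
        group_bits = acl["mask"]
    else:
        acl["group_obj"] &= g
        group_bits = acl["group_obj"]
    bits = (acl["user_obj"] << 6) | (group_bits << 3) | acl["other"]
    return bits, acl

def effective(acl):
    """Effective rights of group_obj and named entries after the mask."""
    mask = acl.get("mask", 7)
    eff = {"group_obj": acl["group_obj"] & mask}
    for name, perms in acl.get("named", {}).items():
        eff[name] = perms & mask
    return eff

# Constructed sample: what 'setfacl -d' could have left on a parent directory.
SAMPLE_DEFAULT_ACL = {"user_obj": 7, "group_obj": 5, "mask": 7, "other": 7,
                      "named": {"user:alice": 7}}

if __name__ == "__main__":
    for parent in (None, SAMPLE_DEFAULT_ACL):
        bits, acl = new_file_perms(0o666, 0o022, parent)
        label = "default ACL" if parent else "no default ACL"
        print(f"{label}: mode {bits:04o}, effective {effective(acl)}")
```

With the sample default ACL the file comes out 0666 whatever the umask is; without a default ACL on the parent, the same create call with umask 022 yields 0644.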