| 1 |
Hi, |
| 2 |
|
| 3 |
On 04/01/2022 18.35, Michael Orlitzky wrote: |
| 4 |
> On Tue, 2022-01-04 at 12:03 -0500, Mike Gilbert wrote: |
| 5 |
>> |
| 6 |
>> I disagree with the claim that "most people" should disable ACL |
| 7 |
>> support at build time. That just gives you partially functional tools. |
| 8 |
>> The ACL behavior can generally be controlled using runtime options. |
| 9 |
> |
| 10 |
> I understand why people would disagree in this case, but isn't that a |
| 11 |
> an argument for having the flag? |
| 12 |
> |
| 13 |
> There are plenty of great uses for ACLs, but unless you're extremely |
| 14 |
> knowledgeable, they also add a million new ways to compromise your |
| 15 |
> system. For example, if you untar a file with a default-ACL'd directory |
| 16 |
> in it and don't notice the little plus sign, you might wind up |
| 17 |
> unknowingly creating world-writable files. Even if you do notice the |
| 18 |
> ACL, you have to be an expert in the interaction between umask, |
| 19 |
> permission bits, the ACL mask, effective permissions, conflicting ACLs, |
| 20 |
> and all of the tools you're using to understand what will actually |
| 21 |
> happen or how to properly fix it. It's not something normal people can |
| 22 |
> handle. |
| 23 |
And none of which happens unless you intentionally trigger it. |
| 24 |
|
| 25 |
1. To have ACL break things on new (extracted) files you'd first need to |
| 26 |
have default ACL set on parent directory where you extract to -- |
| 27 |
otherwise they won't be carried and no problem |
| 28 |
|
| 29 |
2. unless you add --acl to both create and extract, no acl will be added |
| 30 |
to tarball and/or extracted onto system |
| 31 |
|
| 32 |
Running 'tar --acl ...' or 'setfacl -d ...' does not happen by accident |
| 33 |
and argument that you should disable acl to not run into issues with |
| 34 |
above does not make much sense. |
| 35 |
|
| 36 |
Sure, acl and how chmod manipulate mask on ACL-enabled entities is not |
| 37 |
very simple, but nothing will break by itself just because you have acl |
| 38 |
support enabled, you would need to try very hard to run into problems. |
| 39 |
|
| 40 |
-- Piotr. |
Archives