Allow +X in ACL's #33921
Comments
@timwsuqld I am able to replicate this error with a smaller test case as follows:
Looks like we need to add the ability to use this
@Ch3LL Unfortunately I think it'll need some more logic added to the code to handle it
Hello, has there been any advance on this? Thanks!
No one is currently working on this due to other higher priority issues. Please feel free to take a stab at a PR if you would like.
I would very much like a fix for this as well, but I'm far from knowledgeable enough to do it myself.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
Still an issue.
Thank you for updating this issue. It is no longer marked as stale.
I ran into this one again today. Just keeping it on the radar.
The Core team won't be able to get to this in Aluminium, moving it back into planning for another release.
Just a reminder that this is still a massive shortcoming in the linux_acl state.
I ran into this problem today and was in the midst of creating an issue when I saw that this was already an outstanding issue for this.
--- /usr/lib/python3.11/site-packages/salt/states/linux_acl.py.orig 2022-10-09 22:45:53.798161441 +0200
+++ /usr/lib/python3.11/site-packages/salt/states/linux_acl.py 2022-10-10 20:15:16.757902616 +0200
@@ -102,8 +102,8 @@ def present(name, acl_type, acl_name="",
"""
ret = {"name": name, "result": True, "changes": {}, "comment": ""}
- _octal = {"r": 4, "w": 2, "x": 1, "-": 0}
- _octal_lookup = {0: "-", 1: "r", 2: "w", 4: "x"}
+ _octal = {"r": 4, "w": 2, "x": 1, "X": 1, "-": 0}
+ _octal_lookup = {4: "r", 2: "w", 1: "x", 0: "-"}
if not os.path.exists(name):
ret["comment"] = "{} does not exist".format(name)
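Review bot: the `_octal_lookup` rewrite in this hunk is an independent bug fix, not part of adding `X`: the old table mapped `1: "r"` and `4: "x"`, so lookups of the form `_octal_lookup[_num & 4]` later in the state rendered the wrong letters. Call that out in the PR description and cover it with its own unit test so it survives if the `X` handling is reworked. Also note that `"X": 1` makes `rwX` sum to the same 7 as `rwx`, so anything that relies on the sum alone can no longer tell the two apart; the conditional behaviour has to be carried separately, as the later hunks attempt.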
@@ -145,7 +145,12 @@ def present(name, acl_type, acl_name="",
user = None
if user:
- octal_sum = sum(_octal.get(i, i) for i in perms)
+ if perms.endswith('X'):
+ conditional_x = True
+ else:
+ conditional_x = False
+
+ octal_new = sum(_octal.get(i, i) for i in perms)
need_refresh = False
# If recursive check all paths retrieved via acl.getfacl
if recurse:
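Review bot: `perms.endswith('X')` only detects a trailing `X`, while setfacl accepts the letter anywhere in the string (e.g. `rXw`); `conditional_x = "X" in perms` is both shorter and more general. The rename of `octal_sum` to `octal_new` is fine, but only the uses inside these hunks are visible, so check that no other branch of `present()` still references `octal_sum`.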
@@ -159,11 +164,18 @@ def present(name, acl_type, acl_name="",
else:
_current_perms_path = __current_perms[path]
for user_acl in _current_perms_path.get(_acl_type, []):
- if (
- _search_name in user_acl
- and user_acl[_search_name]["octal"] == octal_sum
- ):
- acl_found = True
+ if _search_name in user_acl:
+ octal_current = user_acl[_search_name]["octal"]
+ executable = bool(octal_current % 2 == 1)
+ if (
+ octal_current == octal_new
+ or
+ (conditional_x and not executable and octal_current == (octal_new - 1))
+ ):
+ acl_found = True
if not acl_found:
need_refresh = True
break
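Review bot: the new match condition accepts `octal_current == octal_new - 1` for any path when `conditional_x` is set, but per the chmod semantics quoted in the issue (`X` grants execute to directories, and to files only if they already have it) a directory whose entry lacks the execute bit should be reported as needing a refresh; this condition reports it as already in the desired state instead. Consult `os.path.isdir(path)` (and, for files, whether any execute bit is set in the mode) before accepting the lower value. Minor: `bool(octal_current % 2 == 1)` reads better as `bool(octal_current & 1)`, and `or` alone on its own line is formatting black will reflow.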
@@ -179,26 +191,27 @@ def present(name, acl_type, acl_name="",
ret["comment"] = "Permissions are in the desired state"
else:
_num = user[_search_name]["octal"]
- new_perms = "{}{}{}".format(
- _octal_lookup[_num & 1],
- _octal_lookup[_num & 2],
+ old_perms = "{}{}{}".format(
_octal_lookup[_num & 4],
+ _octal_lookup[_num & 2],
+ _octal_lookup[_num & 1],
)
changes = {
"new": {"acl_name": acl_name, "acl_type": acl_type, "perms": perms},
- "old": {
- "acl_name": acl_name,
- "acl_type": acl_type,
- "perms": new_perms,
+ "old": {"acl_name": acl_name, "acl_type": acl_type, "perms": old_perms,
},
}
if __opts__["test"]:
ret.update(
{
"comment": (
"Updated permissions will be applied for "
- "{}: {} -> {}".format(acl_name, new_perms, perms)
+ "{}: {} -> {}".format(acl_name, old_perms, perms)
I run it through various tests (targeted files/directories, recurse=True/False....etc) and it seems to work fine.
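Review bot: the `"old": {"acl_name": acl_name, "acl_type": acl_type, "perms": old_perms,` line collapses the dict onto one line while leaving `},` on the next, which is not black-formatted; keep the original multi-line layout. The bit-order fix (`_num & 4`, `& 2`, `& 1` for r, w, x) and the `new_perms` to `old_perms` rename do correct the displayed before/after strings, but the `"new"` entry and the test-mode comment still use the raw `perms` string, so an `rwX` request on a plain file is reported as `rw- -> rwX` even though no execute bit will be granted there; consider rendering the permissions as resolved for that path.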
I'm not familiar with linux acls. Make the PR and anyone can review it.
Whaaat!?
diff -up linux_acl.py.orig linux_acl.py
--- linux_acl.py.orig 2022-10-10 18:14:13.309437026 +0200
+++ linux_acl.py 2022-10-10 19:48:53.704767782 +0200
@@ -401,7 +401,7 @@ def list_present(name, acl_type, acl_nam
acl_names = []
ret = {"name": name, "result": True, "changes": {}, "comment": ""}
- _octal = {"r": 4, "w": 2, "x": 1, "-": 0}
+ _octal = {"r": 4, "w": 2, "x": 1, "X": 1, "-": 0}
_octal_perms = sum(_octal.get(i, i) for i in perms)
if not os.path.exists(name):
ret["comment"] = "{} does not exist".format(name)
You can just run this acl_test:
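Review bot: adding `"X": 1` to `_octal` here only avoids the failure in `sum(_octal.get(i, i) for i in perms)`, where the `get(i, i)` fallback returns the unmapped letter itself and an integer sum then breaks; it also makes `rwX` produce exactly the same `_octal_perms` as `rwx`, so `list_present` can no longer distinguish the two when comparing against current entries. Confirm that the literal `perms` string (with the capital `X`) is what reaches setfacl rather than the octal value, otherwise plain files will be given the execute bit, and add a test with a directory containing a non-executable file to pin that down.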
```yaml
acl.list_present:
  - name: /tmp/testdir
  - acl_type: group
  - acl_names:
    - wheel
  - perms: rwX
  - recurse: True
```
And it'll work. Which begs the question why are
The only thing that doesn't seem to work with acl_test:
```yaml
acl.list_present:
  - name: /tmp/testdir
  - acl_type: group
  - acl_names:
    - wheel
  - perms: rwx
  - recurse: True
```
trying to change the permissions from
Any forward movement on this? Looks like it should have been merged by now, but we're still seeing the original behavior described here.
Related to #31270
Wanting to create an ACL that applies the execute permission to directories, but not files. Using chmod and setfacl you can use X instead of x, which means it'll apply the execute permission to directories, or files if they already have that permission. From the chmod man page,
execute/search only if the file is a directory or already has execute permission for some user (X)
An example SLS file would look like. Note the Capital X, not lower case x
This unfortunately bombs with the following error (Same as #31270)
Looking at the code, I'm not sure the easiest way to handle this. We take the easy way of comparing current permissions to intended permissions by getting the octal value of the current permissions, and calculating the new octal value. To support X we'd need to handle the execute bit on a case by case basis, as we shouldn't be removing the execute bit if it's present, but we should only be adding it to directories if it's absent.
Versions Report
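As an added example (not code from the Salt project or from anyone in this thread), here is the per-path comparison the issue text calls for: resolve what a capital X means for a specific path first, then compare octal values, instead of summing the letters of `rwX` into the same number as `rwx`. The `_OCTAL` and `_OCTAL_LOOKUP` tables mirror the ones in the state; `parse_perms`, `desired_octal`, `path_facts`, `needs_refresh` and `demo` are names chosen here, and the directory tree that `demo()` builds under a temporary directory is constructed purely for illustration.

```python
"""
Added example (not the Salt project's code): models the conditional-execute
semantics of a capital X in an ACL permission string so that a state can
decide, per path, whether an existing entry already matches 'rwX'.
"""
import os
import shutil
import stat
import tempfile

# Letter -> bit value. Capital X is handled separately because its bit value
# depends on the path it is applied to.
_OCTAL = {"r": 4, "w": 2, "x": 1, "-": 0}
# Bit value -> letter, keyed by the bit value so that lookups of the form
# table[num & 4], table[num & 2], table[num & 1] return the right letters.
_OCTAL_LOOKUP = {4: "r", 2: "w", 1: "x", 0: "-"}


def parse_perms(perms):
    """Split a perms string such as 'rw-', 'rwx' or 'rwX' into
    (octal without the execute bit, wants_x, wants_conditional_x).
    Unknown letters raise ValueError instead of being summed as strings."""
    base, wants_x, conditional_x = 0, False, False
    for ch in perms:
        if ch == "x":
            wants_x = True
        elif ch == "X":
            conditional_x = True
        elif ch in _OCTAL:
            base |= _OCTAL[ch]
        else:
            raise ValueError("unknown permission character: {!r}".format(ch))
    return base, wants_x, conditional_x


def desired_octal(perms, is_dir, file_has_exec):
    """Octal value the ACL entry should end up with for one path.

    Follows the chmod man page wording quoted in the issue: X grants execute
    only if the path is a directory or already has execute permission for
    some user (file_has_exec, taken from the 0o111 bits of the file mode)."""
    base, wants_x, conditional_x = parse_perms(perms)
    if wants_x or (conditional_x and (is_dir or file_has_exec)):
        return base | 1
    return base


def octal_to_perms(num):
    """Render an octal entry value back to rwx notation (e.g. 5 -> 'r-x')."""
    return "{}{}{}".format(
        _OCTAL_LOOKUP[num & 4], _OCTAL_LOOKUP[num & 2], _OCTAL_LOOKUP[num & 1]
    )


def path_facts(path):
    """Return (is_dir, has_any_exec_bit) for a path from a single stat call."""
    st = os.stat(path)
    return stat.S_ISDIR(st.st_mode), bool(stat.S_IMODE(st.st_mode) & 0o111)


def needs_refresh(perms, current_entry_octal, is_dir, file_has_exec):
    """True if the existing entry differs from what the requested perms
    resolve to for this particular path."""
    return desired_octal(perms, is_dir, file_has_exec) != current_entry_octal


def demo():
    """Constructed sample tree: a directory, a subdirectory, a plain file and
    an executable file. Report which paths need their entry refreshed when
    'rwX' is requested and every entry currently reads 'rw-' (octal 6)."""
    root = tempfile.mkdtemp()
    try:
        sub = os.path.join(root, "subdir")
        os.mkdir(sub)
        plain = os.path.join(root, "data.txt")
        script = os.path.join(root, "run.sh")
        for p in (plain, script):
            open(p, "w").close()
        os.chmod(plain, 0o640)   # no execute bit anywhere
        os.chmod(script, 0o750)  # owner and group may execute
        report = {}
        for path in (root, sub, plain, script):
            is_dir, has_exec = path_facts(path)
            report[os.path.relpath(path, root)] = needs_refresh(
                "rwX", 6, is_dir, has_exec
            )
        return report
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, refresh in demo().items():
        print("{:10} needs refresh: {}".format(name, refresh))
```

Running the module reports that both directories and the executable file need a refresh while the plain file does not, which is exactly the distinction a comparison of two octal sums cannot express: with `"X": 1` in the table, `rwX` and `rwx` both become 7, and the directory-with-`rw-` case is either always or never flagged.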