Package: acl
Version: 2.2.52-3+b1
Followup-For: Bug #694756

Hello,

I can confirm that this bug still exists as of version 2.2.52-3 of the package, which is the version of Debian Stretch 9.1.
The tests were conducted on a fresh 9.1 net-install.

Our use case is having groups of users using a file share, with each group having its own 'home' directory, with all its members having full access to it. Most of the groups are able to read, but not write, in other homes, however there are some exceptions.

In this case, the implementation is done by setting all directories to 2770 and using ACLs to grant other groups access as needed.

The problem arises when a group is creating a directory in another group's home - because of the bug, the setgid bit will not be set, causing files and directories created within to have an incorrect gid.

A simplified version of the use case can be used to reproduce the bug:

* Consider two users, "user" and "assistant", belonging to their own groups each (Default options are fine)

    adduser user
    adduser assistant

* Create a directory named "share"

    cd /var
    mkdir share
    cd share

* Create several directories, change their owners to assistant and permissions to 2770

    mkdir noacl
    mkdir acl
    mkdir acl_d
    chown assistant:assistant noacl acl acl_d
    chmod 2770 noacl acl acl_d

* Grant full access to group "user" using ACL on acl and acl_d

    setfacl -m g:user:rwx acl
    setfacl -m g:user:rwx acl_d

* Grant default access to group "user" on acl_d

    setfacl -m d:g:user:rwx acl_d

* As user, create a directory in all three directories

    su user -
    cd /var/share
    mkdir noacl/user
    mkdir acl/user
    mkdir acl_d/user
    exit

* As assistant, create a directory in all three directories

    su assistant -
    cd /var/share
    mkdir noacl/assistant
    mkdir acl/assistant
    mkdir acl_d/assistant
    exit

* Verify permissions on created directories

    ls -l noacl
    ls -l acl
    ls -l acl_d

* Result :

    root@stretch:/var/share# ls -l noacl
    total 4
    drwxr-sr-x 2 assistant assistant 4096 juil. 27 14:55 assistant
    root@stretch:/var/share# ls -l acl
    total 8
    drwxr-sr-x 2 assistant assistant 4096 juil. 27 14:55 assistant
    drwxr-sr-x 2 user      assistant 4096 juil. 27 14:55 user
    root@stretch:/var/share# ls -l acl_d
    total 8
    drwxrws---+ 2 assistant assistant 4096 juil. 27 14:55 assistant
    drwxrwx---+ 2 user      assistant 4096 juil. 27 14:55 user

* In noacl, only assistant is present and has the setgid bit set - this is the expected outcome
* In acl, both user and assistant are present and have the setgid bit set - this is the expected outcome
* In acl_d, both user and assistant are present, however, only assistant has the setgid bit set - the expected outcome is that both user and assistant should have it

* Removing default acl from acl_d and re-creating a directory does have the expected outcome

    setfacl -k acl_d
    su user -
    cd /var/share
    mkdir acl_d/user_no_d
    exit
    ls -l acl_d

* Result :

    root@stretch:/var/share# ls -l acl_d
    total 12
    drwxrws---+ 2 assistant assistant 4096 juil. 27 14:55 assistant
    drwxrwx---+ 2 user      assistant 4096 juil. 27 14:55 user
    drwxr-sr-x  2 user      assistant 4096 juil. 27 15:03 user_no_d

JC

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages acl depends on:
ii  libacl1   2.2.52-3+b1
ii  libattr1  1:2.4.47-2+b2
ii  libc6     2.24-11+deb9u1

acl recommends no packages.

acl suggests no packages.

-- no debconf information
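
An audit for the symptom reported above, as an added example that is not part of the original report or of the acl package: it lists directories that sit directly inside a setgid directory but lack the setgid bit themselves, and can re-apply the bit. The function names and the sample tree are constructed for illustration; a find that supports -mindepth/-maxdepth (GNU or BSD find) is assumed.

```shell
#!/bin/sh
# Added example: locate directories where setgid inheritance stopped.

# list_missing_setgid ROOT
# Prints each directory directly inside a setgid directory that does not
# carry the setgid bit itself (the acl_d/user case from the report).
list_missing_setgid() {
    # -perm -2000 selects directories with the setgid bit set; each one is
    # then searched one level deep for child directories without the bit.
    find "$1" -type d -perm -2000 -exec sh -c '
        for parent in "$@"; do
            find "$parent" -mindepth 1 -maxdepth 1 -type d ! -perm -2000
        done
    ' sh {} + | sort
}

# repair_missing_setgid ROOT
# Sets the setgid bit on every directory reported by list_missing_setgid.
# One pass fixes one level: rerun until the list is empty for deeper trees.
# Files already created with the wrong group are not touched here.
# Limitation: paths containing newlines are not handled.
repair_missing_setgid() {
    list_missing_setgid "$1" | while IFS= read -r dir; do
        chmod g+s "$dir" || echo "cannot fix: $dir" >&2
    done
}

# build_sample_tree
# Constructed sample mirroring the report's acl_d directory, without ACLs:
# "assistant" keeps the setgid bit, "user" has lost it. Prints the tree root.
build_sample_tree() {
    tree=$(mktemp -d) || return 1
    mkdir "$tree/acl_d" || return 1
    chmod 2770 "$tree/acl_d" || return 1
    mkdir "$tree/acl_d/assistant" "$tree/acl_d/user" || return 1
    chmod g+s "$tree/acl_d/assistant" || return 1
    # chmod g-s rather than a numeric mode: GNU chmod keeps a directory's
    # setgid bit when given a 3- or 4-digit octal mode.
    chmod g-s "$tree/acl_d/user" || return 1
    printf '%s\n' "$tree"
}

# Usage: sh script.sh /var/share   (lists affected directories)
if [ $# -gt 0 ]; then
    list_missing_setgid "$1"
fi
```

On a real share, run the listing first and review it before running the repair, since a directory may lack the bit on purpose.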