Bug 173178 - The getfacl program fails to display all of the ACL information
The getfacl program fails to display all of the ACL information
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: acl (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Thomas Woerner
Depends On:
Blocks: RHEL4U4Audit 176344
  Show dependency treegraph
Reported: 2005-11-14 14:40 EST by Paul Moore
Modified: 2007-11-30 17:07 EST (History)
5 users (show)

See Also:
Fixed In Version: RHBA-2007-0176
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-05-01 13:35:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch from Klaus Weidner <klaus@atsec.com> (1.00 KB, patch)
2005-11-14 14:40 EST, Paul Moore
no flags Details | Diff
updated patch that applies to current upstream / rhel5beta version (1.58 KB, patch)
2007-01-29 13:13 EST, Klaus Weidner
no flags Details | Diff

  None (edit)
Description Paul Moore 2005-11-14 14:40:31 EST
Description of problem:
The getfacl program does not display ACL information for all files/links in a

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. mkdir dir
2. touch dir/mydata
3. ln -s dir link
4. getfacl -dR .
Actual results:
 # file: .
 # owner: root
 # group: root

 # file: link
 # owner: root
 # group: root

 # file: link/mydata
 # owner: root
 # group: root 

Expected results:
ACL information for both 'dir' and 'link' would be displayed.

Additional info:
Below is an explanation from Klaus Weidner <klaus@atsec.com> as well as a patch
(attached to this bug):

"The effect depends on the low-level ordering of entries in the directory,
use "ls -U" to show that order. getfacl uses the first entry found.
You get the documented result if you create the link after the directory
in a freshly created directory. 

It's not security relevant since the underlying system calls do work
correctly, and the bug shouldn't have much real world impact other than
confusing this specific test case. You can try adding the -P or -L flags
in the test case to get consistent behavior, or make sure to always start
with a freshly created directory."
Comment 1 Paul Moore 2005-11-14 14:40:31 EST
Created attachment 121037 [details]
Patch from Klaus Weidner <klaus@atsec.com>
Comment 6 Steve Grubb 2006-06-26 10:54:31 EDT
Thomas, have you ever pushed this patch into FC? Seems like it could get some
testing there to make sure there are no unintended side effects.
Comment 7 Thomas Woerner 2006-08-01 11:02:22 EDT
Nope, not yet.
Comment 8 RHEL Product and Program Management 2006-08-18 13:01:46 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 9 Klaus Heinrich Kiwi 2007-01-22 13:21:49 EST
When testing the above testcase against RHEL5 beta2 snaphot 5, the results are a
bit different from what I thought:

[root@alex test]# getfacl -dRL .
# file: .
# owner: root
# group: root

# file: dir
# owner: root
# group: root

# file: dir/mydata
# owner: root
# group: root

[root@alex test]# ls -lR
total 12
drwxr-xr-x 2 root root 4096 Jan 22 09:09 dir
lrwxrwxrwx 1 root root    3 Jan 22 09:10 link -> dir

total 4
-rw-r--r-- 1 root root 0 Jan 22 09:09 mydata

I thought that we would get info about all files (including links) when querying
with 'getfacl -dRL .'

Any news on this?
Comment 10 Klaus Weidner 2007-01-29 13:13:46 EST
Created attachment 146845 [details]
updated patch that applies to current upstream / rhel5beta version

I think the new behavior is still broken. The attached patch restores the
behavior according to the old patch I had submitted.
Comment 11 Paul Moore 2007-01-31 07:58:27 EST
I see this was just changed to "MODIFIED" - what does that mean?
Comment 13 Klaus Weidner 2007-03-08 10:21:28 EST
Please see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=223840 - a new
package containing a patch is available:

Comment 16 Red Hat Bugzilla 2007-05-01 13:35:33 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.