We discovered an issue with our "final bits" for Indigo SR1, and while investigating, it appears there are permission problems in /shared/webtools/

Specifically, 'canderson' could not "delete" a file in our (temporary) repository

    Unable to remove artifact repository file: /shared/webtools/committers/wtp-R3.3.1-M/20110914031739/M-3.3.1-20110914031739/repository/artifacts.jar

Then, I logged in with my 'david_williams' id to try and see what was going on ... I had similar problems, and found I could not even write one new file to /shared/webtools/releng.control

Permissions look correct ... what's up?!

    $ getent group webtools.releng
    webtools.releng:*:8566:david_williams,ndai,rsrinivasan,tle,canderson,mhutchinson,kraev

    $ getfacl releng.control
    # file: releng.control
    # owner: wtpBuild
    # group: webtools.releng
    # flags: -s-
    user::rwx
    group::rwx
    other::r-x
Well, I guess the permissions of that artifacts.jar file are not correct:

    $ getfacl /shared/webtools/committers/wtp-R3.3.1-M/20110914031739/M-3.3.1-20110914031739/repository/artifacts.jar
    getfacl: Removing leading '/' from absolute path names
    # file: shared/webtools/committers/wtp-R3.3.1-M/20110914031739/M-3.3.1-20110914031739/repository/artifacts.jar
    # owner: wtpBuild
    # group: webtools.releng
    user::rw-
    group::r--
    other::r--

And _that_ reminds me of a discussion we had long ago, that to get ACLs inherited correctly, "set acl" has to be called twice, first with normal settings ... then again for defaults. Then, after that, new directories and files will inherit what their parent has.

So ... tell me the truth :) ... did you change this recently? I'm 90% sure /shared/webtools used to be set up correctly.

As one example of "default" ACLs, see bug 354310.

So, to solve ... I think you need to do this ... doubt I'd have permission ... can you add "default" ACLs to /shared/webtools and all its subdirectories?
It occurs to me that, by logging in with the 'wtpBuild' ID, I could probably fix this myself ... I will give that a try.

I'll also forward the email I found in my archives to webmasters about the last time this happened. (October of 2010)

I am kind of bummed our ACLs get messed up.
Well, hope I didn't make things worse!

Everything looks ok ... but, I still can't write to /shared/webtools with my 'david_williams' ID. And, now, after my changes, if I create a file with 'wtpBuild' id, it appears owned by 'wtpBuild' but group is "user" instead of "webtools.releng" as it should be.

Here is the end result of what I did, what I did is below that.

    $ getfacl /shared/webtools/releng.control/
    getfacl: Removing leading '/' from absolute path names
    # file: shared/webtools/releng.control/
    # owner: wtpBuild
    # group: webtools.releng
    user::rwx
    group::rwx
    other::r-x
    default:user::rwx
    default:user:david_williams:rwx
    default:user:canderson:rwx
    default:group::rwx
    default:mask::rwx
    default:other::r-x

Steps using wtpBuild id:

First, did

    chmod -R ug=rwx,o=rx /shared/webtools

to make sure "basics" were right.

hmm ... best a need a guid bit in there? But, couldn't recall what that'd look like ? u=rwx,g=rws,o=rx ? (and couldn't find good reference, yet).

Then ran following to "set defaults"

    setfacl -R -d -m u::rwx /shared/webtools

Then, in case me, or Carl, were hitting the "16 group maximum limit", for good measure I added us both explicitly to ACL:

    setfacl -R -d -m u:david_williams:rwx /shared/webtools
    setfacl -R -d -m u:canderson:rwx /shared/webtools

Now, I still can't create files there ... though sure looks like I should be able to.

Did you restrict userIds with underscores in them again? :)
Ok, I think I recall ... SGID bit is the one to help with "group" ownership, and think group x should be s instead ...

I tried (using wtpBuild id)

    find /shared/webtools -type d -exec chmod -c g+s '{}' \;

and the chmod command reported it was changing them to 's' but, I don't see it afterward .... and still created files with group 'user'.

Is this one of those things that takes a while to propagate through NFS file systems? (little that I understand those).
> Then, in case me, or Carl, were hitting the "16 group maximum limit", for good
> measure I added us both explicitly to ACL:

*sigh* That ever popular 16-group limit. I'm purposely avoiding patching the kernel on build since maintaining a patched kernel is time consuming.

> setfacl -R -d -m u:david_williams:rwx /shared/webtools
> setfacl -R -d -m u:canderson:rwx /shared/webtools
>
> Now, I still can't create files there ...

-d means "default for new files". I always run setfacl in 2 steps: one for the -d efault and one that actually says "gimme access".

So re-run your setfacl commands without the -d and you should be all set.
FWIW, your ACL-foo impresses me.
> > So re-run your setfacl commands without the -d and you should be all set.

Ok ... I ('david_williams') can write again.

But, files still not created with correct 'webtools.releng' group, and won't let me ('wtpBuild') set SGID ... change 'g' back to rws ... just rwx. I've tried several ways, including numeric! (2775)

My guess is that it is because 'wtpBuild' is not a member of "webtools.releng". Or ... is it that ACL needs to be changed to 's' first?

So ... can root set SGID for us? for all directories in /shared/webtools
(In reply to comment #7)
> > So ... can root set SGID for us? for all directories in /shared/webtools

This appears to have been done. Thank you.
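
Added example, not part of the original thread or of Eclipse's tooling: a shell function that reads `getfacl` output and reports the two gaps worked through in the comments above, a named user who has only a `default:` entry with no access entry, and a directory without the SGID flag. The function name `audit_acl` and the finding labels are assumptions made for this example; the first sample is abridged from the output posted in the thread and the second is constructed.

```shell
# Added example: audit getfacl output for the two gaps discussed in this thread.
# Usage: getfacl DIR | audit_acl USER   (prints one finding per line, or nothing)
audit_acl() {
    awk -F: -v user="$1" '
        $1 == "# flags" {                    # "# flags: -s-" = setuid, setgid, sticky
            gsub(/ /, "", $2)
            if (substr($2, 2, 1) == "s") sgid = 1
        }
        $1 == "default" { has_default = 1 }
        # Access entry, applies to the directory right now: user:NAME:rwx
        $1 == "user" && $2 == user && substr($3, 2, 1) == "w" { access_w = 1 }
        # Default entry, only copied to files and directories created later
        $1 == "default" && $2 == "user" && $3 == user { default_named = 1 }
        END {
            if (!has_default) print "no-default-acl"
            if (default_named && !access_w) print "default-only:" user
            if (!sgid) print "no-sgid"
        }'
}

# Abridged from the getfacl output posted after the recursive "setfacl -d" runs.
sample_before() {
    cat <<'EOF'
# file: shared/webtools/releng.control/
# group: webtools.releng
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:david_williams:rwx
default:group::rwx
default:mask::rwx
default:other::r-x
EOF
}

# Constructed sample (abridged): access entry and SGID flag now present.
sample_after() {
    cat <<'EOF'
# file: shared/webtools/releng.control/
# flags: -s-
user::rwx
user:david_williams:rwx
group::rwx
mask::rwx
other::r-x
default:user:david_williams:rwx
EOF
}
```

`sample_before | audit_acl david_williams` reports `default-only:david_williams` and `no-sgid`; the same call on `sample_after` prints nothing.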