Lab 6.3 - ACLs - Wrong solution, misunderstanding or typo?
Hi, it's Pablo, evolving through the LFS203 course learning.
Hope you all are well.
I got confused with Lab 6.3: while following the solution procedure, I obtain different results.
As you can see later in the outputs, they do not correspond to what is shown in the LAB.
Here is the output of the terminals I used (usernames are my dogs' names ^^):
Steps 1 to 4:
Terminal 1 (user "mago"):
[mago@centos9 test]$ echo "This is a file" > afile
[mago@centos9 test]$ getfacl afile
file: afile
owner: mago
group: mago
user::rw-
group::r--
other::r--
[mago@centos9 test]$ setfacl -m u:kio:rw afile
[mago@centos9 test]$ getfacl afile
file: afile
owner: mago
group: mago
user::rw-
user:kio:rw-
group::r--
mask::rw-
other::r--
Terminal 2 (user kio):
[kio@centos9 test]$ ls -alrt
total 8
drwxrwxrwt. 19 root root 4096 mar 18 08:39 ..
-rw-r--r--. 1 mago mago 15 mar 18 08:40 afile
drwxr-xr-x. 2 mago mago 19 mar 18 08:40 .
[kio@centos9 test]$ echo "another line" >> afile
(It is all ok until here)
Step 5:
Terminal 1 (user "mago"):
[mago@centos9 test]$ setfacl -m u:kio:w afile
[mago@centos9 test]$ getfacl afile
file: afile
owner: mago
group: mago
user::rw-
user:kio:-w-
group::r--
mask::rw-
other::r--
[mago@centos9 test]$
Terminal 2 (user kio):
[kio@centos9 test]$ echo "another line" >> afile
[kio@centos9 test]$
Step 6 (added by myself):
Terminal 1 (user "mago"):
[mago@centos9 test]$ cat afile
This is a file
another line
another line
[mago@centos9 test]$ getfacl afile
file: afile
owner: mago
group: mago
user::rw-
user:kio:-w-
group::r--
mask::rw-
other::r--
Terminal 2 (user kio):
[kio@centos9 test]$ cat afile
cat: afile: Permiso denegado
[kio@centos9 test]$ echo "another line" >> afile
[kio@centos9 test]$
This is making me confused about ACLs, but I really think there is something wrong with the outputs shown in the LAB solution, because the solution shown here by me is very logical when following the Linux convention about file permissions:
owner can write and read the file.
"kio" can write to "afile", but can't read from it.
Let me know what you think about it, please.
Thanks in advance for your replies.
Kind regards,
Pablo.
Comments
-
Hi Pablo,
I went through Lab 6.3 on CentOS Stream 10 and it worked for me. I also see in your outputs it worked for you as well.
On item 5 we removed the read permission over the file 'afile', so you can write on it but you can't read it -you can't 'cat' it, right? This is for examples only, for showing what you can do with the tool; perhaps you got confused on the application of this?
Regards,
Luis.
-
Hi Luis, thanks for your reply.
I tested the lab on CentOS 9, inside the /tmp/test directory, but I don't think it is a matter of the machine; I really think there is a mistake in the outputs shown by the solution.
What I am trying to explain is that the command "setfacl -m u:fool:w /tmp/afile" is still giving +w permission to the fool user (as noted in the line "user:kio:-w-" of my first post), so the last message about "Permission denied" (bold line) is not truly occurring, for me at least.
The solution's text shows the following:
In window 1:
$ setfacl -m u:fool:rw /tmp/afile
$ getfacl /tmp/afile
getfacl: Removing leading '/' from absolute path names
# file: tmp/afile
# owner: coop
# group: coop
user::rw-
user:fool:rw-
group::rw-
mask::rwx
other::r--
In window 2:
$ echo another line > /tmp/afile
5. In window 1:
$ setfacl -m u:fool:w /tmp/afile
In window 2:
$ echo another line > /tmp/afile
-bash: /tmp/afile: Permission denied
$ rm /tmp/afile
$ sudo userdel -r fool
Sorry if I am wrong, and thanks a lot for your time.
Kind regards,
Pablo.
-
Hi Pablo,
I get it now. In my case I'm using these two users:
1) luis.
2) eduardo.
3) So, I ran 'setfacl -m u:eduardo:w /tmp/afile' and it got like this:
luis@centoserver:/tmp$ getfacl afile
file: afile
owner: luis
group: luis
user::rw-
user:eduardo:-w-
group::r--
mask::rw-
other::r--
So the 'eduardo' user can write but not read, right? That's what makes sense here.
In the 'eduardo' user's terminal it should fail reading the file and should work to write on it:
eduardo@centoserver:/tmp$ cat afile
cat: afile: Permission denied
eduardo@centoserver:/tmp$ echo another line > /tmp/afile
So try that in your system, please. I hope it makes sense now!
Regards,
Luis.
-
Hi Luis,
I totally agree with you, sorry if I could not explain it well.
Anyway, just to clarify things, what we agree on is different from what the lab solution shows.
In the document I read the following at the end of the solution:
In window 1:
$ setfacl -m u:fool:w /tmp/afile
In window 2:
$ echo another line > /tmp/afile
-bash: /tmp/afile: Permission denied
$ rm /tmp/afile
$ sudo userdel -r fool
So, the "echo another line > /tmp/afile" should work, as you explained before, it being different from "cat /tmp/afile" (which should not work and throw "permission denied")
Best regards,
Pablo.
-
Hi Pablo,
Yes, that's correct. I'll inform the team about this so we can correct it.
Say 'hi' from me to Mago and Kio

Luis.
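
An added example, not part of the thread or the course material: the POSIX ACL access-check order from acl(5), evaluated over the getfacl output from step 5 of the first post. It shows why "kio" can write but not read even though other::r-- would allow reading: the first matching entry decides, with no fall-through. The function names and the user "ana" are made up for illustration; directory search permission and root's override are not modelled.

```python
import re

# getfacl output from step 5 in the thread ("# " header prefixes restored)
SAMPLE = """\
# file: afile
# owner: mago
# group: mago
user::rw-
user:kio:-w-
group::r--
mask::rw-
other::r--
"""

def parse_getfacl(text):
    """Parse getfacl text into owner, group and (tag, qualifier, perms) entries."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in text.splitlines():
        line = line.strip()
        hdr = re.match(r"^#?\s*(owner|group):\s+(\S+)$", line)
        ent = re.match(r"^(user|group|mask|other):([^:]*):([r-][w-][x-])", line)
        if hdr:
            acl[hdr.group(1)] = hdr.group(2)
        elif ent:
            acl["entries"].append(ent.groups())
    return acl

def access(acl, user, groups, want):
    """True if `user` (member of `groups`) gets every permission letter in `want`."""
    ents, want = acl["entries"], set(want)
    mask = next((set(p) for t, _, p in ents if t == "mask"), None)
    def eff(perms, masked=True):
        p = set(perms) - {"-"}
        return p & mask if (masked and mask is not None) else p
    def get(tag, qual=""):
        return [p for t, q, p in ents if t == tag and q == qual]
    if user == acl["owner"]:            # 1. owner: user:: entry, never masked
        return want <= eff(get("user")[0], masked=False)
    named = get("user", user)
    if named:                           # 2. named user: entry AND mask, then stop
        return want <= eff(named[0])
    matching = [p for t, q, p in ents if t == "group" and
                ((q == "" and acl["group"] in groups) or (q != "" and q in groups))]
    if matching:                        # 3. any matching group entry AND mask
        return any(want <= eff(p) for p in matching)
    return want <= eff(get("other")[0], masked=False)   # 4. everyone else

ACL_STEP5 = parse_getfacl(SAMPLE)
```

Both `echo ... > afile` and `echo ... >> afile` open the file write-only, so only the "w" check applies to them; `cat` needs "r".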