Can we get a more up to date / feature complete version of the acl package?

setfacl has for a while now supported the +X (capital X) flag. From the man page:

The perms field is a combination of characters that indicate the permissions: read (r), write (w), execute (x), execute only if the file is a directory or already has execute permission for some user (X).

The version OpenSUSE ships with doesn’t have this functionality which imo is odd, because if I do:

setfacl --version
setfacl 2.3.2

Setfacl should be new enough, according to this Stackoverflow comment:

My version of setfacl allows X exactly like you want, e.g.:

setfacl g:mygroup:rwX

$ setfacl --version
setfacl 2.2.49

Is there any way we can get the more feature complete version? It would enhance security. I’m not sure where it’s found. Maybe the Debian distros have a link to it.

You forgot to show the actual error or any other evidence of the problem.

My bad! Here’s an example of it:

sudo setfacl -R -m g::r,o::- /var/lib/docker/

sudo ls -l
total 716
-rwxr----- 1 root root 78223 Jul 31 19:29 2024-07-19_:SPX.parquet
-rwxr----- 1 root root 77557 Jul 31 19:29 2024-07-22_:SPX.parquet
-rwxr----- 1 root root 83292 Jul 31 19:29 2024-07-23_:SPX.parquet
-rwxr----- 1 root root 77592 Jul 31 19:29 2024-07-24_:SPX.parquet
-rwxr----- 1 root root 78027 Jul 31 19:29 2024-07-25_:SPX.parquet
-rwxr----- 1 root root 78212 Jul 31 19:29 2024-07-26_:SPX.parquet
-rwxr----- 1 root root 78788 Jul 31 19:29 2024-07-29_:SPX.parquet
-rwxr----- 1 root root 83943 Jul 31 19:29 2024-07-30_:SPX.parquet
-rwxr----- 1 root root 77800 Jul 31 19:29 2024-07-31_:SPX.parquet

sudo setfacl -R -m g::rX,o::- /var/lib/docker/

-rwxr-x--- 1 root root 78223 Jul 31 19:29 2024-07-19_:SPX.parquet
-rwxr-x--- 1 root root 77557 Jul 31 19:29 2024-07-22_:SPX.parquet
-rwxr-x--- 1 root root 83292 Jul 31 19:29 2024-07-23_:SPX.parquet
-rwxr-x--- 1 root root 77592 Jul 31 19:29 2024-07-24_:SPX.parquet
-rwxr-x--- 1 root root 78027 Jul 31 19:29 2024-07-25_:SPX.parquet
-rwxr-x--- 1 root root 78212 Jul 31 19:29 2024-07-26_:SPX.parquet
-rwxr-x--- 1 root root 78788 Jul 31 19:29 2024-07-29_:SPX.parquet
-rwxr-x--- 1 root root 83943 Jul 31 19:29 2024-07-30_:SPX.parquet
-rwxr-x--- 1 root root 77800 Jul 31 19:29 2024-07-31_:SPX.parquet

The capital X means only give a +x on directories, not files, except in very old versions of setfacl.

Also for further proof:
sudo getfacl .

# file: .
# owner: root
# group: root
user::rwx
group::r-x
other::---

If I do man setfacl and search for " execute only if the file is a directory or already has execute permission for some user" it doesn’t appear, implying the version of setfacl on the OpenSUSE distro is old enough to lack this feature.

You are mistaken.

Do you have link to a project release notes, NEWS, README, commit or anything that proves it?

It is there. Searching for such a long sentence can easily fail, e.g. because it is wrapped.

Besides, this sentence directly contradicts “only on directories”. If you are aware of what X does, then I do not understand the problem at all. Your example invocation does exactly what is described in the man page - it sets the x bit because the file “already has execute permission for some user”.

Do you have link to a project release notes, NEWS, README, commit or anything that proves it?

The quote with the link at the top in the first comment at the top of the chain is just what you’re asking for. For further proof: https://linux.die.net/man/1/setfacl You can ctrl+f for “execute only if the file is a directory”.

Your claim was that in the “current” version of setfacl the X is only applied to directories, not files. Your “proof link” says exactly the opposite. At which point I give up.

“execute only if the file is a directory”

How does “execute only if directory” mean the exact opposite?

You stubbornly ignore the second part of this sentence. Which you yourself quoted, so it is not that you are not even aware of it.

only if the file is + compound logical statement

The compound statement is “A (directory) or B (has execute permission)” here, so it works as it is supposed to.
(note on “file” concept in unix: anything exposed through the filesystem name space is called a file, it can be ordinary files, directories, pipes, sockets, etc.)

However, in everyday speech a phrase like “set x bit recursively” usually means don’t touch ordinary files without x.
In these cases X (execute/search) is comfy, for example

% tree -p         
[drwx------]  .
└── [drwx------]  dir
    ├── [-rwx------]  app
    ├── [-rw-------]  file
    └── [drwx------]  subdir

% chmod -R a+rX . 
% tree -p        
[drwxr-xr-x]  .
└── [drwxr-xr-x]  dir
    ├── [-rwxr-xr-x]  app
    ├── [-rw-r--r--]  file
    └── [drwxr-xr-x]  subdir

% chmod -R go-rX .
% tree -p         
[drwx------]  .
└── [drwx------]  dir
    ├── [-rwx------]  app
    ├── [-rw-------]  file
    └── [drwx------]  subdir
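As an added, runnable version of the walk-through above (this is not code from the thread; the function names and the constructed tree are assumptions for the demo), the script builds the same three-entry tree, applies capital X recursively with chmod, reverts it, and finally runs the original poster’s setfacl command when the acl tools are installed. The point it makes checkable is the second half of the man-page sentence: the plain data file never gains an x bit, while the already-executable script and the directories do.

```shell
#!/bin/sh
# Added example, not code from the thread: build the little tree shown with
# "tree -p" above, apply capital X recursively, and read the modes back.
# The tree, its contents and the function names are constructed for this demo;
# the chmod/setfacl invocations are the ones discussed in the thread.
set -eu

# mode_of PATH -> the 10-character type+mode field from ls -ld, e.g. -rwxr-x---
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# make_tree ROOT -> ROOT/dir/{app,file,subdir}, starting modes as in the post:
# directories and the script are 0700, the plain data file is 0600.
make_tree() {
    mkdir -p "$1/dir/subdir"
    printf '#!/bin/sh\necho hi\n' > "$1/dir/app"
    printf 'constructed sample data\n' > "$1/dir/file"
    chmod 700 "$1" "$1/dir" "$1/dir/subdir" "$1/dir/app"
    chmod 600 "$1/dir/file"
}

# open_with_X ROOT -> chmod -R a+rX: x is added only where the entry is a
# directory or already has an x bit for someone, so "file" stays non-executable.
open_with_X() {
    chmod -R a+rX "$1"
}

# close_with_X ROOT -> chmod -R go-rX: the mirror image; x is removed from
# group/other only where X applies, so "file" loses only r.
close_with_X() {
    chmod -R go-rX "$1"
}

# acl_with_X ROOT -> the original poster's setfacl form. Skipped when the acl
# tools are absent. On an entry with no extended ACL, g::rX edits the group
# bits of the ordinary mode, which is why the change was visible in ls -l.
acl_with_X() {
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed, skipping"; return 0; }
    setfacl -R -m g::rX,o::- "$1"
}

# show ROOT -> print "relative-path mode" for every entry in the tree
show() {
    for p in . dir dir/app dir/file dir/subdir; do
        printf '%-10s %s\n' "$p" "$(mode_of "$1/$p")"
    done
}

demo() {
    root=$(mktemp -d)
    make_tree "$root"
    echo "== initial";                        show "$root"
    open_with_X "$root"
    echo "== after chmod -R a+rX";            show "$root"
    close_with_X "$root"
    echo "== after chmod -R go-rX";           show "$root"
    acl_with_X "$root"
    echo "== after setfacl -R -m g::rX,o::-"; show "$root"
    rm -rf "$root"
}

demo
```

Run it as an unprivileged user in any writable directory; no real data is touched. After the setfacl step (when available) you should see exactly the poster’s later result: directories and the script at 750, the data file at 640, others at nothing.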

Oh I see! Thanks for clarifying. It does work as intended. If I change

sudo ls -l
total 716
-rwxr----- 1 root root 78223 Jul 31 19:29 2024-07-19_:SPX.parquet
-rwxr----- 1 root root 77557 Jul 31 19:29 2024-07-22_:SPX.parquet
-rwxr----- 1 root root 83292 Jul 31 19:29 2024-07-23_:SPX.parquet
-rwxr----- 1 root root 77592 Jul 31 19:29 2024-07-24_:SPX.parquet
-rwxr----- 1 root root 78027 Jul 31 19:29 2024-07-25_:SPX.parquet
-rwxr----- 1 root root 78212 Jul 31 19:29 2024-07-26_:SPX.parquet
-rwxr----- 1 root root 78788 Jul 31 19:29 2024-07-29_:SPX.parquet
-rwxr----- 1 root root 83943 Jul 31 19:29 2024-07-30_:SPX.parquet
-rwxr----- 1 root root 77800 Jul 31 19:29 2024-07-31_:SPX.parquet

To:

sudo ls -l
total 716
-rw------- 1 root root 78223 Jul 31 19:29 2024-07-19_:SPX.parquet
-rw------- 1 root root 77557 Jul 31 19:29 2024-07-22_:SPX.parquet
-rw------- 1 root root 83292 Jul 31 19:29 2024-07-23_:SPX.parquet
-rw------- 1 root root 77592 Jul 31 19:29 2024-07-24_:SPX.parquet
-rw------- 1 root root 78027 Jul 31 19:29 2024-07-25_:SPX.parquet
-rw------- 1 root root 78212 Jul 31 19:29 2024-07-26_:SPX.parquet
-rw------- 1 root root 78788 Jul 31 19:29 2024-07-29_:SPX.parquet
-rw------- 1 root root 83943 Jul 31 19:29 2024-07-30_:SPX.parquet
-rw------- 1 root root 77800 Jul 31 19:29 2024-07-31_:SPX.parquet

Then I run sudo setfacl -R -m g::rX,o::- /var/lib/docker/

sudo ls -l
total 716
-rw-r----- 1 root root 78223 Jul 31 19:29 2024-07-19_:SPX.parquet
-rw-r----- 1 root root 77557 Jul 31 19:29 2024-07-22_:SPX.parquet
-rw-r----- 1 root root 83292 Jul 31 19:29 2024-07-23_:SPX.parquet
-rw-r----- 1 root root 77592 Jul 31 19:29 2024-07-24_:SPX.parquet
-rw-r----- 1 root root 78027 Jul 31 19:29 2024-07-25_:SPX.parquet
-rw-r----- 1 root root 78212 Jul 31 19:29 2024-07-26_:SPX.parquet
-rw-r----- 1 root root 78788 Jul 31 19:29 2024-07-29_:SPX.parquet
-rw-r----- 1 root root 83943 Jul 31 19:29 2024-07-30_:SPX.parquet
-rw-r----- 1 root root 77800 Jul 31 19:29 2024-07-31_:SPX.parquet

No more +x!

I interpreted “or already has execute permission for some user” as “or already has execute permission”, as in, don’t remove +x if it already exists, missing the user part at the end of the sentence.

It does work as intended. The man page on my machine doesn’t line up with the man pages online, so from that I assumed it lacked the feature.

I hope I haven’t been too much of a burden for you guys. Thanks for helping out.


Welcome

Sometimes those pages are written as if for robots, with no practical examples, and I can also often misread something, but testing it out makes it a bit clearer.
