[RHEL 7] Can't apply ACL on RHEL 7

[mdeguzis]

Given this example below for RHEL 7, I am unsure what is causing this invalid argument. I am using pylibacl.x86_64 0.5.1-4.el7.

getfacl /home/mdeguzis/test.txt
# file: test.txt
# owner: mdeguzis
# group: mdeguzis
user::rwx
group::rw
other::r--

Test

python
>>> import posix1e
>>> b = posix1e.ACL(text="u:user2:rwx,g:group2:r,o::-")
>>>b
<posix1e.ACL object at 0x7fe6fe8bc290>
>>> b.applyto("/home/mdeguzis/test.txt")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
IOError: [Errno 22] Invalid argument

[mdeguzis]

This must be due to the format of the acl text I am feeding it, as your example in the docs works

Works:

b = posix1e.ACL(text="u::rx,g::-,o::-")

print b
user::r-x
group::---
other::---

Does not work

b = posix1e.ACL(text="u:user_prod:rwx,g:user_prod::rwx,o::-")

print b
user:user_prod:rwx
group:user_prod:rwx
other::rwx

[mdeguzis]

This is an example of what the module expects as valid. Please add this to your Sphinx documentation as an example for user/group modification and add a section / modify one to include an explanation.

>>> b = posix1e.ACL(text="u::rwx,g::-,o::-,m::rwx,u:user1:rwx")
>>> b.valid()
True
>>> b.applyto("/home/user1/file.txt")

It seems the mask is required when specifying entries for specific users. It's expected to be after 'others'.

[iustin]

Technically speaking, it is not what my module supports/expects, but what the system accepts. setfacl does an automatic recalculation of the mask (unless one prevents it via --no-mask/-n) if missing.

Not sure whether it's a good idea to document the specific OS behaviour in this package's documentation; at most, to add a note that the effective behaviour needs to match what the system expects.

[mdeguzis]

understood. is the documentation back up now?

[tirolerstefan]

Searched for the same solution to set a default permission for a group only. Thanks for this thread, otherwise I wouldn't have a chance to find out how to do this!