Article ID: 117577, created on Sep 30, 2013, last review on Apr 29, 2014

Applies to:
  • Virtuozzo containers for Linux

Symptoms

ACL permissions behave incorrectly inside a container based on the VZFS filesystem. By default, the umask should not be applied if the parent directory already has an ACL set, but inside a container it is applied anyway. See the examples below.

Correct behaviour:

node# mkdir /vz/acltest
node# cd /vz/acltest
node# setfacl -dm u::rwx,g::rwx,o::rwx,m::rwx .
node# umask 000 && mkdir test000
node# umask 077 && mkdir test077
node# getfacl test*
# file: test000
# owner: root
# group: root
user::rwx
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx

# file: test077
# owner: root
# group: root
user::rwx
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx

Wrong behaviour inside container:

ct# mkdir /acltest
ct# cd /acltest
ct# setfacl -dm u::rwx,g::rwx,o::rwx,m::rwx .
ct# umask 000 && mkdir test000
ct# umask 077 && mkdir test077
ct# getfacl test*
# file: test000
# owner: root
# group: root
user::rwx
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx

# file: test077
# owner: root
# group: root
user::rwx
group::rwx          #effective:---
mask::---
other::---
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx

Cause

This is a product issue with ID PCLIN-31394.

Resolution

The issue is fixed in the latest update for PVC 4.7, so just update your software with the vzup2date utility.

For previous versions there is a workaround: you can change the default umask to comply with the default ACL settings required in the container.

NOTE: this issue affects the VZFS filesystem only; it does not occur with the ploop filesystem.
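
To find directories that were already created with the narrowed mask, the following added example (not part of the original article or of the product) reads getfacl output and prints every file whose access entries differ from its own default: entries. It assumes the directories were created with mkdir's default mode and that their ACLs were not changed afterwards; the function names are hypothetical.

```sh
# Added example (not from the article). Reads `getfacl` output on stdin and
# prints each file whose access entries differ from its own default: entries.
acl_umask_mismatch() {
    awk '
        function flush(   k, bad) {
            if (file != "" && ndef > 0) {
                for (k in def) if (acc[k] != def[k]) bad = 1
                if (bad) print file
            }
            split("", acc); split("", def); ndef = 0
        }
        /^# file: / { flush(); file = substr($0, 9); next }
        /^#/ || /^[ \t]*$/ { next }          # other headers, blank lines
        {
            line = $0
            sub(/[ \t]*#.*$/, "", line)      # strip "#effective:---" notes
            isdef = sub(/^default:/, "", line)
            if (split(line, f, ":") != 3) next   # tag:qualifier:perms
            key = f[1] ":" f[2]
            if (isdef) { def[key] = f[3]; ndef++ } else acc[key] = f[3]
        }
        END { flush() }
    '
}
# Abridged copy of the container listing shown in the article.
sample_ct_output() {
    cat <<'EOF'
# file: test000
user::rwx
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx

# file: test077
user::rwx
group::rwx          #effective:---
mask::---
other::---
default:user::rwx
default:group::rwx
default:mask::rwx
default:other::rwx
EOF
}
sample_ct_output | acl_umask_mismatch
```

On a live container the same function can be fed with `getfacl -R /acltest | acl_umask_mismatch`; entries without default: lines (regular files) are skipped.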
