phing icon indicating copy to clipboard operation
phing copied to clipboard

Published 20 hours ago verified publisher icon phingofficial

DeleteTask not working with ACLs

Open ogmueller opened this issue 5 years ago • 8 comments

We are using file access control lists (ACLs) on our Linux systems because otherwise, we are not able to delete web server created files (e.g. caches or session files) with a non-root CLI script.

Example: we use setfacl on our cache directory like setfacl -R -m u:www-data:rwX -m u:some-user:rwX cache

If the web server (www-data) is creating files in that folder, it looks like this

$ ll cache/
total 556
drwxrwxrwx+ 1 www-data www-data 11026 Jul  3 09:37 ./
drwxrwxrwx+ 1 www-data www-data    16 Jul  3 09:18 ../
-rw-------+ 1 www-data www-data   796 Jul  3 08:52 some_file

or with getfacl cache/some_file like this

$ getfacl cache/some_file
# file: some_file
# owner: www-data
# group: www-data
user::rw-
user:www-data:rwx		#effective:---
user:some-user:rwx		#effective:---
group::rwx			#effective:---
mask::---
other::---

Currently those files cannot be delete using DeleteTask like

<delete includeemptydirs="true">
  <fileset dir="cache/">
    <include name="**/*" />
  </fileset>
</delete>

even though some-user is able to delete those files on the console. The only unusual thing is just, that the console is confirming the removal, if rm is used without -f option

$ rm cache/some_file
rm: remove write-protected regular file 'cache/some_file'?

Alternatively you could also use rm -f cache/some_file to aviod the confirmation and the file is removed immediately.

Would it be possible to enable DeleteTask to delete ACLs (unprotected) files as well? Maybe with an attribute to "force" the delete? (force = true, default = false)

ogmueller avatar Jul 03 '19 12:07 ogmueller

@ogmueller I like your idea and we should support acl on other tasks (i.e. mkdir task) as well, but we also have to respect windows support. Any ideas?

siad007 avatar Aug 10 '19 09:08 siad007

I would like to help, but I have no Windows server at my disposal nor deep knowledge about this topic. As far as I know Windows is using icacls, which are an equivalent to *nix ACLs.

There is a github project dealing with windows permissions (https://github.com/stevebauman/WinPerm)

ogmueller avatar Aug 15 '19 08:08 ogmueller

@ogmueller: What is the output of getfacl cache? When deleting a file, you actually need a write permission for the directory in which the file is stored. Missing write permissions for the file itself only causes rm command to ask if you really want to delete the file. But unlink() PHP function does not care about the permissions of the file itself.

sustmi avatar Oct 01 '19 16:10 sustmi

Also, please note that you should look at "effective" permissions. Those are the permissions that are actually checked. In your example, the file cache/some_file has ACLs:

user:some-user:rwx		#effective:---
mask::---

This says that user some-user has assigned rwx but because all of these permissions are masked, the effective permissions are none.

If you look into the manpage of acl you can see that:

If the ACL has an ACL_MASK entry, the group permissions correspond to the permissions of the ACL_MASK entry.

What this says is that when you use ACLs, the mask is equal to the standard pemissions for the group. That means, that you can set the mask to rwx either by: setfacl -m mask:rwx some_file or chmod g=rwx some_file

The problem comes when some code is unaware of existence of ACLs and changes group permissions which actually changes the mask and also the effective permissions of ACLs.

sustmi avatar Oct 01 '19 16:10 sustmi 

$ getfacl cache/

# file: cache/
# owner: jenkins
# group: jenkins
user::rwx
user:www-data:rwx
user:jenkins:rwx
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:user:www-data:rwx
default:user:jenkins:rwx
default:group::rwx
default:mask::rwx
default:other::rwx

ogmueller avatar Oct 06 '19 14:10 ogmueller

Sorry for not responding earlier. So in this situation (I am referring to the output of getfacl cache/ command) you cannot delete a file inside the cache directory using:

<delete includeemptydirs="true">
  <fileset dir="cache/">
    <include name="**/*" />
  </fileset>
</delete>

?

Under what user do you run Phing?

I have just created a cache directory as root:

$ sudo mkdir cache
$ sudo setfacl -m u:myuser:rwX -m default:u:myuser:rwX cache/
$ getfacl cache/
# file: cache/
# owner: root
# group: root
user::rwx
user:myuser:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:myuser:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

Then I created a file inside this directory - still as root:

$ sudo touch cache/test
$ getfacl cache/test 
# file: cache/test
# owner: root
# group: root
user::rw-
user:mirek:rwx			#effective:rw-
group::r-x			#effective:r--
mask::rw-
other::r--

When I run a target containing the above <delete> task, it works:

Buildfile: /path-to-my-project/build.xml
 [property] Loading /path-to-my-project/build/build.local.properties

My Project > mytarget:

   [delete] Deleting 1 files from cache

BUILD FINISHED

Total time: 0.0920 seconds

And the file gets deleted:

ls -la cache/
celkem 16
drwxrwxr-x+  2 root root 4096 15. lis 12.00 .
drwxrwxr-x+ 19 root root 4096 15. lis 11.55 ..

I can even zero the mask before deleting the file and Phing still deletes it:

setfacl mask::0 cache/test

What is your output/error when you run the Phing task? And what files are left not deleted (what permissions do they have)?

sustmi avatar Nov 15 '19 11:11 sustmi

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar May 13 '20 12:05 stale[bot]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jan 09 '22 06:01 stale[bot]