whyno acl check

layer 5: posix.1e acl evaluation — userobj, named user, group, other with mask

system rust permissions linux security

components

  • process check_acl(state)

    posix.1e acl evaluation: userobj, named user, group, other with mask

    posix_acl_permission (fs/posix_acl.c)
  • decision operation?

    stat and metadata ops need no acl check, delete/create evaluate parent, others evaluate target

  • pass pass: no acl check

    stat and metadata operations bypass acl evaluation entirely

  • process evaluate parent acl

    delete and create evaluate the parent directory's acl

  • process evaluate target acl

    read, write, and execute evaluate the target's acl

  • decision acl probed?

    checks if the acl was successfully read via getxattr

  • degraded degraded

    acl data returned unknown or inaccessible — cannot evaluate

  • decision extended entries exist?

    checks if the acl has entries beyond the base three (user, group, other)

  • pass pass: base acl only

    no extended acl entries — dac layer already covered base permissions

  • decision stat available?

    stat data needed to determine file ownership for acl evaluation

  • degraded degraded

    cannot evaluate acl without stat data

  • process posix.1e evaluation

    runs the full posix.1e acl matching algorithm in priority order

  • decision uid == file owner?

    first acl check: does the subject match the file owner?

  • decision userobj grants needed?

    checks if the userobj acl entry grants the requested permission

  • pass pass: userobj

    file owner is granted permission by the userobj entry

  • fail fail: userobj denies

    file owner is explicitly denied by the userobj entry

  • decision named user match?

    checks if the subject matches any named user acl entry

  • decision effective perms grant needed?

    named user permission is masked with the acl mask entry

  • pass pass: named user

    named user entry grants permission after masking

  • fail fail: named user denies

    named user entry does not grant permission after masking

  • decision any group match?

    checks owning group and all named group entries in the acl

  • decision best group effective grants?

    uses the most permissive matching group entry, masked with acl mask

  • pass pass: group match

    a matching group entry grants permission after masking

  • fail fail: group denies

    no matching group entry grants permission after masking

  • decision other grants needed?

    fallback: checks the other acl entry

  • pass pass: other

    other entry grants the requested permission

  • fail fail: other denies

    other entry does not grant the requested permission
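
the priority-order matching described above, as an added rust sketch (not whyno's own code). the `Acl` and `Verdict` types, `check_acl` signature, and sample uids/gids are assumptions made for illustration; it shows that the first matching class decides, so a denied owner or group member never falls through to a more permissive `other` entry.

```rust
// added illustration: hypothetical types and names, not whyno's own code
const R: u8 = 4;
const W: u8 = 2;

#[derive(Debug, PartialEq)]
enum Verdict { Pass(&'static str), Fail(&'static str) }

struct Acl {
    user_obj: u8,
    users: Vec<(u32, u8)>,  // named user entries: (uid, perms)
    group_obj: u8,
    groups: Vec<(u32, u8)>, // named group entries: (gid, perms)
    mask: u8,               // present whenever extended entries exist
    other: u8,
}

fn check_acl(acl: &Acl, owner: u32, owning_gid: u32, uid: u32, gids: &[u32], want: u8) -> Verdict {
    let verdict = |perm: u8, who: &'static str| {
        if perm & want == want { Verdict::Pass(who) } else { Verdict::Fail(who) }
    };
    // 1. file owner: userobj decides, unmasked, no fall-through on denial
    if uid == owner {
        return verdict(acl.user_obj, "userobj");
    }
    // 2. named user: the matching entry decides after masking
    if let Some(&(_, p)) = acl.users.iter().find(|e| e.0 == uid) {
        return verdict(p & acl.mask, "named user");
    }
    // 3. owning group plus named groups: one matching entry must grant after masking
    let mut matched = std::iter::once((owning_gid, acl.group_obj))
        .chain(acl.groups.iter().copied())
        .filter(|e| gids.contains(&e.0))
        .map(|e| e.1 & acl.mask)
        .peekable();
    if matched.peek().is_some() {
        return verdict(matched.find(|p| p & want == want).unwrap_or(0), "group");
    }
    // 4. nothing matched: the other entry decides
    verdict(acl.other, "other")
}

// constructed sample: user::r--, user:1001:rw-, group::r--, group:2000:rw-, mask::r--, other::rw-
fn sample_acl() -> Acl {
    Acl { user_obj: R, users: vec![(1001, R | W)], group_obj: R,
          groups: vec![(2000, R | W)], mask: R, other: R | W }
}

fn main() { // file owned by uid 1000, gid 100; subject uid 1002 in gid 2000 wants write
    println!("{:?}", check_acl(&sample_acl(), 1000, 100, 1002, &[2000], W));
}
```
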