/bin/chmod: Setting/Removing of ACL-Directives on Symbolic Links Unsupported

Originator:daniel
Number:rdar://8806385 Date Originated:26-Dec-2010 06:51 PM
Status:open Resolved:
Product:Mac OS X Product Version:10.6.5
Classification:Security Reproducible:always
 
Summary:
On the command-line, it is impossible to set or remove ACL-entries on a symbolic link (symlink).
This can become a problem if you have a directory with additional ACL-entries and apply the permissions of this directory to its contents through the "Get Info"-panel: If there are symlinks within this directory, this ACL is applied to them as well, and it _cannot be removed_ through normal means later.

Steps to Reproduce:
0. Assume you are logged into the account "someuser" and there exists an account "someotheruser" as well
(In the shell:)
1. mkdir /tmp/acl_symlink_test && cd /tmp/acl_symlink_test
2. touch testfile && ln -s testfile link_to_file
3. chmod +a "someotheruser allow write" .
4. open /tmp
(In the Finder:)
5. select the "acl_symlink_test" folder and "Get Info"
6. authenticate as an admin-user and select the apply-to-all-subfolders-option from the gear-menu
(back in the shell:)
7. chmod -h -a# 0 /tmp/acl_symlink_test/link_to_file
8. ls -le /tmp/acl_symlink_test

Expected Results:
Step 8. outputs something like:
    total 8
    lrwxr-xr-x+ 1 someuser  wheel  8 26 Dez 18:12 link_to_file -> testfile
    -rw-r--r--  1 someuser  wheel  0 26 Dez 18:12 testfile
     0: user:someotheruser allow write
(I.e. the ACL is removed from the *symlink itself*.)

Actual Results:
Step 8. outputs something like:
    total 8
    lrwxr-xr-x+ 1 someuser  wheel  8 26 Dez 18:12 link_to_file -> testfile
     0: user:someotheruser allow write
    -rw-r--r--  1 someuser  wheel  0 26 Dez 18:12 testfile
(I.e. the "-h" option is ignored and instead of the symlink, the *link-target* is modified.)

Regression:
Unknown, but the age of [1] suggests that it dates back to whichever version of 10.5 was current in early 2009.
Actually, it seems like the underlying issue is even older, as the discussion [2] suggests (which dates back to 2008).

Notes:
According to [1] this is a known bug already filed under rdar://problem/6264303 some 20 months ago and marked as a duplicate of rdar://problem/5684438.
The author of [1] — back then — was kind enough to post a patch for chmod, which can be found under [3].

[1] http://0xced.blogspot.com/2009/03/chmod-acl-and-symbolic-links_23.html
[2] http://discussions.apple.com/thread.jspa?threadID=1440377&start=0&tstart=0
[3] http://pitaya.ch/radar/6264303/chmod.patch
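
To find symlinks in a tree that already carry such an ACL, the `ls -le` listing can be scanned for ACL entry lines that directly follow a symlink entry. The script below is an added example, not part of the original report or of the patch in [3]; the function name and the sample listings are constructed here, and it assumes the eight-column layout before the file name shown in the listings above. It keys on the ACL entry lines rather than on the trailing `+`, because `ls` prints `@` instead when the entry also has extended attributes.

```shell
#!/bin/sh
# Added example: read `ls -le` output on stdin and print the name of every
# symlink that carries ACL entries of its own.
symlinks_with_acl() {
  awk '
    # An ACL entry line (" 0: user:... allow ...") belongs to the entry above it.
    /^[ \t]*[0-9]+: / { if (link != "") { print link; link = "" }; next }
    # Any other line starts a new entry, so forget the previous one.
    { link = "" }
    # Symlink entry: drop mode, links, owner, group, size, day, month, time.
    /^[ \t]*l/ {
      line = $0
      sub(/^[ \t]+/, "", line)
      for (i = 0; i < 8; i++) sub(/^[^ \t]+[ \t]+/, "", line)
      sub(/ -> .*$/, "", line)   # keep the link name, drop the target
      link = line
    }
  '
}

# Constructed sample: the listing from "Actual Results" (ACL still on the link).
sample_actual() {
  cat <<'EOF'
total 8
lrwxr-xr-x+ 1 someuser  wheel  8 26 Dez 18:12 link_to_file -> testfile
 0: user:someotheruser allow write
-rw-r--r--  1 someuser  wheel  0 26 Dez 18:12 testfile
EOF
}

# Constructed sample: the listing from "Expected Results" (ACL on the target).
sample_expected() {
  cat <<'EOF'
total 8
lrwxr-xr-x+ 1 someuser  wheel  8 26 Dez 18:12 link_to_file -> testfile
-rw-r--r--  1 someuser  wheel  0 26 Dez 18:12 testfile
 0: user:someotheruser allow write
EOF
}

sample_actual | symlinks_with_acl
```

On an affected system the function would be fed real output, for example `ls -le /tmp/acl_symlink_test | symlinks_with_acl`.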
