
This is the question I faced in an interview as a system administrator.

If we didn't set the mask value, what is the default value of mask?

I was thinking that if we didn't set the mask, it should be rwx, right?

For example:

> touch testfile
> getfacl testfile
# file: testfile
# owner: chenicha
# group: csgrad
user::rw-
group::r--
other::r--

Even though it doesn't state the status of the mask, I assume it should be rwx, right?

rj487
  • BTW, since this question involves information security and Linux, I am not sure this is the correct place to ask. – rj487 Oct 13 '18 at 20:08
  • If a child process (like a shell) is created, the umask is inherited from the parent process. And many shell profiles set the umask. So what umask you have if you don't explicitly set one depends on your current context and maybe also the specific setup of your system (which might depend on the vendor or your local administrator). Maybe your question is missing context to answer? – Steffen Ullrich Oct 13 '18 at 20:21
  • Yeah, I am actually not familiar with all of the steps. That makes the interview a little bit awkward. So the default mask will be determined by the current user who creates the file? – rj487 Oct 13 '18 at 20:37
  • The current umask depends on the environment of the user. It is often set in the rc files when logging in. For example, normal users often have a umask of 002 set in their shell so that the data can be shared within the group. System users instead often have the more restrictive 022. But the systems might also be set up differently. – Steffen Ullrich Oct 13 '18 at 20:43
  • How about you answer the question and give some examples? I will pick you as the best answer. – rj487 Oct 14 '18 at 02:28

1 Answer

If you don't apply any kind of ACL then there will be no need for a mask. According to this,

The mask entry is automatically created when needed but not provided.

And according to this if you use minimal ACL then no mask will be added.

[arif@arif blabla]$ ls -ldha .
drwxrwxr-x. 2 arif arif 4.0K Oct 17 06:13 .
[arif@arif blabla]$ getfacl --omit-header .
user::rwx
group::rwx
other::r-x

[arif@arif blabla]$ chmod g-wx .
[arif@arif blabla]$ getfacl --omit-header .
user::rwx
group::r--
other::r-x

[arif@arif blabla]$ setfacl -m g::rw .
[arif@arif blabla]$ getfacl --omit-header .
user::rwx
group::rw-
other::r--

According to this,

Extended ACLs also contain a mask entry and may contain any number of named user and named group entries.

So now, we will use an extended ACL, which results in the group class permissions being mapped to the mask entry, because as mentioned here,

In minimal ACLs, the group class permissions are identical to the owning group permissions. In extended ACLs, the group class may contain entries for additional users or groups. This results in a problem: some of these additional entries may contain permissions that are not contained in the owning group entry, so the owning group entry permissions may differ from the group class permissions.

This problem is solved by the virtue of the mask entry. With minimal ACLs, the group class permissions map to the owning group entry permissions. With extended ACLs, the group class permissions map to the mask entry permissions, whereas the owning group entry still defines the owning group permissions.

[arif@arif blabla]$ setfacl -m g:wheel:rw .
[arif@arif blabla]$ getfacl --omit-header .
user::rwx
group::rw-
group:wheel:rw-
mask::rw-
other::r--

Here, you can see that the value of the group class permission is mapped to the mask without defining any specific mask. And this mapping approach ensures the smooth interaction of applications, regardless of whether they have ACL support. The reason for using the group class permission bits as the mask is described in the TRUSIX documentation as follows,

The file group class permission bits are the preferred masking field, even though they encourage permissive default access by the owning group. This choice must be made because the use of the file owner class would cause compatibility problems in programs which attempt to establish "owner-only" access, whereas the designation of the file other class could leave objects open to attack were an ACL removed or never present. An additional option of masking user entries with the file owner class permission bits and group entries with the file group class permission bits has the same disadvantages as masking against only the file owner class.

So I believe you could have said that the default value of the mask is the same as the group class permission value.

arif
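The two rules the answer walks through (the group class shown by `ls -l` is the owning group entry in a minimal ACL and the mask entry in an extended one; a mask that was never written is computed from the group-class entries) can be checked offline on the `getfacl --omit-header` listings quoted above. The following is an added example, not code from the original post; it assumes the `tag:qualifier:perms` line format getfacl prints, and it goes one step beyond the answer's listings with a constructed case where a named user holds more rights than the owning group, so the computed mask is the union of all group-class entries (the acl_calc_mask(3) rule setfacl applies unless `-n` is given), not just the owning group's bits.

```python
# Added example (not from the original post); assumes getfacl's tag:qualifier:perms format.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def parse_perms(s):
    """'rw-' -> 6; also accepts the short 'rw' form used on setfacl's command line."""
    return sum(PERM_BITS[c] for c in s if c in PERM_BITS)

def fmt_perms(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

def parse_getfacl(text):
    """Lines of tag:qualifier:perms -> list of (tag, qualifier, bits)."""
    acl = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()  # drop '#effective:' annotations
        if line:
            tag, qual, perms = line.split(":")
            acl.append((tag, qual, parse_perms(perms)))
    return acl

def in_group_class(tag, qual):
    """Owning group, named users and named groups: the entries the mask limits."""
    return tag == "group" or (tag == "user" and qual != "")

def is_extended(acl):
    """Minimal ACL = exactly user::, group::, other::; anything more is extended."""
    return any(q != "" or t == "mask" for t, q, _ in acl)

def calc_mask(acl):
    """Mask setfacl computes when none is given: the union of every group-class entry."""
    bits = 0
    for t, q, p in acl:
        if in_group_class(t, q):
            bits |= p
    return bits

def group_class_bits(acl):
    """Group triplet ls -l shows: mask:: if present, else the computed mask (= group:: when minimal)."""
    return next((p for t, _, p in acl if t == "mask"), calc_mask(acl))

def effective(acl):
    """Effective rights: group-class entries are ANDed with the mask."""
    m = group_class_bits(acl)
    return {f"{t}:{q}:": fmt_perms(p & m if in_group_class(t, q) else p) for t, q, p in acl}

# Samples: the two listings quoted in the answer, plus a constructed case (no mask:: written yet).
MINIMAL = "user::rwx\ngroup::rwx\nother::r-x"
EXTENDED = "user::rwx\ngroup::rw-\ngroup:wheel:rw-\nmask::rw-\nother::r--"
CONSTRUCTED = "user::rwx\ngroup::r--\nuser:alice:rwx\nother::r--"
```

Because `chmod` and `ls -l` operate on the group class, a `chmod g-w` on a file that carries an extended ACL lowers `mask::` rather than `group::`, and `effective()` on such a listing shows the named entries shrinking with it.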