ACL Bug?

We have the following problem:
For the past few days we have not been able to set the AccessLevels for ACLs.
For example:
I create a Folder: /testfolder
My standard-ACL is Published.
Now I want to change that ACL to public.
Everywhere I look, the ACL seems to be changed to public (WebUI, IfsManager, etc...)
But I am not able to put anything in that folder with another user.
Another example:
I create my own ACL with one User (me).
I apply that ACL to a folder called /testfolder.
Of course nobody other than me can see that folder.
Now I edit the ACL and add another user to that ACL. Everything seems okay. I can see the added User in the IfsManager. But this user is still not able to see that folder.
I am sure that I'm doing everything right, because it had worked a few days ago.
I have another system, where IFS is running. There the same procedure works fine.
Where is the problem? Do I have too many ACLs? About 100. I think this is a very nasty bug in IFS.
I need a quick answer, because we are going to sell our system to another customer.
HELP!

On page 7 of the iFS Solaris 1.1 Release Notes (http://technet.oracle.com/docs/products/ifs/doc_library/ifs_1_1/Release%20Notes/A75158_05.pdf), there is a discussion of bug #1369729, which sounds similar to your issue.
Let us know if that isn't the issue.

Similar Messages

  • Finder's Nasty Inherited ACL Bug (aka Error -41)

    CNET, MacFixit, and a few other technical blogs recently reported on an apparent ACL issue which seems to have existed in OS X Snow Leopard since OS X 10.6.0, but has gotten particularly bad in OS X 10.6.5, 10.6.6, and 10.6.7 (both client and server versions). The symptom is that when inherited ACLs are present in an OS X 10.6.x system, it's possible to overflow the ACLs with "crud" (unwarranted extraneous ACEs) by performing simple copy / clone operations in the Finder, AppleScript and other "Finder-like" programs that can eventually overflow the 128 entry limit per ACL.
    In reading the original poster's postings (www.brunerd.com/blog/2011/03/22/finders-nasty-inherited-acl-bug-aka-error-41/ and openradar.appspot.com/9160099) I got really worried about our production OS X servers, but after some experimentation discovered a happy accident: it’s quite easy to overflow ACLs when performing repeated copy or duplicate operations on folder hierarchies on locally attached filesystems (whether attached on a client or server), but in actuality it's much harder to make that happen with AFP-mounted filesystems having to do with a slower growth curve of the "crud" that develops as users copy / duplicate folders.
    Since ACLs tend to be fairly rarely deployed on OS X client systems, you also don't tend to run into the problem (I point out Drop Boxes as a possible exception), but IT administrators can run into this problem quite easily when cloning fairly deep server-side folder hierarchies in the Finder on an OS X Server.
    If your users are encountering "Finder -41" errors when performing seemingly simple operations in the Finder, this type of ACL overflow may be the explanation. You might want to read up on the thread developing at www.brunerd.com/blog/2011/03/22/finders-nasty-inherited-acl-bug-aka-error-41/ for further details.

    This has been an ongoing issue since 10.6.5. See this thread: http://discussions.apple.com/thread.jspa?threadID=2686643&tstart=0
    The only real fix is to downgrade the clients to 10.6.4. What I've been doing is reapplying the ACL's from the server admin tool after each tape rotation. That way I'm not using up extra tapes since NetVault will back up the files again if the ACL has changed. The other thing I have some users doing is opening up the file they want to copy and doing a save as to the destination. That way doesn't seem to duplicate the permissions.

  • Mac OSX Server ACL Bugs

    Hi all
    I've been configuring Mac OSX Servers for a while, but in every configuration I have seen many bugs in Access lists.
    For example, if I put a group in an access list and then I add a user to the group, the ACL is not applied to that user. I have to add it manually to the ACL.
    Is it normal? I've read the whole documentation, but no clues on what makes this happen.
    Also if I put "special" permissions into a folder (for example, anybody DENY delete this folder only) it doesn't work. The permission is the first in the list.
    The effective permissions inspector works with the second try (I drag and drop the same folder two times and different permissions appear).
    Does anybody have issues like these?
    Thank you.

    There's not enough information to provide you with an answer....
    Please post an example of the ACL in use, and the output of an "id" command (available via Terminal.app and the shell) from the errant user; of one of the failing configurations.
    Whether there's a file server involved here can also be a potential factor; are the files involved with the ACLs being served to other hosts by (for instance) AFP or Samba/SMB/CIFS/Windows file server?
    Your forum footer also shows OS X 10.5.8, but there's a tag for 10.6 listed - more recent versions of OS X do tend to work better here - but which OS X version are you working with?

  • ACLs keep coming up in repair permissions

    I run disk utility regularly - now in Lion hundreds of messages keep coming up "ACL was found but not expected", from iChat.app to CoreServices to AppleHDA.kext - Disk Utility reports fixes but obviously does not because the next time the same happens again....
    Any ideas - thanks in advance!

    Has anyone found a more permanent fix than reinstalling OSX?   Reinstalling 7.1 from the USB stick/Internet solved these permission problems for me for about three or four days, but they've started coming back.  I tried PathFinder but according to these it shares the same problem with the Finder: 
    http://openradar.appspot.com/9160099
    http://www.brunerd.com/blog/2011/03/22/finders-nasty-inherited-acl-bug-aka-error-41/

  • Advice about setting up permissions on Lion server for a small office.

    What is the common wisdom and advice about setting up permissions optimally for a small office using OS X Lion Server as a file server?  I thought I had this solved by setting the ACL permissions so that all users and appropriate groups can read and write all files on the server.  This works great until a new file is created.  Then it appears that the POSIX umask kicks in and takes priority over the ACL permissions.  I need to allow group write permissions on all new files.  My options seem to be:
    Make everyone an admin - not great for obvious security reasons
    Change the umask for the whole machine - also security problems, though perhaps fewer than the everyone-an-admin route above
    Write a folder action AppleScript to add group write permission on all new files.  This works fine if you have a static number of folders.  With new folders it has the problem: How do new folders created by non-admin users get this folder action automatically applied to them - some cronjob to hunt down the new folders; an AppleScript folder action that adds a folder action to all new folders (sounds recursively complicated)?
    Have a cron job regularly do something like  `chmod -R 664` on all files.  This will break during those between the cracks times between when someone creates a new file and when the cronjob runs - not ideal.
    Seems like this should be easier which makes me think I'm missing something obvious.
    Any help greatly appreciated.  Thank you in advance!

    Good-heart's advice is certainly your first step, but if you've already done that and still have the problem you've described, you might have the 10.7.3 ACL bug, particularly if your users and groups are in an OD or AD rather than being local accounts on the server. The problem is that ACL's for directory accounts are incorrectly ignored, resulting in POSIX permissions coming into play.
    I've described my workaround for this here;
    https://discussions.apple.com/message/18037703
    I haven't yet tried the other trick I've read about, which is to ensure your Share's data directories are at least one level down on the volume - there is a post here on the Communities that mentions this;
    https://discussions.apple.com/message/18028746
    I seem to remember that this helped with an earlier version of AFP, if using external firewire or usb storage.
    Let us know if you find a fix, it seems a number of people have problems with this.
    Regards,
    Ian

  • Speeding up migration of mailbox data

    I am getting ready to perform a migration of mailbox data from an iMS 5.2 HotFix 1.21 system to a SJS 7u2-7.02 64bit system by using imbackup on the old system and piping through rsh and imsrestore on the new system. I'm trying to get the best performance out of this. I have set noatime on all mailstore partitions and I am using a 128 blocksize but it seems pretty slow to me. The total amount of data I am transferring is ~276GB. The old system has 4 mailstore partition and the new one has a single partition. I am using backup groups as follows:
    groupa=a*
    groupb=b*
    groupc=c*
    etc..
    My plan was to run multiple iterations of the imsbackup/imsrestore at once. In my tests while multiple iterations are running (I've tried 4 so far) I don't see much CPU utilization. RAM usage is fine and there is very little %wio. I'm getting less than 20GB transferred per hour. I would expect to see more and I don't see many resources being used on either system. During my tests I only have the watcher and store daemons running.
    Does anyone have any tips on increasing the performance of this type of migration other than what I am already doing?

    sheger77 wrote:
    I am getting ready to perform a migration of mailbox data from an iMS 5.2 HotFix 1.21 system to a SJS 7u2-7.02 64bit system by using imbackup on the old system and piping through rsh and imsrestore on the new system. I'm trying to get the best performance out of this. I have set noatime on all mailstore partitions and I am using a 128 blocksize but it seems pretty slow to me.
    Have you set "store.dbtmpdir" to a memory mapped file-system on both the iMS5.2 and MS7u2 systems?
    You should also upgrade your MS5.2 system to the latest hotfix (iMS5.2hf2.18) to address two backup related bugs:
    bug #6525771 - "imsbackup does not backup acl"
    bug #6202176 - "imsbackup does not backup user defined flags (keywords)"
    MS7u3 will have a fix for RFE# 6669661 - "imsrestore should cache peruser flag updates" which should help to improve restore performance by reducing DB updates. You may want to wait a month or so for this release to become available.
    My plan was to run multiple iterations of the imsbackup/imsrestore at once. In my tests while multiple iterations are running (I've tried 4 so far) I don't see much CPU utilization. RAM usage is fine and there is very little %wio.
    Do you see much in the way of %b (block on I/O - use "iostat -x"), for example when using the same procedure on my own test systems (iMS5.2 backup => rsh pipe => MS7u2 restore) I see the following:
    extended device statistics
    device    r/s    w/s   kr/s     kw/s  wait  actv  svc_t  %w  %b
    cmdk0     0.7  164.3   22.1  10519.6   0.0   0.9    5.5   0  89
    cmdk1     0.0    9.9    0.0    810.0   3.8   0.5  434.5  24  25
    The bottleneck in this case is "cmdk0" (a virtual disk).
    I'm getting less than 20GB transferred per hour. I would expect to see more and I don't see many resources being used on either system. During my tests I only have the watcher and store daemons running.
    Try also starting the "ens" daemon (./start-msg ens)
    Does anyone have any tips on increasing the performance of this type of migration other than what I am already doing?
    The main bottleneck for this procedure is I/O. If you are performing multiple simultaneous restores make sure they are destined for different LUN's (disks) so you can spread the I/O load as much as possible.
    Regards,
    Shane.

  • ACL problem in 6 and 5.1 sp9? Bug?!

    Hi all gurus:
    I got this problem for several days, and still cannot solve it. Can
    anyone help me?
    My design is to put all my beans and connection pool under one "kbf"
    acl. And "guest" servlet/jsp accesses these beans by using this "kbf"
    account. And it works in 5.1 sp8.
    Then i tried to use sp9. The very first time when jsp is compiling
    by WLS, all the jsps work correctly! After that, immediately click the
    link again, it throws jndi exception. Saying "guest" no permission to
    access "kbf" jndi. But my "guest" actually is a servlet/jsp running
    inside the server.
    So then we tried to use 6 sp2, to see whether we can solve the
    problem. And the funny things come out as follows.
    I just click my URL link in browser, first time everything is fine,
    my data is shown correctly. second time it throws ACL exception ,saying
    guest no right to look up my JDBC pool. Click again, the data comes out
    again. Click again throws same exception. It is a "toggle".
    And, for another jsp page/link, (it gets data from two tables),
    first time both two tables data are shown. Click some other link, then
    come back to click this link, only one table data is shown, then click
    this link again, both are shown. It is also a "toggle", slightly
    different.
    Something really funny going on for this ACL!
    Can anyone in BEA tell me more about this ACL issue? Why always
    nobody cares to answer these ACL questions? Both in ejb group and
    security group?
    Or simply nobody is using ACL in their project?
    Or i missed out something important? or i am abusing ACL?
    Or is it a bug?
    Since we are going to production very soon, i need the solution
    ASAP. Right now i only have two solutions:
    1. stick to 5.1 sp8.
    2. grant "guest" permission to all my beans, connection pool, which
    means no use for the ACL at all.
    Hope someone at least give me an hint. And sorry for the crossing
    post.
    Thanks.
    minjiang

    Thanks a lot!
    The problem is that i cached the ejb homes and connection pool. So now i use
    your first solution, create context everytime, although the performance may be
    slow down.
    But strange, it works in 5.1 sp6-8.
    Thanks again, Dimitri!
    minjiang
    Dimitri Rakitine wrote:
    The security context is associated with thread so, for example:
    in a servlet, you create InitialContext as "user" and save it.
    Next request which will be "guest" anyway.
    So, if you want authentication, you can either
    - create InitialContext everytime
    - use j2ee security so container will do this automatically:
    http://e-docs.bea.com/wls/docs61/webapp/security.html
    Dimitri
    On Fri, 13 Jul 2001, minjiang wrote:
    Hi Dimitri:
    Sorry to mail you directly.
    I have this question for quite some time. And not receive any
    response for my posting, cross posting.
    Do you have any idea why my deployment works on 5.1 sp8, but not on
    sp9 and 6 sp2?
    I noticed bea changed the weblogic.ejb.interal.StatefulEJBObejct,
    and StatefulEJBCache in sp9, and this is part of why my application
    cannot work. (for one facade session bean looking up other beans in
    another acl)
    Another part is i described in the forward posting, for my "guest"
    jsp/servlet cannot access other acl?
    For my understanding, since my facade bean and jsp/servlet only run
    inside the WLS server, so as long as the correct credential is supplied
    while constructing the jndi context, they should be allowed, right? It
    should not be only one credential in one thread, which seems WLS is doing
    now.
    Thanks for help, and any hint or document is appreciated.
    minjiang

  • Bug in Azure CLI client to update ACL

    % azure vm endpoint acl-rule create $AZURE_HOST HTTP 2 deny 0.0.0.0/0
    info: Executing command vm endpoint acl-rule create
    error: cidr part 0 should be a number in the range [1, 32] in paramater <remote-subnet>
    error: vm endpoint acl-rule create command failed
    The 0 CIDR part here is clearly valid, the web UI allows me to add it. Perhaps a bug in the CLI client?

    azure vm endpoint acl-rule create theorem-abeer HTTP 2 deny 0.0.0.0/0
    is the command I used, where theorem-abeer.cloudapp.net is the command I used.
    In case it helps, I'm on Mac OSX, on Azure CLI tool 0.8.10.

  • Bug in ACL creation for SJWS7 ??

    When I try to create a new ACL via the admin GUI, and I specify for an entry :
    "Only the following in the authentication database" where I select 2 groups, then the created entry gives this
    (user = "all" or group = "Internet Team","hdesk")
    So all users are accepted although in the GUI I only specified the groups. I have then to "manually" remove the user="all" and then it works.
    I guess this is a bug in the GUI ? Or am I doing something wrong ?

    This issue's already been resolved in Sun Java System Web Server 7.0 Update 1 release.
    You can download update 1 from the following url:
    http://www.sun.com/download/products.xml?id=467713d6

  • ACL won't work in 10.5.4 is it a bug??

    Using a MacMini with System 10.5.4 as a simple file server for 6 persons doesn't work correctly: I made two groups: work and executive, 6 persons as sharing only (3 with access to work the others access to both groups).
    On the second partition I made the shared folders, giving them the special permissions in System Preferences, Sharing. Everything is ok, but when I make a new document, the permissions are only for the person who made it with a wrong group (usually wheel).
    What's wrong? How can I solve the problem?
    The only solution I found for the moment was to set the flag "Ignore ownership on this volume" with the result that everybody has access to everything (for the moment it is ok, but it was really not the goal!)
    Thanks for help!
    Peter, Berne, Switzerland

    What you describe is a normal behavior for ACLs. When you enable sharing on a folder and give various rights to it to different users/groups in system preferences->sharing, they are only applied to the folder itself, not to any of the new items in it created by various users. If you want to make it different, you need to use inherited ACLs. See this link (http://discussions.apple.com/thread.jspa?messageID=2719139&#2719139) for instructions. Skip step 3 in that link - it's not needed in leopard.
    Finally, the group on newly created files/folders in any folder is always inherited from the group for that folder. It must be wheel in your case for some reason. You can change it to whatever you like with the following terminal command.
    chgrp "group-name" path/to/folder
    Put the name of the group you want to use in the above. The default one is staff but if you created your own group you can use that. To get path/to/folder drag that folder to the terminal window after typing
    chgrp "group-name"
    Make sure there is a space after "group-name"

  • NTP ACL on IOS-XE (4500-X) bugged?

    Hi,
    for obvious reasons the protection of NTP servers exposed to the Internet is currently getting some reinvestigation. On a fresh 4500-X running IOS-XE 03.04.03.SG (aka 151-2.SG3) I encountered that
    access-list 12 permit x.y.z.123
    access-list 12 permit a.b.c.123
    access-list 12 deny   any
    ntp access-group peer 12
    ntp server x.y.z.123
    ntp server a.b.c.123
    will not prevent certain control queries from getting answered by the switch. For instance, ntpq peer list queries (ntpq -p device-ip) from any source still get a reply, even though the deny any ACE counter (and only that) will increment. Legitimate control queries (from the configured sources) will work as well, but increment the appropriate permittive ACE counters. On other switches (non-XE, like 4900M), the exact same configuration works as expected and denies ntpq control queries. Now those queries (there are more than just peer list queries that bypass the ACL on XE, I haven't checked all of them) aren't as dangerous an amplification tool as monlist is, but there still is amplification - and even without amplification, there's at least an information leak, if not a capability for remote control.
    Has anyone else encountered this issue? Is it present in XE generally, or specific to this platform? I don't have much hardware to test against currently
    BTW, the ACL successfully blocks pure time queries, but in the context of NTP amp attacks, they are of least concern.
    BTW^2, adding a pure deny-all ACL to the three other NTP ACL classes makes no difference - they increment counters, but answers still come back.
    TIA,
    Andre.

    I have 6 devices where the ntp access-group is not working:
    5 x ASR1002 - IOS-XE 03.07.03.S 15.2(4)S3
    1 x 4500X-32 - IOS-XE 03.04.02.SG  15.1(2)SG2
    I have a few older ASR1000's running 03.04.05.S IOS-XE 15.1(3)S5, that do not have the problem.
    Open TAC case. No resolution yet.

  • ACL matching for traffic-shape...bug?

    I am using a C6503-E.
    My goal:  create a traffic-shape rule on an interface (in this case g3/7) which will restrict all traffic between two internal addresses (10.0.0.7 and 10.1.0.6) on port 2152 to 128Kbps, and allow all other traffic to pass unfettered.
    I am aware that the 6500 series ACLs are hardware based, and that some counters will not show up in the normal 'show access-list' display.
    I have created an access list which increments when tagged with a 'log' modifier, so i know that it is hit when placed on the interface, but when referenced in a traffic-shape command, the traffic is not shaped.  Unfortunately, the traffic-shape command will not allow the use of the 'log' modifier, so I'm stuck with my imperfect 'the ACL works in this scenario, but not this scenario' method.
    Extended IP access list 195
        10 permit udp host 10.0.0.7 eq 2152 host 10.1.0.6 eq 2152 log (2822 matches)
    interface GigabitEthernet3/7
     ip address 10.2.0.1 255.255.255.252
     no ip redirects
     traffic-shape group 195 128000 7936 7936 1000
                      Acc. Queue Packets   Bytes     Packets   Bytes     Shaping
    I/F               List Depth                     Delayed   Delayed   Active
    Gi3/7               195 0     0         0         0         0         no
    Any ideas on why an ACL wouldn't get hit in a traffic-shape rule, when it clearly gets hit when used strictly for access?
    Thanks!

    Please post your entire QoS config.
    Your access list is just doing matching; it is not doing any setting for your DSCP values.
    Also, I think the Polycom's are IP precedence aware and set their outgoing VC packets to 5.
    Also, matching protocol 46 (RSVP) isn't really going to help - RSVP does not transport application data. It is only used for requesting resources from the network.
    Also, a Cisco search for QoS and Polycom returns this url: http://www.cisco.com/en/US/tech/tk652/tk701/technologies_tech_note09186a0080111c1b.shtml
    -Eric

  • SSL VPN Problem - ACL Parse Error

    Hi there.
    Testing some features in Cisco ASA SSL VPN(Clientless).
    But when I connect to the portal and try to log in, I get the following error. Has anybody seen this before?
    It works if I ADD an ACL to the DAP, but doesn't if there is only a WEBACL applied??
    It also works if I remove my "check" in "ssl-client" box in the global_policy  (Group Policy).
    6|Mar 20 2014|16:45:09|716002|||||Group <global_policy> User <[email protected]> IP <X.X.X.X> WebVPN session terminated: ACL Parse Error.
    7|Mar 20 2014|16:45:09|720041|||||(VPN-Primary) Sending Delete WebVPN Session message user [email protected], IP X.X.X.X to standby unit
    4|Mar 20 2014|16:45:09|716046|||||Group <global_policy> User <[email protected]> IP <X.X.X.X> User ACL <testcustomer_attribute> from AAA dosn't exist on the device, terminating connection.
    7|Mar 20 2014|16:45:09|720041|||||(VPN-Primary) Sending Create ACL List message rule DAP-web-user-E4EAC90F, line 1 to standby unit
    7|Mar 20 2014|16:45:09|720041|||||(VPN-Primary) Sending Create ACL Info message DAP-web-user-E4EAC90F to standby unit
    6|Mar 20 2014|16:45:09|734001|||||DAP: User [email protected], Addr X.X.X.X, Connection Clientless: The following DAP records were selected for this connection: testcustomer_common_dap
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.tunnelgroup = common_tunnelgroup
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.username2 =
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.username1 = [email protected]
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.username = [email protected]
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.grouppolicy = global_policy
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.radius["11"]["1"] = testcustomer_attribute
    6|Mar 20 2014|16:45:09|113008|||||AAA transaction status ACCEPT : user = [email protected]
    6|Mar 20 2014|16:45:09|113009|||||AAA retrieved default group policy (global_policy) for user = [email protected]
    6|Mar 20 2014|16:45:09|113004|||||AAA user authentication Successful : server =  X.X.X.X : user = [email protected]

    If you have implemented SSLVPN i18n then I think you are hitting bug.

  • Problem with cp and ACL default entry for mask

    I am having a problem with the cp command, copying to a directory with default ACL entries.
    I don't think it is creating the ACL's of the resultant files correctly.
    I have two users (let's call them mark and john).
    As john I create a directory and give it ACL privileges to mark, as well as setting defaults to give john writes to anything mark creates.
    john> mkdir for-mark
    john> setfacl -rm 'user:mark:rwx,default:user::rwx,default:user:john:rwx,default:group::r-x,default:mask:rwx,default:other:r-x' for-mark
    john> getfacl for-mark
    # file: for-mark
    # owner: john
    # group: john
    user::rwx
    user:mark:rwx #effective:rwx
    group::r-x #effective:r-x
    mask:rwx
    other:r-x
    default:user::rwx
    default:user:john:rwx
    default:group::r-x
    default:mask:rwx
    default:other:r-x
    As mark I copy files to that directory:
    mark> cp myfile /home/john/for-mark
    mark> getfacl /home/john/for-mark/myfile
    # file: /home/john/for-mark/myfile
    # owner: mark
    # group: staff
    user::rw-
    user:john:rwx #effective:r--
    group::r-- #effective:r--
    mask:r--
    other:r--
    The mask is incorrectly set to r-- instead of rwx.
    This leaves john unable to write to myfile (although, strangely he can delete it).
    I am NOT using the -p option on cp. I would expect this behavior if I did.
    Mark can create a file with touch or vi and the mask is incorrectly set to rw-, which is a little better. Compiles are definitely created correctly with rwx.
    Is this a bug? Or am I doing something wrong.

    You are having issues in client 000, right?
    I don't think login/no_automatic_user_sapstar = 0 will help you. This parameter will help you to log in to a newly created client (other than 000/001) with sap* and password PASS.
    login/failed_user_auto_unlock = 1 will enable automatic unlock of locked users at midnight.
    Did you use the correct Maxdb sql command ?
    Thanks
    Prince Jose
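The mask values in the getfacl output posted in this thread (r-- after cp, rw- after touch, rwx from a compiler) can be reproduced with the object-creation rule documented in Linux acl(5): the inherited default ACL is intersected with the mode the creating program passes to open()/creat(). The sketch below is an added example, not code from the thread; it assumes the poster's platform applies the same rule, and the creation modes (0644 for the copied file, 0666 for touch, 0777 for a linker) are assumed values.

```python
# Added example (not from the thread): how a directory's default ACL and the
# mode argument of open()/creat() combine into a new file's access ACL,
# following the object-creation rule documented in Linux acl(5).
BITS = {"r": 4, "w": 2, "x": 1}
MASK = ("mask", "")

# Default ACL spec copied from the setfacl command in the post.
SPEC = ("user:mark:rwx,default:user::rwx,default:user:john:rwx,"
        "default:group::r-x,default:mask:rwx,default:other:r-x")


def parse_perm(text):
    """'r-x' -> 5"""
    return sum(BITS[c] for c in text if c in BITS)


def fmt_perm(bits):
    """5 -> 'r-x'"""
    return "".join(c if bits & BITS[c] else "-" for c in "rwx")


def parse_default_acl(spec):
    """Return the default: entries of a setfacl-style spec as {(tag, qualifier): bits}."""
    acl = {}
    for entry in spec.split(","):
        parts = entry.strip().split(":")
        if parts[0] != "default":
            continue  # the directory's own access entries are not inherited
        qualifier = parts[2] if len(parts) == 4 else ""
        acl[(parts[1], qualifier)] = parse_perm(parts[-1])
    return acl


def inherit(default_acl, create_mode):
    """Access ACL of a file created with create_mode under default_acl.

    The umask plays no part once a default ACL exists; the mode argument does.
    """
    acl = dict(default_acl)
    owner = (create_mode >> 6) & 7
    group = (create_mode >> 3) & 7
    other = create_mode & 7
    acl[("user", "")] &= owner
    acl[("other", "")] &= other
    # The group-class bits of the mode land on the mask entry when one exists,
    # otherwise on the owning-group entry.
    group_class = MASK if MASK in acl else ("group", "")
    acl[group_class] &= group
    return acl


def effective(acl, tag, qualifier=""):
    """Permissions an entry really grants: the mask caps everything except
    the file owner and 'other'."""
    bits = acl[(tag, qualifier)]
    if MASK not in acl or (tag, qualifier) in (("user", ""), ("other", "")):
        return bits
    return bits & acl[MASK]


def summarize(spec, create_mode):
    """Effective permissions per entry, keyed 'tag:qualifier'."""
    acl = inherit(parse_default_acl(spec), create_mode)
    return {f"{tag}:{q}": fmt_perm(effective(acl, tag, q)) for tag, q in acl}


if __name__ == "__main__":
    # Creation modes are assumptions: cp reuses the source file's mode,
    # touch asks for 0666, a linker asks for 0777.
    for label, mode in (("cp (source 0644)", 0o644),
                        ("touch", 0o666),
                        ("linker output", 0o777)):
        print(f"{label:18} {summarize(SPEC, mode)}")
```

Because the default ACL is consulted only at creation time, widening access on a file that already exists means changing the mask on that file. Deleting the file is governed by write permission on the directory rather than on the file, which is why john can remove a file he cannot modify.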

  • A problem with ACL in the class-map on the ACE module

    Hi all,
    I configured the following on the ACE module:
    object-group network test
      host 192.168.1.21
      host 192.168.1.22
      host 192.168.1.23
    object-group service port
      tcp eq www
      tcp eq 8080
    access-list T line 8 extended permit object-group port object-group test any
    I tried to configure a class-map for matching this ACL:
    ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
    ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
    Error: Cannot associate acl having object-group ACEs in class-map.
    So couldn't I  configure the class-map by using ACL with object-groups involved? Is it the bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACL without object-groups for the traffic classification. It is horrible.
    Thank you
    Roman

    Hi Roman,
    I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
    Regards
    Daniel
