author: Mike Yuan <me@yhndnzj.com>, 2022-12-17 00:44:06 +0800
committer: Mike Yuan <me@yhndnzj.com>, 2023-04-27 15:15:09 +0800
commit: 26d98cdd78cb5283f5771bd5866997acc494b067 (patch)
tree: 6b59215bfcd3ae90e8c54915916eff3c08b80b8d /man
parent: 49c778e6bf70ebf230989ab84e9ce7f1b26beef2 (diff)
download: systemd-26d98cdd78cb5283f5771bd5866997acc494b067.tar.gz
tmpfiles: add conditionalized execute bit (X) support
According to setfacl(1), "the character X stands for
the execute permission if the file is a directory
or already has execute permission for some user."
After this commit, parse_acl() would return 3 acl
objects. The newly-added acl_exec object contains
entries that are subject to conditionalized execute
bit mangling. In tmpfiles, we would iterate the acl_exec
object, check the permission of the target files,
and remove the execute bit if necessary.
Here's an example entry:
A /tmp/test - - - - u:test:rwX
Closes #25114
Diffstat (limited to 'man')
-rw-r--r-- | man/tmpfiles.d.xml | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/man/tmpfiles.d.xml b/man/tmpfiles.d.xml index a23b9c8946..54f3c501cb 100644 --- a/man/tmpfiles.d.xml +++ b/man/tmpfiles.d.xml @@ -446,13 +446,15 @@ L /tmp/foobar - - - - /dev/null</programlisting> <term><varname>a+</varname></term> <listitem><para>Set POSIX ACLs (access control lists), see <citerefentry project='man-pages'><refentrytitle>acl</refentrytitle> - <manvolnum>5</manvolnum></citerefentry>. If suffixed with <varname>+</varname>, the specified - entries will be added to the existing set. <command>systemd-tmpfiles</command> will automatically - add the required base entries for user and group based on the access mode of the file, unless base - entries already exist or are explicitly specified. The mask will be added if not specified - explicitly or already present. Lines of this type accept shell-style globs in place of normal path - names. This can be useful for allowing additional access to certain files. Does not follow - symlinks.</para></listitem> + <manvolnum>5</manvolnum></citerefentry>. Additionally, if 'X' is used, the execute bit is set only + if the file is a directory or already has execute permission for some user, as mentioned in + <citerefentry project='man-pages'><refentrytitle>setfacl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. + If suffixed with <varname>+</varname>, the specified entries will be added to the existing set. + <command>systemd-tmpfiles</command> will automatically add the required base entries for user + and group based on the access mode of the file, unless base entries already exist or are explicitly + specified. The mask will be added if not specified explicitly or already present. Lines of this type + accept shell-style globs in place of normal path names. This can be useful for allowing additional + access to certain files. Does not follow symlinks.</para></listitem> </varlistentry> <varlistentry> |
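Review bot: the added sentence in this hunk writes the permission letter as a bare quoted 'X' while the same paragraph marks up the suffix as <varname>+</varname>; for consistency with the surrounding DocBook, give it markup too (for example <literal>X</literal>), and consider carrying the commit message's example line, `A /tmp/test - - - - u:test:rwX`, into the man page so readers see where X appears in an a/a+ entry. The sentence also states that the execute bit is set "only if" the target is a directory or already executable for some user, but not what happens otherwise; since the commit message describes the execute bit being removed in that case, adding a half-sentence saying the entry is applied without execute permission would make the documented behaviour complete.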