Why is rsync getting “permission denied” errors on Mac OS X when ACLs are set for the correct user

access-control-listosx-snow-leopardrsync

I'm transitioning away from an old tool that initiates an rsync (copying from a local path to a remote path w/SSH hostkeys) via a web form (completely behind a firewall w/multiple authentication layers, not that that's an excuse) hosted on Mac OS X 10.6 Snow Leopard Server. To work around the fact that rsync is run by _www, but the files are owned by someuser (plus the SSH hostkeys are for someuser), the original author made a copy of the rsync binary w/permissions of 4755 & someuser as the owner (so, anyone who runs that copy of rsync has it run as the someuser user). A dirty hack, for sure, but it works (and it was written before Mac OS X even had support for ACLs, so it's at least slightly understandable, though it's still atrocious from a security standpoint).

As my first step in moving away from this solution, I've changed the permissions of those files from 777 (owned by someuser) to 755 (still owned by someuser), then set ACLs for _www to have full access to those files, as follows:

chmod -R +a "_www allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit" /path/to/directory

Unfortunately, while still using the same rsync binary with the set-user-ID-on-execution bit set for someuser, rsync now throws the following error:

building file list ... rsync: link_stat "/path/to/directory/subdir/." failed: Permission denied (13)
done

sent 332 bytes  received 20 bytes  704.00 bytes/sec
total size is 0  speedup is 0.00
rsync error: some files could not be transferred (code 23) at /SourceCache/rsync/rsync-30/rsync/main.c(717)

If I check the permissions for that directory, they seem correct:

$ ls -ael /path/to/directory/
total 0
drwxr-x---+  3 someuser  admin  102 Jun 23 19:00 .
 0: user:_www allow list,add_file,delete,add_subdirectory,file_inherit,directory_inherit
drwxr-xr-x   8 someuser  admin  272 Jun 23 18:57 ..
drwxr-xr-x+ 17 someuser  admin  578 Jun 23 17:15 subdir
 0: user:_www allow list,add_file,delete,add_subdirectory,file_inherit,directory_inherit

The same is true of a file in the directory:

$ ls -ael /path/to/directory/subdir/file.txt 
-rwxr-xr-x+ 1 someuser  admin  107 Jun 23 17:15 subdir/file.txt
 0: user:_www allow read,write,delete,append

What would cause this permissions error since the files are still owned by the user which the rsync binary runs, plus the _www user should have full ACLs for the directory & files?

Update: It seems like it's an ACL issue as running sudo -u _www ls -ael /path/to/directory/ results in "permission denied" errors as well:

ls: .: Permission denied
ls: ..: Permission denied
ls: subdir: Permission denied`

So, what's wrong with the ACLs I've set?

Best Answer

In Server Admin.app, I enabled the "Show system accounts in the users & groups browser" preference, then went to File Sharing and browsed to /path/to/directory/ (w/"Volumes" & "Browse" selected in the toolbar) I added a "Custom" ACL (no "Administration", but all "Read", "Write", and "Applies to") for the '_www' user and propagated the permissions.

This resulted in the following when running ls as the '_www' user:

$ sudo -u _www ls -ale /path/to/directory
total 0
drwxr-x---+  3 someuser  admin  102 Jun 23 19:00 .
 0: user:_www allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
drwxr-xr-x   8 someuser  admin  272 Jun 23 18:57 ..
drwxr-xr-x+ 17 someuser  admin  578 Jun 23 17:15 subdir
 0: user:_www inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit

So, that resolved the issue. By looking at the ACLs that were set, it looks like it was probably the missing 'search' access which was causing the failures (maybe some of the others, although those appear to only be related to extended attributes).

Related Solutions

Linux – rsync to remote server that does not have the same users setup as local server produces permission error

You may want to try --fake-super. From the rsync man page:

--fake-super

When this option is enabled, rsync simulates super-user activities by saving/restoring the privileged attributes via special extended attributes that are attached to each file (as needed). This includes the file's owner and group (if it is not the default), the file's device info (device & special files are created as empty text files), and any permission bits that we won't allow to be set on the real file (e.g. the real file gets u-s,g-s,o-t for safety) or that would limit the owner's access (since the real super-user can always access/change a file, the files we create can always be accessed/changed by the creating user).

In your case, since you want to use --fake-super on the remote side, you will need to invoke it via --rsync-path, e.g.:

rsync -avz --rsync-path='rsync --fake-super' /source/ backupuser@remote:/dest/

When restoring from your backups, you will also need to ensure that --fake-super is always in force on the system where the backups are stored.

Can’t delete Active Directory object

Your problem is the explicitly defined Deny delete permission in the "root" (properly called "grandparent") OU, and removing it should solve your problems. It's kind of hard to follow the exact OU structures and which permissions are explicit and which are inherited from your description (a picture is worth a thousands words), but it sounds like, to me:

There is an explicit Deny delete in the root/grandparent OU. It is only functioning on objects in the root, and one level down.

This would be because either:

The Deny delete is only applying to the first level of descendant objects (so it's inherited by the parent OU, but not the child OU), or
The second level of descendant objects (in the child OU) have an Allow delete permission that is of higher precedence.

To resolve the issue and allow your group to delete the objects you want to delete, remove the Deny delete permission at the root OU, or set it to apply to the OU object only (not to its descendant objects).

Here's a handy link to information about permissions precedence in NTFS (which applies to AD permissions as well):

Here are some rules for resolving permissions conflicts:

"Deny" permissions generally take precedence over "allow" permissions.
Permissions applied directly to an object (explicit permissions) take precedence over permissions inherited from a parent (for example from a group).
Permissions inherited from near relatives take precedence over permissions inherited from distant predecessors. So permissions inherited from the object's parent folder take precedence over permissions inherited from the object's "grandparent" folder, and so on.
Permissions from different user groups that are at the same level (in terms of being directly-set or inherited, and in terms of being "deny" or "allow") are cumulative. So if a user is a member of two groups, one of which has an "allow" permission of "Read" and the other has an "allow" of "Write", the user will have both read and write permission--depending on the other rules above, of course.

Although Deny permissions generally take precedence over allow permissions, this is not always the case. An explicit "allow" permission can take precedence over an inherited "deny" permission.

The hierarchy of precedence for the permissions can be summarized as follows, with the higher precedence permissions listed at the top of the list:

Explicit Deny
Explicit Allow
Inherited Deny
Inherited Allow

Also true:

File permissions override folder permissions, unless the Full Control permission has been granted to the folder.

Best Answer

Related Solutions

Linux – rsync to remote server that does not have the same users setup as local server produces permission error

Can’t delete Active Directory object

Related Topic