rsync is supposed to preserve ACLs with the -A option. However, rsync 3.0.6 does not preserve ACLs, as it drops the "mask" portion of the ACL.

wayne said on the mailing list:

Rsync was of the belief that a mask was only needed if an ACL had named values, otherwise it tried to simplify the ACL to mask off the group mode and dropped the mask. I've checked in a change that makes it keep whatever mask value is specified, so the ACLs should be identical now. This will get released in 3.0.6.

..wayne..

However, this has not been done. Example (performed as root):

# rsync --version
rsync version 3.0.6 protocol version 30
Copyright (C) 1996-2009 by Andrew Tridgell, Wayne Davison, and others.
Web site: http://rsync.samba.org/
Capabilities:
    64-bit files, 64-bit inums, 32-bit timestamps, 64-bit long ints,
    socketpairs, hardlinks, symlinks, no IPv6, batchfiles, inplace,
    append, ACLs, no xattrs, iconv, no symtimes

rsync comes with ABSOLUTELY NO WARRANTY. This is free software, and you
are welcome to redistribute it under certain conditions. See the GNU
General Public Licence for details.

# getfacl example.txt

# file: example.txt
# owner: root
# group: other
user::---
user:jdb:r-- #effective:r--
group::--- #effective:---
mask:r-- <======== NOTE MASK
other:---

# rsync -aA example.txt jdb@remote:/var/tmp
# ssh -q jdb@remote 'ls -l /var/tmp/example.txt; getfacl /var/tmp/example.txt'
----------+ 1 root other 355 Sep 5 14:07 /var/tmp/example.txt

# file: /var/tmp/example.txt
# owner: root
# group: other
user::---
user:jdb:r-- #effective:---
group::--- #effective:---
mask:--- <======== NOTE MASK
other:---

[ rsync is 3.0.6 on both ends ]
Further testing shows that not only is the mask not preserved on transfer, but if it already exists, it is eliminated!
Just to be 100% sure, run this and verify that it says 3.0.6:

ssh -l jdb remote rsync --version

I assume that will be OK as the real problem appears to be that your file has a mask of "r" but the ls display shows (and presumably mode value in stat() returns) no corresponding group=r mode. That should not be possible with posix ACLs. So, something is very weird in Solaris ACLs.
The unusual behavior of Solaris ACLs was previously discussed in this thread: http://lists.samba.org/archive/rsync/2006-October/016404.html
I used the --fake-super option to try a copy that is otherwise impossible on Linux (since I don't have access to Solaris) -- an ACL that has a mask that doesn't match the group number. Rsync duplicated the values correctly (from xattr value to xattr value). So, this makes me wonder if setting the mode changes the mask on Solaris. For example, if you do this:

setfacl -m m:r foo
chmod 0 foo
getfacl foo

Does the mask get reset?
Yes, according to the message linked in comment #3.
3.0.8 has some more ACL mask improvements that should hopefully fix this. If it is still broken, feel free to reopen this bug.
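
An added example, not part of the original thread or of rsync: a small Python check that parses two getfacl dumps (Solaris `mask:` or Linux `mask::` form), applies the mask to named-user and group entries, and lists every entry whose effective access differs after a transfer. The function names are hypothetical; the sample ACLs are transcribed from the report's getfacl output with the NOTE MASK annotation removed.

```python
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Sample input transcribed from the report (source file, then the copy on "remote").
SRC = """# file: example.txt
user::---
user:jdb:r-- #effective:r--
group::--- #effective:---
mask:r--
other:---"""
DST = SRC.replace("mask:r--", "mask:---").replace("#effective:r--", "#effective:---")

def parse_getfacl(text):
    """Return {(tag, qualifier): permission bits} for the access ACL."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and '#effective:' notes
        fields = line.split(":")
        if not line or len(fields) < 2 or fields[0] == "default":
            continue  # blank line, junk, or a default (inherited) entry
        qualifier = fields[1] if len(fields) == 3 else ""  # 'mask:r--' has none
        acl[(fields[0], qualifier)] = sum(PERM_BITS.get(c, 0) for c in fields[-1][:3])
    return acl

def effective(acl):
    """Apply the mask to named users, the owning group and named groups."""
    mask = acl.get(("mask", ""), 7)  # no mask entry: nothing is filtered
    out = {}
    for (tag, who), bits in acl.items():
        if tag == "mask":
            continue
        masked = tag == "group" or (tag == "user" and who != "")
        out[(tag, who)] = bits & mask if masked else bits
    return out

def acl_drift(src_text, dst_text):
    """List (entry, source bits, destination bits) wherever access changed."""
    src, dst = parse_getfacl(src_text), parse_getfacl(dst_text)
    s_eff, d_eff = effective(src), effective(dst)
    drift = [(k, s_eff.get(k), d_eff.get(k))
             for k in sorted(set(s_eff) | set(d_eff)) if s_eff.get(k) != d_eff.get(k)]
    m = ("mask", "")
    if src.get(m) != dst.get(m):  # report the mask itself even if nothing else moved
        drift.append((m, src.get(m), dst.get(m)))
    return drift

if __name__ == "__main__":
    for entry, before, after in acl_drift(SRC, DST):
        print(entry, before, "->", after)
```
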