Bug 8020 - --acls does not honor --numeric-ids if UIDs do not match
Status: RESOLVED FIXED
Alias: None
Product: rsync
Classification: Unclassified
Component: core
Version: 3.0.8
Hardware: x86 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Wayne Davison
QA Contact: Rsync QA Contact
Reported: 2011-03-17 05:41 UTC by Kevin Korb
Modified: 2011-03-21 13:19 UTC

Attachments
rsync ACL numeric-ids option patch (612 bytes, patch)
2011-03-18 09:14 UTC, Curu Wong
should use id_t instead of int for uid/gid value. (613 bytes, patch)
2011-03-18 09:31 UTC, Curu Wong
Don't send names for ACL IDs w/--numeric-ids option (723 bytes, patch)
2011-03-18 21:57 UTC, Wayne Davison

Description Kevin Korb 2011-03-17 05:41:36 UTC
If the same user name exists on two systems but with different numeric UIDs, rsync normally does a translation.  Using --numeric-ids is supposed to disable that translation feature (which it does for file ownership).  However, it does not for ACLs.

Here is an example of a directory with an ACL transferred between 2 systems that have a qmaild user with different UIDs.

---------------------------------------------------------------

localbox# rsync --archive --acls --itemize-changes --numeric-ids remotebox:/service ./
.d.......a. service/
localbox# ssh remotebox getfacl /service
getfacl: Removing leading '/' from absolute path names
# file: service
# owner: root
# group: service
user::rwx
user:nagios:r-x
user:qmaild:r-x
user:nobody:r-x
group::r-x
mask::r-x
other::---

localbox# ssh remotebox id qmaild
uid=380(qmaild) gid=200(nofiles) groups=200(nofiles),300(service)
localbox# getfacl service
# file: service
# owner: root
# group: 300
user::rwx
user:qmaild:r-x
user:320:r-x
user:nobody:r-x
group::r-x
mask::r-x
other::---

localbox# id qmaild
uid=201(qmaild) gid=200(nofiles) groups=200(nofiles)

------------------------------------------------------------

Both systems are running Gentoo Linux and rsync 3.0.7.  I discovered this problem because I was using rsync to back up the server with the ACL to a backup system that also had the qmaild user but with a different UID.  When I later restored that backup while booted from a live CD (SystemRescueCD), it did not have a qmaild user, so the numeric value from my backup server was used rather than the numeric value it was supposed to be.
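
A check for the drift described in this report, as an added example that is not part of the original report or of rsync: it compares the named ACL entries of two dumps taken with `getfacl --numeric`, one on the source and one on the copy, so that local name resolution cannot hide a changed id. The function names and the sample dumps are constructed for illustration; uid 380 and 201 for qmaild come from the report, while 320 and 65534 are assumed values.

```shell
#!/bin/sh
# Added example (not from the bug report): detect ACL id drift between a
# source tree and its rsync copy by comparing `getfacl --numeric` dumps.

# Keep only named user/group entries (numeric qualifier); base entries
# (user::, group::), mask and other carry no uid/gid and are skipped.
named_entries() {
    awk '/^(default:)?(user|group):[0-9]+:/' "$1" | sort
}

# acl_id_drift SRC_DUMP DST_DUMP
# Prints "missing <entry>" for entries only in the source dump and
# "unexpected <entry>" for entries only in the copy; returns 1 on drift.
acl_id_drift() {
    s=$(mktemp) && d=$(mktemp) || return 2
    named_entries "$1" > "$s"
    named_entries "$2" > "$d"
    drift=$(comm -23 "$s" "$d" | sed 's/^/missing /'
            comm -13 "$s" "$d" | sed 's/^/unexpected /')
    rm -f "$s" "$d"
    if [ -n "$drift" ]; then
        printf '%s\n' "$drift"
        return 1
    fi
    return 0
}

# Constructed sample dumps modelled on the report: qmaild is uid 380 on the
# source and 201 on the copy; 320 and 65534 are assumed values.
write_samples() {
    cat > "$1/src.acl" <<'EOF'
# file: service
user::rwx
user:320:r-x
user:380:r-x
user:65534:r-x
group::r-x
mask::r-x
other::---
EOF
    sed 's/^user:380:/user:201:/' "$1/src.acl" > "$1/dst.acl"
}

tmp=$(mktemp -d)
write_samples "$tmp"
acl_id_drift "$tmp/src.acl" "$tmp/dst.acl" || echo "ACL ids differ"
```
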
Comment 1 Curu Wong 2011-03-18 09:14:54 UTC
Created attachment 6303
rsync ACL numeric-ids option patch

It seems that rsync always maps user/group names to ids.
We can see that in function recv_ida_entries(ida_entries *ent, int f) in acls.c: if data sent from the remote end contains user/group name info, it will always map that user/group name to a local id, and never honours the --numeric-ids option to use the uid/gid from the remote end directly.

This patch should fix this problem.

Tested on:
Fedora 14 i386
CentOS 5.5 x86_64
Comment 2 Curu Wong 2011-03-18 09:22:58 UTC
Comment on attachment 6303
rsync ACL numeric-ids option patch

diff -ru rsync-3.0.7.orig/acls.c rsync-3.0.7/acls.c
--- rsync-3.0.7.orig/acls.c	2011-03-18 16:33:10.000000000 +0800
+++ rsync-3.0.7/acls.c	2011-03-18 16:37:10.000000000 +0800
@@ -696,10 +696,14 @@
 		uint32 access = recv_acl_access(&has_name, f);
 
 		if (has_name) {
+			id_t id_orig = id;
 			if (access & NAME_IS_USER)
 				id = recv_user_name(f, id);
 			else
 				id = recv_group_name(f, id, NULL);
+			//don't map uid/gid when --numeric-ids option is set
+			if (numeric_ids)
+				id = id_orig;
 		} else if (access & NAME_IS_USER) {
 			if (inc_recurse && am_root && !numeric_ids)
 				id = match_uid(id);
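Review bot: In the has_name branch, recv_user_name()/recv_group_name() are still called when numeric_ids is set and only their return value is discarded by `id = id_orig;`, so whatever name handling those functions do on the receiver still runs. The calls presumably have to stay because they read the name from f, but the new comment should say that rather than only "don't map uid/gid". It would also read more clearly to hold the returned value in a temporary and assign it to id only under `if (!numeric_ids)`, which matches the `!numeric_ids` guard on match_uid() in the branch that follows. Nothing in this hunk changes what the sender transmits, so names are still sent and then ignored.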
Comment 3 Curu Wong 2011-03-18 09:31:44 UTC
Created attachment 6304
should use id_t instead of int for uid/gid value.
Comment 4 Kevin Korb 2011-03-18 12:49:22 UTC
The patch does solve my problem.  Thank you.
Comment 5 Wayne Davison 2011-03-18 21:57:13 UTC
Created attachment 6334
Don't send names for ACL IDs w/--numeric-ids option

Instead of ignoring the names, the sender should not be sending names.  This matches how normal owner/group sending happens with --numeric-ids.

Thanks for the suggested patch, though!
Comment 6 Wayne Davison 2011-03-18 21:58:18 UTC
Fixed in git.
Comment 7 Kevin Korb 2011-03-18 22:13:58 UTC
The second patch also solves my problem.

I want to point out to anyone else who hits this problem and needs a patch that the first patch needs only to be applied to the receiver while the second patch needs only to be applied to the sender.  If someone can't patch or upgrade one end then the other patch may be useful to them.

Thanks again.
Comment 8 Curu Wong 2011-03-21 13:19:10 UTC
(In reply to comment #5)
> Created attachment 6334
> Don't send names for ACL IDs w/--numeric-ids option
> 
> Instead of ignoring the names, the sender should not be sending names.  This
> matches how normal owner/group sending happens with --numeric-ids.
> 
> Thanks for the suggested patch, though!

This patch is more elegant :) .