If the same user name exists on two systems but with different numeric UIDs, rsync normally does a translation. Using --numeric-ids is supposed to disable that translation feature (which it does for file ownership). However, it does not for ACLs. Here is an example of a directory with an ACL transferred between 2 systems that have a qmaild user with different UIDs.

---------------------------------------------------------------
localbox# rsync --archive --acls --itemize-changes --numeric-ids remotebox:/service ./
.d.......a. service/
localbox# ssh remotebox getfacl /service
getfacl: Removing leading '/' from absolute path names
# file: service
# owner: root
# group: service
user::rwx
user:nagios:r-x
user:qmaild:r-x
user:nobody:r-x
group::r-x
mask::r-x
other::---
localbox# ssh remotebox id qmaild
uid=380(qmaild) gid=200(nofiles) groups=200(nofiles),300(service)
localbox# getfacl service
# file: service
# owner: root
# group: 300
user::rwx
user:qmaild:r-x
user:320:r-x
user:nobody:r-x
group::r-x
mask::r-x
other::---
localbox# id qmaild
uid=201(qmaild) gid=200(nofiles) groups=200(nofiles)
------------------------------------------------------------

Both systems are running Gentoo Linux and rsync 3.0.7. I discovered this problem because I was using rsync to back up the server with the ACL to a backup system that also had the qmaild user but with a different UID. When I later restored that backup while booted from a live CD (SystemRescueCD), it did not have a qmaild user, so the numeric value from my backup server was used rather than the numeric value it was supposed to be.
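A check for the mismatch shown in the report above, written as an added example that is not part of the original thread or of rsync: it converts two getfacl listings to numeric ids and reports named ACL entries whose id was not preserved. The qmaild UIDs come from the report's `id` output; the nagios and nobody UIDs, and all function and variable names, are assumptions made for the example.

```python
import re

# Constructed from the getfacl output in the report (header comment lines omitted).
REMOTE_ACL = """user::rwx
user:nagios:r-x
user:qmaild:r-x
user:nobody:r-x
group::r-x
mask::r-x
other::---"""
LOCAL_ACL = """user::rwx
user:qmaild:r-x
user:320:r-x
user:nobody:r-x
group::r-x
mask::r-x
other::---"""
# name -> id per host. The qmaild values come from the report's `id` output;
# nagios=320 and nobody=65534 are assumptions made for this example.
REMOTE_NAMES = {"user": {"qmaild": 380, "nagios": 320, "nobody": 65534}, "group": {}}
LOCAL_NAMES = {"user": {"qmaild": 201, "nobody": 65534}, "group": {}}

ENTRY = re.compile(r"^(user|group):([^:]+):([rwx-]{3})$")

def numeric_acl(getfacl_text, names):
    """Return {(tag, numeric_id, perms)} for the named ACL entries of one file."""
    entries = set()
    for line in getfacl_text.splitlines():
        m = ENTRY.match(line.split("#")[0].strip())
        if not m:
            continue  # header comments, owner/mask/other entries, blank lines
        tag, who, perms = m.groups()
        if who.isdigit():
            ident = int(who)          # already numeric (no such name on this host)
        else:
            ident = names[tag][who]   # KeyError means the id map is incomplete
        entries.add((tag, ident, perms))
    return entries

def acl_id_drift(src_text, src_names, dst_text, dst_names):
    """Return (missing_on_dst, unexpected_on_dst) as sorted lists of entries."""
    src = numeric_acl(src_text, src_names)
    dst = numeric_acl(dst_text, dst_names)
    return sorted(src - dst), sorted(dst - src)

if __name__ == "__main__":
    missing, unexpected = acl_id_drift(REMOTE_ACL, REMOTE_NAMES, LOCAL_ACL, LOCAL_NAMES)
    print("missing on destination:", missing)        # ids the copy should have kept
    print("unexpected on destination:", unexpected)  # ids produced by name mapping
```

If both listings are taken with `getfacl --numeric`, every entry is already numeric and the name maps are never consulted.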
Created attachment 6303 [details]
rsync ACL numeric-ids option patch

It seems that rsync always maps user/group names to ids. We can see that in the function recv_ida_entries(ida_entries *ent, int f) in acls.c: if the data sent from the remote end contains user/group name info, it will always map that user/group name to a local id, and never honour the --numeric-ids option and use the uid/gid from the remote end directly. This patch should fix this problem.

Tested on:
Fedora 14 i386
CentOS 5.5 x86_64
Comment on attachment 6303 [details] rsync ACL numeric-ids option patch diff -ru rsync-3.0.7.orig/acls.c rsync-3.0.7/acls.c --- rsync-3.0.7.orig/acls.c 2011-03-18 16:33:10.000000000 +0800 +++ rsync-3.0.7/acls.c 2011-03-18 16:37:10.000000000 +0800 @@ -696,10 +696,14 @@ uint32 access = recv_acl_access(&has_name, f); if (has_name) { + id_t id_orig = id; if (access & NAME_IS_USER) id = recv_user_name(f, id); else id = recv_group_name(f, id, NULL); + //don't map uid/gid when --numeric-ids option is set + if (numeric_ids) + id = id_orig; } else if (access & NAME_IS_USER) { if (inc_recurse && am_root && !numeric_ids) id = match_uid(id);
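Review bot: in the has_name branch, saving id into id_orig and restoring it after recv_user_name()/recv_group_name() is a roundabout way to skip the mapping. The call presumably still has to run so that the name is consumed from f, so consider assigning its result only when !numeric_ids, which mirrors the !numeric_ids test already used in the else-if branch just below and removes the extra variable. The new "//don't map uid/gid" comment should also say that the name is still read from the stream on purpose, since that is not obvious from the code. Because this touches only the receiving side, the sender keeps transmitting names that are then discarded; the patch description should state that.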
Created attachment 6304 [details]
should use id_t instead of int for uid/gid value.
The patch does solve my problem. Thank you.
Created attachment 6334 [details]
Don't send names for ACL IDs w/--numeric-ids option

Instead of ignoring the names, the sender should not be sending names. This matches how normal owner/group sending happens with --numeric-ids.

Thanks for the suggested patch, though!
Fixed in git.
The second patch also solves my problem. I want to point out to anyone else who hits this problem and needs a patch that the first patch needs only to be applied to the receiver while the second patch needs only to be applied to the sender. If someone can't patch or upgrade one end then the other patch may be useful to them. Thanks again.
(In reply to comment #5)
> Created attachment 6334 [details]
> Don't send names for ACL IDs w/--numeric-ids option
>
> Instead of ignoring the names, the sender should not be sending names. This
> matches how normal owner/group sending happens with --numeric-ids.
>
> Thanks for the suggested patch, though!

This patch is more elegant :) .