Installation guide
to read-only mounts and ACLs, there may be additional controls that can
alter the permitted access such as:
• ID mapping
• Mandatory access control
• Additional authentication requirements
Programs that copy files to update them, rather than updating them in place,
often do not preserve ACLs. Some programs that have this problem are
gzip, compress, and emacs.
The best solution for programs that need to make access decisions is for the
program to use the access() call to determine what access will be granted.
Note that even this may not work as the access protections of the file could
be changed between the access() call and the read, write, or
execute operation.
For programs that copy files, the following command will copy a file while
preserving ACLs and any other extended attribute (property list):
# cp -p
See the acl(4) and proplist(4) reference pages for more information.
4.1.2.2 ACLs and Archive Tools
The pax, tar, and cpio archive tools might not restore ACLs on files in
the manner you expect. Always check the ACLs on your files after saving
and restoring them with any of these tools.
4.1.3 Emacs Can Lose ACL File Settings
By default, the Emacs editor renames the original file and saves the new
file as a copy under the original name. If the original file had an Access
Control List (ACL), it will now apply to the backup file. If the directory had
a default ACL, the new file (original file name) will now have the default
ACL instead of the original ACL. If the directory did not have a default
ACL, the new file will be protected only by the file permission bits.
The Emacs editor has some user-preference variables that you can set to
control which file will retain the original ACL. The relevant Emacs variables
are:
• backup-by-copying
• backup-by-copying-when-mismatch
• backup-by-copying-when-linked
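The following added example (not part of the original notes) contrasts the two save strategies described above. It tracks the inode number and permission bits as a stand-in for the ACL, because the ACL stays with the file object rather than the file name; the helper functions and the file name report.txt are constructed for the demo.

```shell
#!/bin/sh
# Added illustration: helper names and report.txt are constructed for this demo.
# Inode number + permission bits stand in for "the file object that owns the ACL".

inode_of() { ls -i "$1" | awk '{print $1}'; }
perms_of() { ls -l "$1" | cut -c1-10; }   # cut drops any trailing ACL marker

# Emacs default: rename the original to the backup name, then create a new
# file under the original name.
save_by_rename() {
    mv "$1" "$1~" && printf '%s\n' "$2" > "$1"
}

# backup-by-copying behaviour: copy to the backup name, then overwrite the
# original in place.
save_by_copying() {
    cp -p "$1" "$1~" && printf '%s\n' "$2" > "$1"
}

# Run one save strategy and report where the original file object ended up.
check_save() {
    strategy=$1
    dir=$(mktemp -d) || return 1
    f="$dir/report.txt"
    ( umask 022; printf 'v1\n' > "$f" )
    chmod 640 "$f"                        # restrictive setting to track
    before="$(inode_of "$f") $(perms_of "$f")"
    ( umask 022; "$strategy" "$f" 'v2' )
    after="$(inode_of "$f") $(perms_of "$f")"
    backup="$(inode_of "$f~") $(perms_of "$f~")"
    rm -rf "$dir"
    if [ "$before" = "$after" ]; then
        echo "preserved"
    elif [ "$before" = "$backup" ]; then
        echo "moved-to-backup"
    else
        echo "lost"
    fi
}

echo "rename then write: $(check_save save_by_rename)"
echo "copy then write:   $(check_save save_by_copying)"
```

After any editor or tool that rewrites files, the same before/after comparison can be made on the real ACL with the system's ACL listing command.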
4–2 Base System Software Notes