
I have an NFS4 filesystem that has AD-based authentication set up and ACLs to match. I am controlling access to the machines that mount the filesystem, so the ACLs are very basic. One prevents users from renaming or deleting folders at the parent level. A second ACL gives "Everyone" and "Domain Users" full access for "Subfolders, and Files".

The problem I have is that on one of the subfolders there is a *.pax.gz file. If I log in to a Linux client and cd to that folder, I am able to see the file and the correct permissions. If I run gunzip "filename", it then creates a *.pax file, but the "Everyone" and "Domain Users" permissions are gone and I become the owner of that file.

Is it possible to set an ACL or anything at all that would have the end result be the *.pax file retaining the same permissions that the *.pax.gz file has?

mrbarker

3 Answers


You need to add ACEs to the parent directory with the 'f' and 'd' flags so that newly created files and directories inherit those ACEs.

From the nfs4_acl man page:

   INHERITANCE FLAGS - can be used in any directory ACE

   d      directory-inherit - newly-created subdirectories will inherit the ACE.

   f      file-inherit - newly-created files will inherit the ACE, minus its inheritance flags. Newly-created subdirectories
          will inherit the ACE; if directory-inherit is not also specified in the parent ACE, inherit-only will be added to the
          inherited ACE.

   n      no-propagate-inherit - newly-created subdirectories will inherit the ACE, minus its inheritance flags.

   i      inherit-only - the ACE is not considered in permissions checks, but it is heritable; however, the inherit-only flag
          is stripped from inherited ACEs.
kofemann
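To check whether a parent directory's ACL actually carries the inheritance flags described in this answer, here is an added example (not from the thread or from nfs4-acl-tools): it parses nfs4_getfacl-style output and predicts which ACEs a newly created file or subdirectory would receive, following the flag rules quoted from the man page above. The ACL text, the group name and the realm are constructed.

```python
from typing import NamedTuple
INHERIT_FLAGS = set("fdni")  # file-inherit, directory-inherit, no-propagate, inherit-only
class Ace(NamedTuple):
    kind: str       # A = allow, D = deny, U = audit, L = alarm
    flags: str      # ACE flags, e.g. "fdg" (g marks a group principal)
    principal: str  # OWNER@, GROUP@, EVERYONE@ or name@REALM (names may contain spaces)
    perms: str      # permission letters, e.g. "rwaDxtTnNcy"

def parse_acl(text: str) -> list[Ace]:
    """Parse nfs4_getfacl-style output; lines starting with '#' are comments."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, flags, rest = line.split(":", 2)  # type and flags never contain ':'
        principal, perms = rest.rsplit(":", 1)  # so peel the permissions off the right end
        aces.append(Ace(kind, flags, principal, perms))
    return aces

def _strip_inherit(flags: str) -> str:
    return "".join(c for c in flags if c not in INHERIT_FLAGS)

def inherited_by_new_file(parent: list[Ace]) -> list[Ace]:
    """A new file gets every ACE flagged 'f', minus all inheritance flags."""
    return [Ace(a.kind, _strip_inherit(a.flags), a.principal, a.perms)
            for a in parent if "f" in a.flags]

def inherited_by_new_dir(parent: list[Ace]) -> list[Ace]:
    """A new subdirectory gets ACEs flagged 'd' or 'f', flags adjusted as the man page says."""
    out = []
    for a in [a for a in parent if {"d", "f"} & set(a.flags)]:
        if "n" in a.flags:            # no-propagate: the child's copy stops inheriting
            flags = _strip_inherit(a.flags)
        elif "d" not in a.flags:      # file-inherit only: carried on, but as inherit-only
            flags = a.flags if "i" in a.flags else a.flags + "i"
        else:                         # directory-inherit: the inherit-only flag is stripped
            flags = a.flags.replace("i", "")
        out.append(Ace(a.kind, flags, a.principal, a.perms))
    return out

def principals_without_inheritance(parent: list[Ace], wanted: list[str]) -> list[str]:
    """Principals lacking an allow ACE with both 'f' and 'd'; new files and dirs will not inherit them."""
    ok = {a.principal for a in parent if a.kind == "A" and {"f", "d"} <= set(a.flags)}
    return [p for p in wanted if p not in ok]

PARENT_ACL = """# constructed sample: the Domain Users ACE has no f/d flags, so a file gunzip creates here will not carry it
A:fdg:GROUP@:rwaDxtTnNcy
A:fd:EVERYONE@:rwaDxtTnNcy
A:g:domain users@EXAMPLE.COM:rwaDxtTnNcy"""
```

Running `principals_without_inheritance(parse_acl(PARENT_ACL), ["EVERYONE@", "domain users@EXAMPLE.COM"])` names the Domain Users ACE as the one that needs 'f' and 'd' added with nfs4_setfacl.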

To properly store and restore metadata such as ACLs and the like, you should use tar -pzcf and tar -pzxf rather than plain gz or gunzip.

shodanshok
  • running `tar -zxf *.gz` returned the following error - tar: Malformed extended header: missing newline tar: Exiting with failure status due to previous errors – mrbarker Mar 23 '16 at 21:57
  • You misunderstand how to use `tar`. Please read its manpage or do a simple Google search. – shodanshok Mar 23 '16 at 23:12
  • Good point. By default `-p` is included if running `tar` as root, but specifying it does no harm anyway. – shodanshok Mar 24 '16 at 06:50
  • I have not added any of the users on this machine to sudo. The *.pax.gz file is being copied onto the filesystem from somewhere else. I cannot control how that file gets made, only the permissions of it when it is copied onto the filesystem. I just can't figure out how to set up the ACL so the resulting .pax file retains the same permissions as the initial .pax.gz file – mrbarker Mar 24 '16 at 14:32
  • Ok, so you are not creating the `gz` in the first place. So you either need to mangle with ACLs (as per kofemann reply) or to write a simple script which will get the correct user/group from the `gz` file, uncompress it, and restore the original owner/group. – shodanshok Mar 24 '16 at 17:54

This should solve the issue:

sudo -u <current file owner> -g "Domain Users" gunzip *.pax.gz

The reason you need to do it this way is that when you gunzip something, the program loads the gz into memory, decompresses it, writes the decompressed version to disk as a new file[1], and unlinks (deletes) the old version.

[1]: When you create a new file, whatever user context you're under is the owner, and their primary group is the group of said file; -g causes sudo to change the primary group for that session.

Allowing non-root users to do this:

Create a system group of the users you want to be able to use gunzip; in this example we'll call it 'gunzip'.

visudo

Add line:

%gunzip ALL=(ALL) NOPASSWD:NOEXEC: /bin/gunzip

Save and quit

Aaron Tate
  • Thanks, but the users on the machine are only granted standard access. None of them have been added to visudo. In my very limited Linux understanding, will that cause an issue with this? – mrbarker Mar 23 '16 at 23:12
  • I've added info on how to allow non-root/admin users to do this without having to use a root password. NOEXEC prevents someone from using gunzip to launch a root shell. – Aaron Tate Mar 24 '16 at 00:21