Finder's Nasty Inherited ACL Bug (aka Error -41)
You wonder who's working at Apple.
CHICAGO (Rixstep) — Joel Bruner's done another dig into the tangled webs of Apple software and come up with a doozy. This isn't low level: it's in Finder (and miraculously in Path Finder as well but not Rixstep's Xfile). But ironically that's all the more reason to worry.
For the 'bug', which first appeared in 10.6.3, is only getting worse with each point update.
Scott's orphans: what's happening to them? Do they know what they're doing? Do they test what they're doing? How can they possibly not catch a bug that's this critical and actually make it worse again and again? As another Apple network guru put it: 'you wonder who's working at Apple'.
Things start to go south when Finder/Path Finder try to deal with ACLs. Bruner heard the talk about the bug a while back but only recently had the time to study and monitor the descent through each and every iteration of Snow Leopard. He took a test box and upgraded to 10.6.7 through each point update, making QuickTime movies and documenting what he found.
He published his results at Open Radar after filing the bug with Apple.
The bug is that ACLs are redundantly duplicated in Finder/Path Finder copy operations. The good news (again) is that the system APIs and low level code utilities ('cp -p') aren't responsible. The bad news is there's no reason for those apps to use their own code for something built into the system. And yet they do.
Joel has a 'hands on demo' online. You start by making a deeply nested folder.
$ mkdir -p ~/ACLShackles/1/2/3/4/5/6/7/8/9/10/11
Then you add some ACL gunk to the top level ACLShackles.
$ chmod +a "$(whoami) allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" ~/ACLShackles/
Quite a lot of gunk. Check your work with 'ls -led ~/ACLShackles' and then it's time to take on the bug: get Finder (Path Finder) up and running, select the '1' subdirectory, and duplicate (⌘D). You'll get a '1 copy' hive beside the original. Now try to duplicate '1 copy' and you'll bomb out with a '-41'. And a single ACL looks like this.
Joel continues with an 'illustrated' demo using Chess.app and the results aren't prettier. Only more colourful.
What's supposed to happen on a 'proper' copy operation is each directory retains a single ACE. The ACE count in Joel's 'Chess' test reached 110 before the system bottomed out.
Path Finder doesn't hurl a '-41' - it just hangs. Only Rixstep's Xfile does it right. Joel comments: 'Rixstep software is quite conscientious about doing the Right Thing™'.
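An added example, not from the original article or from Joel's write-up: a shell function that reads 'ls -led' listings and reports, for each entry, how many ACEs it carries and how many of them are exact duplicates, which is the symptom described above. The user name, paths and listing in sample_listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: reads `ls -led` output on stdin and prints one line per
# entry in the form "<aces> <duplicates> <path>".
ace_report() {
    awk '
    /^ [0-9]+: / {                     # ACE line, e.g. " 0: user:joel inherited allow ..."
        if (path == "") next           # ACE with no preceding entry line: ignore
        sub(/^ [0-9]+: /, "")          # drop the index so identical ACEs compare equal
        total[path]++
        if (seen[path, $0]++) dup[path]++
        next
    }
    NF >= 9 {                          # entry: mode links owner group size month day time name
        for (i = 1; i <= 8; i++) sub(/^[^ ]+ +/, "")
        path = $0                      # the remainder is the name, spaces included
        if (!(path in total)) { order[++n] = path; total[path] = 0; dup[path] = 0 }
    }
    END {
        for (i = 1; i <= n; i++)
            printf "%d %d %s\n", total[order[i]], dup[order[i]], order[i]
    }'
}

# Constructed sample: the original keeps one inherited ACE, the copy has it twice.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x+ 3 joel  staff  102 Apr  1 10:00 /Users/joel/ACLShackles/1
 0: user:joel inherited allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
drwxr-xr-x+ 3 joel  staff  102 Apr  1 10:01 /Users/joel/ACLShackles/1 copy
 0: user:joel inherited allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
 1: user:joel inherited allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
EOF
}

sample_listing | ace_report
```

On a Mac, feed it real listings with 'find ~/ACLShackles -type d -exec ls -led {} + | ace_report'; any entry with a non-zero second column has picked up duplicated ACEs.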
Why Is This Bug Important?
Joel Bruner classified the bug as 'serious'. Why is it? And why is it important? Joel's own words.
For OS X Server environments, this affects crucial workflow behaviour where multiple people act upon the same files and folders. ACLs quickly stack up and render Finder unusable. Currently the last known proper behaviour for Finder was 10.6.2.
Then 10.6.3 and 10.6.4 added the quirk of adding an ACL entry that mimicked the Unix permissions of the user doing the copy operation, but at least the ACEs weren't duplicated ad nauseam.
But taking the insanity to new heights was 10.6.5, 10.6.6, and now 10.6.7 with the duplication bug that makes working with inherited permissions unbearable.
The issue is mitigated on OS X Client as Apple's 'FF' doesn't enable inheritance; on the other hand users miss out on inherited ACLs the day they start working right.
And that doesn't leave a lot of time. Scott's orphans are blissfully (inexcusably) unaware of what they're doing and Apple's Snow Leopard 10.6 might end up on the shelf as a woefully unusable server system.
Rixstep Learning Curve: .DS_Store Redux
The Technological: Desktop Services Store
Open Radar: Finder: Inherited ACL Duplication
Brunerd: Finder's Nasty Inherited ACL Bug (aka Error -41)
Rixstep's Red Hat Diaries: Back Burner (A Pretty Cool Place to Be)
Rixstep Developers Workshop: It Wasn't Good Then, It's No Better Now
WebSE: System 7 Simulation
TechCrunch: A Sleeping OS X Lion Stirs
Computerworld: Collected: Apple threat level hits new high
Computerworld: Apple's software chief quits as iOS eats Lion
Computerworld: What MacBook Pro future features might mean for OS X