With cobbler-1.3.4, I had added an acl group privilege: * *cobbler aclsetup --addgroup=mygroup* I executed the above command after ensuring the mounted ext3 filesystems involved were sane * *mount -o remount,acl,user_xattr /var* Now when I execute *cobbler reposync --only=test-64*, I receive the following output ### BEGIN OUTPUT ### [me@host ~]$ rsync -rltDv --delete --delete-excluded --exclude-from=/etc/cobbler/rsync.exclude /opt/repos/test/x86_64/ /var/www/cobbler/repo_mirror/test-64 building file list ... done ./ rsync: failed to set times on "/var/www/cobbler/repo_mirror/test-64/.": Operation not permitted (1) base/ rsync: failed to set times on "/var/www/cobbler/repo_mirror/test-64/base": Operation not permitted (1) repodata/ rsync: failed to set times on "/var/www/cobbler/repo_mirror/test-64/repodata": Operation not permitted (1) rsync: failed to set times on "/var/www/cobbler/repo_mirror/test-64/.": Operation not permitted (1) rsync: failed to set times on "/var/www/cobbler/repo_mirror/test-64/base": Operation not permitted (1) rsync: failed to set times on "/var/www/cobbler/repo_mirror/test-64/repodata": Operation not permitted (1) ### END OUTPUT ### /var/www/cobbler/repo_mirror/* has owner:group=apache:apache. I tried changing the group recursively to 'mygroup' with write permission. No luck. After scouring through numerous search results, I concluded that rsync does not modify standard mtime stats using the normal system call; it uses its own algorithm -- /*which ultimately requires changing "ownership" of the repos*/. This seems to defeat the purpose of using ACLs in conjunction w/ cobbler. In order to write files without worrying about rsync time oddities, I inserted *-O* *(--omit-dir-times)* into the "action_reposync.py" file: * 'cmd = "rsync -rltDvO %s --delete --delete-excluded --exclude-from=/etc/cobbler/rsync.exclude %s %s" % (spacer, repo.mirror, dest_path)' The question remains, however, whether the rsync time synchronizations are needed. If so, this patch will not work, and there will have to be some workaround - e.g. setuid bit? --- I would *love* to hear that this is a non-issue and someone sees right through this logic. --- But... we're not done yet. There's another 'acl gotcha' in action_reposync.pl: *chown -R root:apache*. I don't see how this can be done without setuid/setguid root or some additional acl magic. ### BEGIN OUTPUT ### ... ... ... chmod: changing permissions of `/var/www/cobbler/repo_mirror/test-64/base/test-1.1-1.x86_64.rpm': Operation not permitted chmod: changing permissions of `/var/www/cobbler/repo_mirror/test-64/base/a-1-2.noarch.rpm': Operation not permitted ... ... ... ### END OUTPUT ### Any thoughts? Thanks, - A.