Date: Tue, 29 Oct 2013 17:20:55 +0200
From: "Prokofiev S.P." <proks@skylinetele.com>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: freebsd-fs@freebsd.org
Subject: Re: Mapping POSIX ACLs to NFSv4 ACLs for Samba storage
Message-ID: <526FD257.6010201@skylinetele.com>
In-Reply-To: <317463358.40289383.1381537328684.JavaMail.root@uoguelph.ca>
References: <317463358.40289383.1381537328684.JavaMail.root@uoguelph.ca>
Thank you for your answer. Sorry for my delay, I was very busy.

In my opinion, if we don't take into account Windows' requirements on rule ordering, then the draft proposes a more or less correct solution. As for me, there are two solutions to this problem. The first: create UFS on a zvol and move the data there. The second, as you said, is a simple translation for my application, i.e. Samba. In my example the solution could look like this (it's formal and for compatibility with Windows applications):

owner@:--------------:fd----:deny
user:10015:-w-p---A---C--:fd----:deny
user:10049:-w-p---A---C--:fd----:deny
user:10072:-------A---C--:fd----:deny
owner@:rwxpD-aA--cC-s:fd----:allow
user:10015:r-x---a---c--s:fd----:allow
user:10049:r-x---a---c--s:fd----:allow
user:10072:rwxpD-a---c--s:fd----:allow
group@:------a---c--s:fd----:allow
group:10008:rwxpD-a---c--s:fd----:allow
group:544:rwxpD-a---c--s:fd----:allow
group:10131:r-x---a---c--s:fd----:allow
everyone@:--------------:fd----:allow

The last rule is a deny rule for other groups. In the common case the solution is more complicated, of course. We should take into account that the groups could have the same users and, moreover, users in the user list could be members of these groups. Therefore we couldn't place all of the deny rules in front of the allow rules, as Windows applications require.

On 12.10.2013 03:22, Rick Macklem wrote:
> Prokofiev S.P. wrote:
>> Hi all,
>>
>> I propose to talk about an issue. I have a task of moving data from
>> UFS+ACLs storage to a ZFS pool. Dump/restore is the best way. But only
>> owner/owner_group is saved. I've written a Perl script to translate
>> POSIX ACLs to NFSv4 ACLs. I referred to the last draft of it
>> (http://tools.ietf.org/html/draft-ietf-nfsv4-acl-mapping-05) to emulate
>> POSIX behaviour of permissions. I got something like that, for instance:
>>
> It probably isn't of much help to you, but eventually the NFSv4
> working group realized that mapping between POSIX<->NFSv4 ACLs
> wasn't possible. Those drafts were just failed attempts.
>
> Also, if you are going to put all deny ACEs before all allow
> ACEs, then the deny ACEs must not specify anything that is
> allowed by the allow ACEs. (I suspect you already know, but
> the NFSv4 ACL is evaluated by testing each ACE in order and
> any match for a deny ACE denies access and any matching allow ACE
> allows access. As such, re-ordering ACEs in the ACL changes
> the ACL's semantics.)
>
> Good luck with this. I do not believe there is a correct solution
> in general, so all you can hope for is a simple translation
> that captures enough semantics for your application.
>
> rick
>
>> Source directory on UFS:
>> Code:
>>
>> > getfacl /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
>> # file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
>> # owner: 10051
>> # group: 513
>> user::rwx
>> user:10015:r-x
>> user:10049:r-x
>> user:10072:rwx
>> group::---
>> group:544:rwx
>> group:10008:rwx
>> group:10131:r-x
>> mask::rwx
>> other::---
>>
>> > getfacl -d /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
>> # file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
>> # owner: 10051
>> # group: 513
>> user::rwx
>> user:10015:r-x
>> user:10049:r-x
>> user:10072:rwx
>> group::---
>> group:544:rwx
>> group:10008:rwx
>> group:10131:r-x
>> mask::rwx
>> other::---
>>
>> Target directory on ZFS:
>> Code:
>>
>> # getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
>> # file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
>> # owner: 10051
>> # group: 513
>> owner@:--------------:fd----:deny
>> owner@:rwxpD-aA--cC-s:fd----:allow
>> user:10015:-w-p---A---C--:fd----:deny
>> user:10015:r-x---a---c--s:fd----:allow
>> user:10049:-w-p---A---C--:fd----:deny
>> user:10049:r-x---a---c--s:fd----:allow
>> user:10072:-------A---C--:fd----:deny
>> user:10072:rwxpD-a---c--s:fd----:allow
>> group@:------a---c--s:fd----:allow
>> group:10008:rwxpD-a---c--s:fd----:allow
>> group:544:rwxpD-a---c--s:fd----:allow
>> group:10131:r-x---a---c--s:fd----:allow
>> group@:rwxp---A---C--:fd----:deny
>> group:10008:-------A---C--:fd----:deny
>> group:544:-------A---C--:fd----:deny
>> group:10131:-w-p---A---C--:fd----:deny
>> everyone@:rwxp---A---C--:fd----:deny
>> everyone@:------a---c--s:fd----:allow
>>
>> I was happy, but Windows made me sad. When I tried to look at
>> permissions of a file or a directory with a Windows file browser I had
>> a warning about the ordering of permissions. Then I tried to edit
>> permissions and allowed reordering and got this result of that:
>>
>> Code:
>>
>> getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
>> # file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
>> # owner: 10051
>> # group: 513
>> user:10015:-w-pD--A---C--:fd----:deny
>> user:10049:-w-pD--A---C--:fd----:deny
>> user:10072:-------A---C--:fd----:deny
>> group@:rwxpD--A---C--:fd----:deny
>> group:10008:-------A---C--:fd----:deny
>> group:544:-------A---C--:fd----:deny
>> group:10131:-w-pD--A---C--:fd----:deny
>> everyone@:rwxpD--A---C--:fd----:deny <<<<<<<<<
>> owner@:rwxpD-aA--cC--:fd----:allow
>> user:10015:r-x---a---c---:fd----:allow
>> user:10049:r-x---a---c---:fd----:allow
>> user:10072:rwxpD-a---c---:fd----:allow
>> group@:------a---c---:fd----:allow
>> group:10008:rwxpD-a---c---:fd----:allow
>> group:544:rwxpD-a---c---:fd----:allow
>> group:10131:r-x---a---c---:fd----:allow
>> everyone@:------a---c---:fd----:allow
>>
>> But it won't work, because of (everyone@:rwxpD--A---C--:fd----:deny).
>> It's a mess. As it turned out, according to
>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa379298%28v=vs.85%29.aspx
>> it's a rule of ordering of Windows permissions.
>>
>> _______________________________________________
>> freebsd-fs@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
>> To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"

--
Prokofiev Sergii
proks@skylinetele.com
System and Network Administrator, PROK-RIPE
ISP Skyline Telecom
Odessa, Ukraine
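The evaluation rule Rick states in the thread (each ACE is tested in order, a matching deny denies, a matching allow allows, so reordering changes the ACL's meaning) can be checked mechanically. The script below is an added example, not code from this thread, from FreeBSD or from Samba. It parses ACLs in the text form getfacl prints above, evaluates them with a per-bit first-match model (each requested bit is settled by the first matching ACE that mentions it; anything left unsettled is denied), and runs both the interleaved ACL from the first post and the deny-first ACL from the reply against a set of constructed principals. The uids 20001, 20002 and 30000 and gid 40000 used for those principals are made up for the demonstration. The third run moves the interleaved ACL's deny entries to the front, which is what Windows' canonical ordering does, and shows that every principal ends up with no access at all.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

PERM_CHARS = "rwxpDdaARWcCos"          # FreeBSD compact permission string, one char per bit
OWNER_UID, OWNER_GID = "10051", "513"  # owner and group of the directory in the thread
Subject = Tuple[str, Set[str]]         # (uid, set of gids the caller belongs to)

@dataclass
class Ace:
    tag: str         # owner@, group@, everyone@, user or group
    qualifier: str   # uid/gid for user:/group: entries, "" otherwise
    perms: Set[str]  # letters from PERM_CHARS that are set in this ACE
    flags: str       # inheritance flags, parsed but not evaluated here
    kind: str        # allow or deny

def parse_acl(text: str) -> List[Ace]:
    """Parse ACEs in the text form printed by FreeBSD getfacl; '#' lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) == 4:              # owner@/group@/everyone@ carry no qualifier field
            f.insert(1, "")
        tag, qual, perms, flags, kind = f
        if len(perms) != len(PERM_CHARS) or kind not in ("allow", "deny"):
            raise ValueError("bad ACE: " + line)
        aces.append(Ace(tag, qual, {c for c in perms if c != "-"}, flags, kind))
    return aces

def matches(ace: Ace, subj: Subject) -> bool:
    uid, groups = subj
    return {"owner@": uid == OWNER_UID, "group@": OWNER_GID in groups, "everyone@": True,
            "user": uid == ace.qualifier, "group": ace.qualifier in groups}[ace.tag]

def has_access(acl: List[Ace], subj: Subject, wanted: str) -> bool:
    """Walk the ACL in order: each requested bit is settled by the first matching ACE
    that mentions it, a bit nothing settles is denied, and every bit must be allowed."""
    undecided, allowed = set(wanted), set()
    for ace in acl:
        if not undecided:
            break
        if matches(ace, subj):
            hit = undecided & ace.perms
            if ace.kind == "allow":
                allowed |= hit
            undecided -= hit
    return allowed == set(wanted)

def deny_first(acl: List[Ace]) -> List[Ace]:
    """Stable reorder with every deny ACE ahead of every allow ACE, the order Windows wants."""
    return [a for a in acl if a.kind == "deny"] + [a for a in acl if a.kind == "allow"]

# Constructed test principals: uids 20001, 20002, 30000 and gid 40000 are made up for the demo.
SUBJECTS = {"owner": ("10051", {"513"}), "user10015": ("10015", {"513"}),
            "user10072": ("10072", {"513"}), "member10008": ("20001", {"513", "10008"}),
            "member10131": ("20002", {"10131"}), "outsider": ("30000", {"40000"})}

def summarize(acl: List[Ace]) -> dict:
    """Effective rwx for each test principal, e.g. {'owner': 'rwx', ..., 'outsider': '---'}."""
    return {name: "".join(c if has_access(acl, s, c) else "-" for c in "rwx")
            for name, s in SUBJECTS.items()}

# The interleaved ACL from the first post (as it landed on ZFS) and the deny-first ACL from the reply.
INTERLEAVED = """owner@:--------------:fd----:deny
owner@:rwxpD-aA--cC-s:fd----:allow
user:10015:-w-p---A---C--:fd----:deny
user:10015:r-x---a---c--s:fd----:allow
user:10049:-w-p---A---C--:fd----:deny
user:10049:r-x---a---c--s:fd----:allow
user:10072:-------A---C--:fd----:deny
user:10072:rwxpD-a---c--s:fd----:allow
group@:------a---c--s:fd----:allow
group:10008:rwxpD-a---c--s:fd----:allow
group:544:rwxpD-a---c--s:fd----:allow
group:10131:r-x---a---c--s:fd----:allow
group@:rwxp---A---C--:fd----:deny
group:10008:-------A---C--:fd----:deny
group:544:-------A---C--:fd----:deny
group:10131:-w-p---A---C--:fd----:deny
everyone@:rwxp---A---C--:fd----:deny
everyone@:------a---c--s:fd----:allow"""
PROPOSED = """owner@:--------------:fd----:deny
user:10015:-w-p---A---C--:fd----:deny
user:10049:-w-p---A---C--:fd----:deny
user:10072:-------A---C--:fd----:deny
owner@:rwxpD-aA--cC-s:fd----:allow
user:10015:r-x---a---c--s:fd----:allow
user:10049:r-x---a---c--s:fd----:allow
user:10072:rwxpD-a---c--s:fd----:allow
group@:------a---c--s:fd----:allow
group:10008:rwxpD-a---c--s:fd----:allow
group:544:rwxpD-a---c--s:fd----:allow
group:10131:r-x---a---c--s:fd----:allow
everyone@:--------------:fd----:allow"""

if __name__ == "__main__":
    print("interleaved            ", summarize(parse_acl(INTERLEAVED)))
    print("proposed               ", summarize(parse_acl(PROPOSED)))
    print("interleaved, deny-first", summarize(deny_first(parse_acl(INTERLEAVED))))
```

Both the interleaved ACL and the deny-first ACL from the reply give the same r/w/x answers for these principals, while the deny-first permutation of the interleaved ACL denies everything, because group@ and everyone@ deny entries that were meant to run after the allows now run before them. The model is deliberately narrow: it checks only the r, w and x bits, ignores the inheritance flags and the extra rights FreeBSD grants a file's owner implicitly, and does not reproduce the bit changes (D added, s dropped) that the Windows editor made in the thread.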