From owner-freebsd-fs@FreeBSD.ORG Tue Oct 29 15:28:31 2013
Message-ID: <526FD257.6010201@skylinetele.com>
Date: Tue, 29 Oct 2013 17:20:55 +0200
From: "Prokofiev S.P." <proks@skylinetele.com>
Organization: Skyline Telecom.
To: Rick Macklem
Cc: freebsd-fs@freebsd.org
Subject: Re: Mapping POSIX ACLs to NFSv4 ACLs for Samba storage
References: <317463358.40289383.1381537328684.JavaMail.root@uoguelph.ca>
In-Reply-To: <317463358.40289383.1381537328684.JavaMail.root@uoguelph.ca>

Thank you for your answer. Sorry for my delay, I was very busy.

In my opinion, if we don't take into account the Windows requirements on rule ordering, then the draft proposes a more or less correct solution. As for me, there are two solutions to this problem. The first: create UFS on a zvol and move the data there. The second, as you said, is a simple translation for my application, i.e. Samba. In my example the solution could look like this (it's formal and for compatibility with Windows applications):

owner@:--------------:fd----:deny
user:10015:-w-p---A---C--:fd----:deny
user:10049:-w-p---A---C--:fd----:deny
user:10072:-------A---C--:fd----:deny
owner@:rwxpD-aA--cC-s:fd----:allow
user:10015:r-x---a---c--s:fd----:allow
user:10049:r-x---a---c--s:fd----:allow
user:10072:rwxpD-a---c--s:fd----:allow
group@:------a---c--s:fd----:allow
group:10008:rwxpD-a---c--s:fd----:allow
group:544:rwxpD-a---c--s:fd----:allow
group:10131:r-x---a---c--s:fd----:allow
everyone@:--------------:fd----:allow

The last rule is a deny rule for other groups. In the common case the solution is more complicated, of course. We should take into account that the groups could have the same users and, moreover, users of the user list could be members of these groups.
Therefore we couldn't place all of the deny rules in front of the allow rules, as Windows applications require.

On 12.10.2013 03:22, Rick Macklem wrote:
> Prokofiev S.P. wrote:
>> Hi all,
>>
>> I propose to talk about an issue. I have a task of moving data from
>> UFS+ACLs storage to a ZFS pool. Dump/restore is the best way. But only
>> owner/owner_group is saved. I've written a Perl script to translate
>> POSIX ACLs to NFSv4 ACLs. I referred to the last draft of it
>> (http://tools.ietf.org/html/draft-iet...acl-mapping-05) to emulate
>> POSIX behaviour of permissions. I got something like that, for
>> instance:
>>
> It probably isn't of much help to you, but eventually the NFSv4
> working group realized that mapping between POSIX<->NFSv4 ACLs
> wasn't possible. Those drafts were just failed attempts.
>
> Also, if you are going to put all deny ACEs before all allow
> ACEs, then the deny ACEs must not specify anything that is
> allowed by the allow ACEs. (I suspect you already know, but
> the NFSv4 ACL is evaluated by testing each ACE in order and
> any match for a deny ACE denies access and any matching allow ACE
> allows access. As such, re-ordering ACEs in the ACL changes
> the ACL's semantics.)
>
> Good luck with this. I do not believe there is a correct solution
> in general, so all you can hope for is a simple translation
> that captures enough semantics for your application.
>
> rick
>
>> Source directory on UFS:
>>
>> > getfacl /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
>> # file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
>> # owner: 10051
>> # group: 513
>> user::rwx
>> user:10015:r-x
>> user:10049:r-x
>> user:10072:rwx
>> group::---
>> group:544:rwx
>> group:10008:rwx
>> group:10131:r-x
>> mask::rwx
>> other::---
>>
>> > getfacl -d /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
>> # file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
>> # owner: 10051
>> # group: 513
>> user::rwx
>> user:10015:r-x
>> user:10049:r-x
>> user:10072:rwx
>> group::---
>> group:544:rwx
>> group:10008:rwx
>> group:10131:r-x
>> mask::rwx
>> other::---
>>
>> Target directory on ZFS:
>>
>> # getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
>> # file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
>> # owner: 10051
>> # group: 513
>> owner@:--------------:fd----:deny
>> owner@:rwxpD-aA--cC-s:fd----:allow
>> user:10015:-w-p---A---C--:fd----:deny
>> user:10015:r-x---a---c--s:fd----:allow
>> user:10049:-w-p---A---C--:fd----:deny
>> user:10049:r-x---a---c--s:fd----:allow
>> user:10072:-------A---C--:fd----:deny
>> user:10072:rwxpD-a---c--s:fd----:allow
>> group@:------a---c--s:fd----:allow
>> group:10008:rwxpD-a---c--s:fd----:allow
>> group:544:rwxpD-a---c--s:fd----:allow
>> group:10131:r-x---a---c--s:fd----:allow
>> group@:rwxp---A---C--:fd----:deny
>> group:10008:-------A---C--:fd----:deny
>> group:544:-------A---C--:fd----:deny
>> group:10131:-w-p---A---C--:fd----:deny
>> everyone@:rwxp---A---C--:fd----:deny
>> everyone@:------a---c--s:fd----:allow
>>
>> I was happy, but Windows made me sad. When I tried to look at
>> permissions of a file or a directory with a Windows file browser I had
>> a warning about ordering of permissions.
>> Then I tried to edit permissions
>> and allowed reordering and got this result of that:
>>
>> getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
>> # file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
>> # owner: 10051
>> # group: 513
>> user:10015:-w-pD--A---C--:fd----:deny
>> user:10049:-w-pD--A---C--:fd----:deny
>> user:10072:-------A---C--:fd----:deny
>> group@:rwxpD--A---C--:fd----:deny
>> group:10008:-------A---C--:fd----:deny
>> group:544:-------A---C--:fd----:deny
>> group:10131:-w-pD--A---C--:fd----:deny
>> everyone@:rwxpD--A---C--:fd----:deny <<<<<<<<<
>> owner@:rwxpD-aA--cC--:fd----:allow
>> user:10015:r-x---a---c---:fd----:allow
>> user:10049:r-x---a---c---:fd----:allow
>> user:10072:rwxpD-a---c---:fd----:allow
>> group@:------a---c---:fd----:allow
>> group:10008:rwxpD-a---c---:fd----:allow
>> group:544:rwxpD-a---c---:fd----:allow
>> group:10131:r-x---a---c---:fd----:allow
>> everyone@:------a---c---:fd----:allow
>>
>> But it won't work, because of (everyone@:rwxpD--A---C--:fd----:deny).
>> It's a mess. As it turned out, according to
>> http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx
>> it's a rule of ordering of Windows permissions.

-- 
Prokofiev Sergii proks@skylinetele.com
System and Network Administrator, PROK-RIPE
ISP Skyline Telecom
Odessa, Ukraine
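As an added example (not code from the thread or from any of its participants), the following Python evaluator applies the in-order NFSv4 ACE walk Rick describes to getfacl-style ACE lines, using constructed ACLs modelled on the ones quoted above (file owner 10051, group 513, a requester with uid 10072 in group 10008). It shows that the interleaved deny/allow order grants user 10072 write access, while the Windows-canonical reordering of the same ACEs denies it through the everyone@ deny ACE; all function and constant names are my own.

```python
# Added example: evaluator for FreeBSD getfacl NFSv4 ACE lines, following the
# RFC 3530 walk: ACEs are tested in order, bits already ALLOWED stay settled,
# and a matching DENY ACE that still covers an unsettled bit rejects the request.
PERM_CHARS = "rwxpDdaARWcCos"  # getfacl permission column order

def parse_ace(line):
    """Parse 'owner@:perms:flags:type' or 'user:UID:perms:flags:type'."""
    f = line.strip().split(":")
    qual = None if f[0].endswith("@") else int(f.pop(1))   # uid/gid qualifier
    mask = {c for c, p in zip(PERM_CHARS, f[1]) if p != "-"}
    return f[0], qual, mask, f[3]

def matches(who, qual, uid, gids, owner_uid, owner_gid):
    return {"everyone@": True, "owner@": uid == owner_uid,
            "group@": owner_gid in gids, "user": uid == qual,
            "group": qual in gids}[who]

def check_access(acl, uid, gids, owner_uid, owner_gid, wanted):
    """True if every permission letter in `wanted` is granted to uid/gids."""
    pending = set(wanted)
    for line in acl.strip().splitlines():
        who, qual, mask, kind = parse_ace(line)
        if not matches(who, qual, uid, gids, owner_uid, owner_gid):
            continue
        hit = pending & mask
        if kind == "deny" and hit:
            return False          # an unsettled bit was hit by a DENY ACE
        pending -= hit            # an ALLOW ACE settles these bits
        if not pending:
            return True
    return False                  # end of ACL with bits still unsettled

# Constructed ACLs modelled on the thread. First the per-principal
# deny/allow pairs in the order the translation script emitted them:
INTERLEAVED = """\
user:10072:-------A---C--:fd----:deny
user:10072:rwxpD-a---c--s:fd----:allow
everyone@:rwxp---A---C--:fd----:deny
everyone@:------a---c--s:fd----:allow
"""
# The same ACEs after Windows moved every DENY in front of every ALLOW:
WINDOWS_ORDER = """\
user:10072:-------A---C--:fd----:deny
everyone@:rwxp---A---C--:fd----:deny
user:10072:rwxpD-a---c--s:fd----:allow
everyone@:------a---c--s:fd----:allow
"""

def write_allowed(acl):  # can uid 10072 (member of group 10008) write?
    return check_access(acl, 10072, {10008}, 10051, 513, "w")
```

Swapping the two ACL constants into `write_allowed` reproduces the thread's observation: the interleaved list returns True and the reordered list returns False, because the everyone@ deny now precedes the user's allow.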