Date: Sat, 13 Mar 2010 14:10:27 +0200
From: Andriy Gapon <avg@icyb.net.ua>
To: freebsd-fs@FreeBSD.org
Subject: Re: ZFS ACL usage question [solved]
Message-ID: <4B9B80B3.5050002@icyb.net.ua>
In-Reply-To: <4B966925.1040609@icyb.net.ua>
References: <4B966925.1040609@icyb.net.ua>
I've got a resolution for the below issue thanks to the great help from Edward Tomasz Napierala (trasz@).

on 09/03/2010 17:28 Andriy Gapon said the following:
> I have a usage question on ZFS ACL.
> Perhaps it's something trivial that should have been asked on questions@,
> apologies in that case.
>
> Let's say for simplicity that I want some directory to be equally shared by two
> users. Both should have full access and new files created by one user should
> still be fully accessible by the other.
> I can't seem to be able to configure ACLs to get that.
>
> Let's say the users are user1 and user2.
> The original directory is owned by user1:
> $ ls -ld ~/testdir
> drwxrwxr-x+ 22 user1 group0 26 9 Mar 13:01 /home/user1/testdir
>
> I then issue the following commands:
> $ setfacl -b -m user:user1:rwxAWCo:fd:allow ~/testdir
> $ setfacl -m user:user1::fd:deny ~/testdir

Just in case: this deny entry is redundant; I added it only in an attempt to fight the ACL inheritance issue.

> $ setfacl -m user:user2:rwxAWCo:fd:allow ~/testdir
> $ setfacl -m user:user2::fd:deny ~/testdir

Ditto.

> $ getfacl ~/testdir
> # file: /home/user1/testdir
> # owner: user1
> # group: group0
> user:user2:--------------:fd----:deny
> user:user2:rwx----A-W-Co-:fd----:allow
> user:user1:--------------:fd----:deny
> user:user1:rwx----A-W-Co-:fd----:allow
> owner@:--------------:------:deny
> owner@:rwxp---A-W-Co-:------:allow
> group@:--------------:------:deny
> group@:rwxp----------:------:allow
> everyone@:-w-p---A-W-Co-:------:deny
> everyone@:r-x---a-R-c--s:------:allow
>
> Then I create a new file as user1 like this (umask is set to 022):
> $ touch ~/testdir/test
> $ ls -ld ~/testdir/test
> -rw-r--r--+ 1 user1 group0 0 9 Mar 13:01 /home/user1/testdir/test
> $ getfacl ~/testdir/test
> # file: /home/user1/testdir/test
> # owner: user1
> # group: group0
> user:user2:--------------:------:deny
> user:user2:-wx-----------:------:deny
> user:user2:rwx----A-W----:------:allow
> user:user1:--------------:------:deny
> user:user1:--x-----------:------:deny
> user:user1:rwx----A-W----:------:allow
> owner@:--x-----------:------:deny
> owner@:rw-p---A-W-Co-:------:allow
> group@:-wxp----------:------:deny
> group@:r-------------:------:allow
> everyone@:-wxp---A-W-Co-:------:deny
> everyone@:r-----a-R-c--s:------:allow
>
>
> So now there are two deny entries for both users and one of them makes sure that user2
> cannot modify the file.
> What am I doing wrong? :-)

So, I totally missed the aclmode and aclinherit properties of the ZFS filesystem in question.
Apparently, with their default values, ACL permissions are also implicitly subjected to the limitations of regular Unix permissions.

More information on aclmode and aclinherit can be obtained from these links:
http://docs.sun.com/app/docs/doc/819-5461/gbaaz?a=view
http://docs.sun.com/app/docs/doc/819-5461/gbaax?a=view
http://docs.sun.com/app/docs/doc/819-5461/ftyxi?a=view

Summary: to get pure ACL behavior unaffected by Unix permissions, both aclmode and aclinherit should be set to passthrough.

With those settings I got ACL inheritance working as I originally expected. Access works as expected too.

-- 
Andriy Gapon
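As an added example (not part of the message and not FreeBSD code), a small Python evaluator for ACLs in FreeBSD getfacl(1) text form, run over the two ACLs quoted above: it shows that the directory ACL grants user2 write_data, while the file ZFS created inside it under the default aclmode/aclinherit does not, because the mode-derived deny entries are matched first. It assumes FreeBSD's first-matching-ACE-per-bit evaluation and that user2 is neither the owner nor a member of group0.

```python
def parse_acl(text):
    """Return (tag, qualifier, perms, kind) per ACE in FreeBSD getfacl(1) format.
    Tokens split on whitespace, so header lines ('# file: ...') are skipped."""
    aces = []
    for ent in text.split():
        if not ent.endswith((":allow", ":deny")):
            continue
        f = ent.split(":")
        qual = f[1] if f[0] in ("user", "group") else ""  # named user/group only
        mask, kind = f[-3], f[-1]  # 14-char mask in "rwxpDdaARWcCos" order, then type
        aces.append((f[0], qual, {c for c in mask if c != "-"}, kind))
    return aces

def effective_perms(aces, user, groups, owner, file_group):
    """Letters `user` is granted: each bit is settled by the first ACE that applies
    to the user and names it (allow or deny); bits no ACE names stay denied."""
    decided = {}
    for tag, qual, perms, kind in aces:
        applies = (tag == "everyone@" or (tag == "user" and qual == user)
                   or (tag == "group" and qual in groups) or (tag == "owner@" and user == owner)
                   or (tag == "group@" and file_group in groups))
        if applies:
            for p in perms:
                decided.setdefault(p, kind == "allow")
    return {p for p, ok in decided.items() if ok}

# Both ACLs are copied from the message: the directory as set with setfacl, and the
# file ZFS created inside it under the default aclmode/aclinherit settings.
DIR_ACL = """
user:user2:--------------:fd----:deny  user:user2:rwx----A-W-Co-:fd----:allow
user:user1:--------------:fd----:deny  user:user1:rwx----A-W-Co-:fd----:allow
owner@:--------------:------:deny      owner@:rwxp---A-W-Co-:------:allow
group@:--------------:------:deny      group@:rwxp----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny   everyone@:r-x---a-R-c--s:------:allow
"""
FILE_ACL = """
user:user2:--------------:------:deny  user:user2:-wx-----------:------:deny
user:user2:rwx----A-W----:------:allow user:user1:--------------:------:deny
user:user1:--x-----------:------:deny  user:user1:rwx----A-W----:------:allow
owner@:--x-----------:------:deny      owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny      group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny   everyone@:r-----a-R-c--s:------:allow
"""

def user2_can_write(acl_text):
    """Does user2 (assumed: not the owner, not in group0) get write_data (w)?"""
    return "w" in effective_perms(parse_acl(acl_text), "user2", set(), "user1", "group0")
# user2_can_write(DIR_ACL) is True; user2_can_write(FILE_ACL) is False
```

The same check can be run over getfacl output of a file created after both properties are switched to passthrough, to confirm that the inherited user entries now decide access.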
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B9B80B3.5050002>