From: Andriy Gapon <avg@icyb.net.ua>
To: freebsd-fs@FreeBSD.org
Date: Sat, 13 Mar 2010 14:10:27 +0200
Message-ID: <4B9B80B3.5050002@icyb.net.ua>
In-Reply-To: <4B966925.1040609@icyb.net.ua>
Subject: Re: ZFS ACL usage question [solved]

I've got a resolution for the below issue thanks to the great help from
Edward Tomasz Napierala (trasz@).

on 09/03/2010 17:28 Andriy Gapon said the following:
> I have a usage question on ZFS ACL.
> Perhaps it's something trivial that should have been asked on questions@,
> apologies in that case.
>
> Let's say for simplicity that I want some directory to be equally shared by two
> users. Both should have full access and new files created by one user should
> still be fully accessible by the other.
> I can't seem to be able to configure ACLs to get that.
>
> Let's say the users are user1 and user2.
> The original directory is owned by user1:
> $ ls -ld ~/testdir
> drwxrwxr-x+ 22 user1 group0 26 9 Mar 13:01 /home/user1/testdir
>
> I then issue the following commands:
> $ setfacl -b -m user:user1:rwxAWCo:fd:allow ~/testdir
> $ setfacl -m user:user1::fd:deny ~/testdir

Just in case, this deny entry is redundant; I added it only in an attempt to
fight the ACL inheritance issue.

> $ setfacl -m user:user2:rwxAWCo:fd:allow ~/testdir
> $ setfacl -m user:user2::fd:deny ~/testdir

Ditto.

> $ getfacl ~/testdir
> # file: /home/user1/testdir
> # owner: user1
> # group: group0
> user:user2:--------------:fd----:deny
> user:user2:rwx----A-W-Co-:fd----:allow
> user:user1:--------------:fd----:deny
> user:user1:rwx----A-W-Co-:fd----:allow
> owner@:--------------:------:deny
> owner@:rwxp---A-W-Co-:------:allow
> group@:--------------:------:deny
> group@:rwxp----------:------:allow
> everyone@:-w-p---A-W-Co-:------:deny
> everyone@:r-x---a-R-c--s:------:allow
>
> Then I create a new file as user1 like this (umask is set to 022):
> $ touch ~/testdir/test
> $ ls -ld ~/testdir/test
> -rw-r--r--+ 1 user1 group0 0 9 Mar 13:01 /home/user1/testdir/test
> $ getfacl ~/testdir/test
> # file: /home/user1/testdir/test
> # owner: user1
> # group: group0
> user:user2:--------------:------:deny
> user:user2:-wx-----------:------:deny
> user:user2:rwx----A-W----:------:allow
> user:user1:--------------:------:deny
> user:user1:--x-----------:------:deny
> user:user1:rwx----A-W----:------:allow
> owner@:--x-----------:------:deny
> owner@:rw-p---A-W-Co-:------:allow
> group@:-wxp----------:------:deny
> group@:r-------------:------:allow
> everyone@:-wxp---A-W-Co-:------:deny
> everyone@:r-----a-R-c--s:------:allow
>
>
> So now there are two deny entries for both users and one of them makes sure
> that user2 cannot modify the file.
> What am I doing wrong? :-)

So, I totally missed the aclmode and aclinherit properties of the ZFS
filesystem in question. Apparently with their default values ACL permissions
are also implicitly subjected to limitations by regular Unix permissions.
More information on aclmode and aclinherit can be obtained from these links:
http://docs.sun.com/app/docs/doc/819-5461/gbaaz?a=view
http://docs.sun.com/app/docs/doc/819-5461/gbaax?a=view
http://docs.sun.com/app/docs/doc/819-5461/ftyxi?a=view

Summary: to get pure ACL behavior unaffected by Unix permissions, both aclmode
and aclinherit should be set to passthrough.
With those settings I got ACL inheritance working as I originally expected.
Access works as expected too.

-- 
Andriy Gapon
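The aclmode/aclinherit point from the summary above, as an added example that is not part of the mail: a POSIX sh helper that parses the output of `zfs get -H -o name,property,value aclmode,aclinherit` and lists datasets whose ACL entries are still trimmed by the Unix mode bits, plus the two `zfs set` commands that switch a dataset to passthrough. The `zfs get` output produced by `sample_input` is constructed, and the dataset names `tank/home` and `tank/shared` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original mail.
# Reads the tab-separated output of
#   zfs get -H -o name,property,value aclmode,aclinherit
# on stdin and prints one line per dataset whose aclmode or aclinherit is not
# "passthrough", i.e. where ACL entries are still silently cut down by the
# Unix mode bits as the mail describes. Exit status 0 = all passthrough, 1 = not.
audit_acl_props() {
    awk -F'\t' '
        !($1 in seen)      { seen[$1] = 1; order[++n] = $1 }
        $2 == "aclmode"    { mode[$1] = $3 }
        $2 == "aclinherit" { inh[$1] = $3 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                ds = order[i]
                if (mode[ds] != "passthrough" || inh[ds] != "passthrough") {
                    printf "%s aclmode=%s aclinherit=%s\n", ds, mode[ds], inh[ds]
                    bad = 1
                }
            }
            exit bad
        }'
}

# Print (rather than run) the two property changes from the mail's summary for
# one dataset, so the script is safe to source on any host.
fix_commands() {
    printf 'zfs set aclmode=passthrough %s\n' "$1"
    printf 'zfs set aclinherit=passthrough %s\n' "$1"
}

# Constructed sample of "zfs get -H" output (assumed dataset names): one dataset
# not yet converted, one already on passthrough for both properties.
sample_input() {
    printf 'tank/home\taclmode\tgroupmask\n'
    printf 'tank/home\taclinherit\trestricted\n'
    printf 'tank/shared\taclmode\tpassthrough\n'
    printf 'tank/shared\taclinherit\tpassthrough\n'
}

# Walk the sample and emit the fix commands for every dataset reported.
demo() {
    sample_input | audit_acl_props | while read -r ds rest; do
        fix_commands "$ds"
    done
}
```

On a real host, replace `sample_input` with `zfs get -H -o name,property,value aclmode,aclinherit` to audit every dataset.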