Date: Thu, 3 Jan 2013 15:38:38 GMT
From: Sandra <littlesandra88@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/174948: owner@ always have ZFS ACL full permissions. Should not be the case.
Message-ID: <201301031538.r03FccYc007033@red.freebsd.org>
Resent-Message-ID: <201301031540.r03Fe1vx055858@freefall.freebsd.org>
>Number:         174948
>Category:       misc
>Synopsis:       owner@ always have ZFS ACL full permissions. Should not be the case.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 03 15:40:01 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Sandra
>Release:        9
>Organization:
>Environment:
>Description:
The Oracle ZFS specs say

http://docs.oracle.com/cd/E19253-01/819-5461/ftyxi/index.html

"The owner of a file is granted the write_acl permission unconditionally, even if the permission is explicitly denied."

But it is not possible to restrict the owner in any way.

The following is the output from the script in "How to repeat the problem", which shows that removing all ACLs on owner@ has no effect.

p="/tank/project1"
f="$p/test2"
u="user1"

rm -f $f

setfacl -b $p
setfacl -m group@::fd:allow $p || exit 1
setfacl -m everyone@::fd:allow $p || exit 1
setfacl -m owner@::fd:allow $p || exit 1
setfacl -m u:$u:rwx:fd:allow $p || exit 1
setfacl -m u:$u:aA:fd:deny $p || exit 1

getfacl $p
# file: /tank/project1
# owner: root
# group: wheel
user:user1:------aA------:fd----:deny
user:user1:rwx-----------:fd----:allow
owner@:--------------:fd----:allow
group@:--------------:fd----:allow
everyone@:--------------:fd----:allow

su -m $u -c "echo test > $f"
setfacl -m u:$u::allow $f || exit 1

getfacl $f
# file: /tank/project1/test2
# owner: user1
# group: wheel
user:user1:------aA------:------:deny
user:user1:--------------:------:allow
owner@:--------------:------:allow
group@:--------------:------:allow
everyone@:--------------:------:allow

su -m $u -c "touch -amct 191212121212 $f"
ls -l $f
----------+ 1 user1 wheel 5 Dec 12 1912 /tank/project1/test2

su -m $u -c "cat $f"
cat: /tank/project1/test2: Permission denied

su -m $u -c "chmod 777 $f"
ls -l $f
-rwxrwxrwx+ 1 user1 wheel 5 Dec 12 1912 /tank/project1/test2

su -m $u -c "cat $f"
test

su -m $u -c "setfacl -m u:$u:full_set:allow $f"
su -m $u -c "setfacl -x u:$u::deny $f"

getfacl $f
# file: /tank/project1/test2
# owner: user1
# group: wheel
user:user1:rwxpDdaARWcCos:------:allow
owner@:rwxp--aARWcCos:------:allow
group@:rwxp--a-R-c--s:------:allow
everyone@:rwxp--a-R-c--s:------:allow

>How-To-Repeat:
p="/tank/project1"
f="$p/test2"
u="user1"

rm -f $f

setfacl -b $p
setfacl -m group@::fd:allow $p || exit 1
setfacl -m everyone@::fd:allow $p || exit 1
setfacl -m owner@::fd:allow $p || exit 1
setfacl -m u:$u:rwx:fd:allow $p || exit 1
setfacl -m u:$u:aA:fd:deny $p || exit 1

getfacl $p

su -m $u -c "echo test > $f"
setfacl -m u:$u::allow $f || exit 1

getfacl $f

su -m $u -c "touch -amct 191212121212 $f"
ls -l $f

su -m $u -c "cat $f"

su -m $u -c "chmod 777 $f"
ls -l $f

su -m $u -c "cat $f"

su -m $u -c "setfacl -m u:$u:full_set:allow $f"
su -m $u -c "setfacl -x u:$u::deny $f"

getfacl $f
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
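
Added example, not part of the original report or of FreeBSD: an audit helper that parses compact getfacl output and lists deny bits aimed at a file's owner that the transcript above shows did not restrict the owner. The function names and the OWNER_RETAINED set are assumptions made for this example; the set is taken only from the touch and chmod steps in the report.

```python
import re

# Constructed from the getfacl output quoted in the report (file owned by user1).
SAMPLE_FILE = """\
# file: /tank/project1/test2
# owner: user1
# group: wheel
user:user1:------aA------:------:deny
user:user1:--------------:------:allow
owner@:--------------:------:allow
group@:--------------:------:allow
everyone@:--------------:------:allow
"""

# Assumption drawn from the report, not from FreeBSD documentation: the owner
# kept write_attributes (touch succeeded) and write_acl (chmod succeeded).
OWNER_RETAINED = {"A": "write_attributes", "C": "write_acl"}


def parse_getfacl(text):
    """Parse compact NFSv4 getfacl output into (owner, [entry dicts])."""
    owner, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*owner:\s*(\S+)", line)
            if m:
                owner = m.group(1)
            continue
        fields = line.split(":")
        # user:/group: entries carry a name field; owner@, group@, everyone@ do not.
        n = 2 if fields[0] in ("user", "group") else 1
        if len(fields) < n + 3:
            raise ValueError(f"unrecognised ACL entry: {line!r}")
        perms, flags, ace_type = fields[n:n + 3]
        entries.append({"who": ":".join(fields[:n]), "perms": perms,
                        "flags": flags, "type": ace_type})
    return owner, entries


def ineffective_owner_denies(text):
    """List (who, permission) deny bits aimed at the owner that the report shows not binding."""
    owner, entries = parse_getfacl(text)
    hits = []
    for e in entries:
        # Inherit-only entries ("i" flag) do not apply to the object itself.
        applies = e["who"] in ("owner@", f"user:{owner}") and "i" not in e["flags"]
        if e["type"] == "deny" and applies:
            hits += [(e["who"], name) for bit, name in OWNER_RETAINED.items()
                     if bit in e["perms"]]
    return hits
```

Feed it the text of `getfacl <file>`; an empty list means no deny entry in the ACL targets the owner for the bits in OWNER_RETAINED.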