Date: Fri, 11 Oct 2013 16:47:57 +0300
From: "Prokofiev S.P." <proks@skylinetele.com>
To: freebsd-fs@freebsd.org
Subject: Mapping POSIX ACLs to NFSv4 ACLs for Samba storage
Message-ID: <5258018D.2040301@skylinetele.com>

Hi all,

I propose to talk about an issue. I have a task of moving data from UFS+ACLs storage to a ZFS pool. Dump/restore is the best way. But only owner/owner_group is saved. I've written a Perl script to translate POSIX ACLs to NFSv4 ACLs. I referred to the last draft of it (<http://tools.ietf.org/html/draft-ietf-nfsv4-acl-mapping-05>) to emulate POSIX behaviour of permissions. I got something like that, for instance:

Source directory on UFS:

Code:

> getfacl /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
# file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
# owner: 10051
# group: 513
user::rwx
user:10015:r-x
user:10049:r-x
user:10072:rwx
group::---
group:544:rwx
group:10008:rwx
group:10131:r-x
mask::rwx
other::---
> getfacl -d /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
# file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
# owner: 10051
# group: 513
user::rwx
user:10015:r-x
user:10049:r-x
user:10072:rwx
group::---
group:544:rwx
group:10008:rwx
group:10131:r-x
mask::rwx
other::---

Target directory on ZFS:

Code:

# getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
# file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
# owner: 10051
# group: 513
owner@:--------------:fd----:deny
owner@:rwxpD-aA--cC-s:fd----:allow
user:10015:-w-p---A---C--:fd----:deny
user:10015:r-x---a---c--s:fd----:allow
user:10049:-w-p---A---C--:fd----:deny
user:10049:r-x---a---c--s:fd----:allow
user:10072:-------A---C--:fd----:deny
user:10072:rwxpD-a---c--s:fd----:allow
group@:------a---c--s:fd----:allow
group:10008:rwxpD-a---c--s:fd----:allow
group:544:rwxpD-a---c--s:fd----:allow
group:10131:r-x---a---c--s:fd----:allow
group@:rwxp---A---C--:fd----:deny
group:10008:-------A---C--:fd----:deny
group:544:-------A---C--:fd----:deny
group:10131:-w-p---A---C--:fd----:deny
everyone@:rwxp---A---C--:fd----:deny
everyone@:------a---c--s:fd----:allow

I was happy, but Windows made me sad.
When I tried to look at the permissions of a file or a directory with a Windows file browser, I got a warning about the ordering of permissions. Then I tried to edit the permissions, allowed the reordering, and got this result:

Code:

getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
# file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
# owner: 10051
# group: 513
user:10015:-w-pD--A---C--:fd----:deny
user:10049:-w-pD--A---C--:fd----:deny
user:10072:-------A---C--:fd----:deny
group@:rwxpD--A---C--:fd----:deny
group:10008:-------A---C--:fd----:deny
group:544:-------A---C--:fd----:deny
group:10131:-w-pD--A---C--:fd----:deny
everyone@:rwxpD--A---C--:fd----:deny <<<<<<<<<
owner@:rwxpD-aA--cC--:fd----:allow
user:10015:r-x---a---c---:fd----:allow
user:10049:r-x---a---c---:fd----:allow
user:10072:rwxpD-a---c---:fd----:allow
group@:------a---c---:fd----:allow
group:10008:rwxpD-a---c---:fd----:allow
group:544:rwxpD-a---c---:fd----:allow
group:10131:r-x---a---c---:fd----:allow
everyone@:------a---c---:fd----:allow

But it won't work, because of (everyone@:rwxpD--A---C--:fd----:deny). It's a mess. As it turned out, according to <http://msdn.microsoft.com/en-us/library/windows/desktop/aa379298%28v=vs.85%29.aspx>, it's a rule of ordering of Windows permissions.
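
The effect described in the message above can be reproduced with a small ordered-ACL evaluator. This is an added example, not the poster's Perl script: it is a simplified model of NFSv4 evaluation (inheritance flags and privileged overrides are ignored), the entries are copied from the two ZFS listings, and the function names and the group memberships passed in are assumptions made for illustration.

```python
# Simplified model of ordered NFSv4 ACL evaluation: inheritance flags and
# privileged overrides are ignored. Entries are copied from the two listings.
SCRIPT_ORDER = """
owner@:--------------:fd----:deny owner@:rwxpD-aA--cC-s:fd----:allow user:10015:-w-p---A---C--:fd----:deny
user:10015:r-x---a---c--s:fd----:allow user:10049:-w-p---A---C--:fd----:deny user:10049:r-x---a---c--s:fd----:allow
user:10072:-------A---C--:fd----:deny user:10072:rwxpD-a---c--s:fd----:allow group@:------a---c--s:fd----:allow
group:10008:rwxpD-a---c--s:fd----:allow group:544:rwxpD-a---c--s:fd----:allow group:10131:r-x---a---c--s:fd----:allow
group@:rwxp---A---C--:fd----:deny group:10008:-------A---C--:fd----:deny group:544:-------A---C--:fd----:deny
group:10131:-w-p---A---C--:fd----:deny everyone@:rwxp---A---C--:fd----:deny everyone@:------a---c--s:fd----:allow
""".split()
WINDOWS_ORDER = """
user:10015:-w-pD--A---C--:fd----:deny user:10049:-w-pD--A---C--:fd----:deny user:10072:-------A---C--:fd----:deny
group@:rwxpD--A---C--:fd----:deny group:10008:-------A---C--:fd----:deny group:544:-------A---C--:fd----:deny
group:10131:-w-pD--A---C--:fd----:deny everyone@:rwxpD--A---C--:fd----:deny owner@:rwxpD-aA--cC--:fd----:allow
user:10015:r-x---a---c---:fd----:allow user:10049:r-x---a---c---:fd----:allow user:10072:rwxpD-a---c---:fd----:allow
group@:------a---c---:fd----:allow group:10008:rwxpD-a---c---:fd----:allow group:544:rwxpD-a---c---:fd----:allow
group:10131:r-x---a---c---:fd----:allow everyone@:------a---c---:fd----:allow
""".split()

def parse(entry):
    f = entry.split(":")
    if f[0].endswith("@"):              # owner@, group@, everyone@
        return f[0], set(f[1]) - {"-"}, f[3]
    return (f[0], int(f[1])), set(f[2]) - {"-"}, f[4]

def matches(who, uid, gids, owner, group):
    if who == "everyone@":
        return True
    if who == "owner@":
        return uid == owner
    if who == "group@":
        return group in gids
    tag, ident = who
    return ident == uid if tag == "user" else ident in gids

def allowed(acl, wanted, uid, gids, owner=10051, group=513):
    """First matching entry decides each requested permission letter."""
    pending = set(wanted)
    for who, perms, kind in map(parse, acl):
        if not matches(who, uid, gids, owner, group):
            continue
        if kind == "deny" and pending & perms:
            return False
        if kind == "allow":
            pending -= perms
            if not pending:
                return True
    return False   # nothing granted the remaining permissions
```

With the script's interleaved order, user 10015 can read and the owner can read and write; with the reordered list, the `everyone@` deny entry is reached before any allow entry, so the same requests are refused.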