From owner-freebsd-fs@FreeBSD.ORG Sat Oct 12 00:22:16 2013
Date: Fri, 11 Oct 2013 20:22:08 -0400 (EDT)
From: Rick Macklem
To: "Prokofiev S.P."
Cc: freebsd-fs@freebsd.org
Message-ID: <317463358.40289383.1381537328684.JavaMail.root@uoguelph.ca>
In-Reply-To: <5258018D.2040301@skylinetele.com>
Subject: Re: Mapping POSIX ACLs to NFSv4 ACLs for Samba storage
List-Id: Filesystems

Prokofiev S.P. wrote:
> Hi all,
>
> I propose to talk about an issue.
> I have a task of moving data from UFS+ACLs storage to a ZFS pool.
> Dump/restore is the best way. But only owner/owner_group is saved.
> I've written a Perl script to translate POSIX ACLs to NFSv4 ACLs. I
> referred to the last draft of it
> (http://tools.ietf.org/html/draft-iet...acl-mapping-05) to emulate
> POSIX behaviour of permissions. I got something like that, for
> instance:
>
It probably isn't of much help to you, but eventually the NFSv4 working
group realized that mapping between POSIX<->NFSv4 ACLs wasn't possible.
Those drafts were just failed attempts.

Also, if you are going to put all deny ACEs before all allow ACEs, then
the deny ACEs must not specify anything that is allowed by the allow
ACEs. (I suspect you already know, but the NFSv4 ACL is evaluated by
testing each ACE in order and any match for a deny ACE denies access and
any matching allow ACE allows access. As such, re-ordering ACEs in the
ACL changes the ACL's semantics.)

Good luck with this. I do not believe there is a correct solution in
general, so all you can hope for is a simple translation that captures
enough semantics for your application.

rick

> Source directory on UFS:
> Code:
>
> getfacl /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
> # file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
> # owner: 10051
> # group: 513
> user::rwx
> user:10015:r-x
> user:10049:r-x
> user:10072:rwx
> group::---
> group:544:rwx
> group:10008:rwx
> group:10131:r-x
> mask::rwx
> other::---
>
> getfacl -d /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
> # file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
> # owner: 10051
> # group: 513
> user::rwx
> user:10015:r-x
> user:10049:r-x
> user:10072:rwx
> group::---
> group:544:rwx
> group:10008:rwx
> group:10131:r-x
> mask::rwx
> other::---
>
> Target directory on ZFS:
> Code:
>
> # getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
> # file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
> # owner: 10051
> # group: 513
> owner@:--------------:fd----:deny
> owner@:rwxpD-aA--cC-s:fd----:allow
> user:10015:-w-p---A---C--:fd----:deny
> user:10015:r-x---a---c--s:fd----:allow
> user:10049:-w-p---A---C--:fd----:deny
> user:10049:r-x---a---c--s:fd----:allow
> user:10072:-------A---C--:fd----:deny
> user:10072:rwxpD-a---c--s:fd----:allow
> group@:------a---c--s:fd----:allow
> group:10008:rwxpD-a---c--s:fd----:allow
> group:544:rwxpD-a---c--s:fd----:allow
> group:10131:r-x---a---c--s:fd----:allow
> group@:rwxp---A---C--:fd----:deny
> group:10008:-------A---C--:fd----:deny
> group:544:-------A---C--:fd----:deny
> group:10131:-w-p---A---C--:fd----:deny
> everyone@:rwxp---A---C--:fd----:deny
> everyone@:------a---c--s:fd----:allow
>
> I was happy, but Windows made me sad. When I tried to look at
> permissions of a file or a directory with a Windows file browser I had
> a warning about ordering of permissions.
> Then I tried to edit permissions and allowed reordering and got this
> result of that:
>
> Code:
>
> getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
> # file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
> # owner: 10051
> # group: 513
> user:10015:-w-pD--A---C--:fd----:deny
> user:10049:-w-pD--A---C--:fd----:deny
> user:10072:-------A---C--:fd----:deny
> group@:rwxpD--A---C--:fd----:deny
> group:10008:-------A---C--:fd----:deny
> group:544:-------A---C--:fd----:deny
> group:10131:-w-pD--A---C--:fd----:deny
> everyone@:rwxpD--A---C--:fd----:deny <<<<<<<<<
> owner@:rwxpD-aA--cC--:fd----:allow
> user:10015:r-x---a---c---:fd----:allow
> user:10049:r-x---a---c---:fd----:allow
> user:10072:rwxpD-a---c---:fd----:allow
> group@:------a---c---:fd----:allow
> group:10008:rwxpD-a---c---:fd----:allow
> group:544:rwxpD-a---c---:fd----:allow
> group:10131:r-x---a---c---:fd----:allow
> everyone@:------a---c---:fd----:allow
>
> But it won't work, because of (everyone@:rwxpD--A---C--:fd----:deny).
> It's a mess. As it turned out, according to
> http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx
> it's a rule of ordering of Windows permissions.
>
> _______________________________________________
> freebsd-fs@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"
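The in-order ACE evaluation Rick describes, applied to ACEs copied from the two listings in the quoted post, as an added example that is not code from this thread or from either poster: it shows why the original ACL grants uid 10072 rwx while the Windows-reordered one (everyone@ deny at the top) denies even the owner. The principal model (uid plus a set of gids) and the ACE subset used are constructed assumptions.

```python
# Added example, not code from the thread: a toy NFSv4 ACL evaluator using
# the rule Rick states (walk ACEs in order; the first matching ACE that
# names a still-undecided requested bit decides that bit). The uid/gids
# principal model and the ACE subset below are constructed assumptions.
SPECIAL = ("owner@", "group@", "everyone@")

def parse_ace(line):
    """'who[:qualifier]:perms:flags:type' -> (who, qualifier, perm set, type)."""
    f = line.split(":")
    who, qual = (f[0], None) if f[0] in SPECIAL else (f[0], int(f[1]))
    perms, kind = (f[1], f[3]) if qual is None else (f[2], f[4])
    return who, qual, {c for c in perms if c != "-"}, kind

def matches(who, qual, uid, gids, owner_uid, owner_gid):
    return {"owner@": uid == owner_uid, "group@": owner_gid in gids,
            "everyone@": True, "user": uid == qual, "group": qual in gids}[who]

def access(acl, uid, gids, owner_uid, owner_gid, wanted):
    remaining = set(wanted)          # requested bits not yet granted
    for line in acl.splitlines():
        who, qual, perms, kind = parse_ace(line)
        hit = remaining & perms
        if not hit or not matches(who, qual, uid, gids, owner_uid, owner_gid):
            continue
        if kind == "deny":
            return False             # a matching deny on a wanted bit ends it
        remaining -= hit
        if not remaining:
            return True
    return False                     # nothing granted the rest: implicit deny

# ACEs copied from the post (subset). Directory owner is uid 10051, gid 513.
ORIGINAL = """\
owner@:rwxpD-aA--cC-s:fd----:allow
user:10072:-------A---C--:fd----:deny
user:10072:rwxpD-a---c--s:fd----:allow
everyone@:rwxp---A---C--:fd----:deny
everyone@:------a---c--s:fd----:allow"""

# Same ACEs after the Windows "denies first" reordering from the post.
REORDERED = """\
user:10072:-------A---C--:fd----:deny
everyone@:rwxpD--A---C--:fd----:deny
owner@:rwxpD-aA--cC--:fd----:allow
user:10072:rwxpD-a---c---:fd----:allow
everyone@:------a---c---:fd----:allow"""
```

With ORIGINAL, `access(..., 10072, {513}, 10051, 513, "rwx")` is True because the user's deny ACE only names A and C; with REORDERED the everyone@ deny fires on the first requested bit for every principal, including the owner.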