Date: Fri, 30 Apr 2010 16:27:55 -0700
From: "Eugene M. Kim" <20080111.freebsd.org@ab.ote.we.lv>
To: fs@freebsd.org
Subject: 8-stable ZFS ACL (NFSv4): Access disallowed when it should be by inheritance
Message-ID: <4BDB677B.5020205@ab.ote.we.lv>
Greetings,
I am experimenting with NFSv4 ACLs on ZFS, and am baffled by the
following behavior:
--- BEGIN TRANSCRIPT ---
purple# uname -a
FreeBSD purple.the-7.net 8.0-STABLE FreeBSD 8.0-STABLE #1: Mon Mar 29
19:22:00 PDT 2010
ab@purple.the-7.net:/home/FreeBSD/build/RELENG_8/obj/home/FreeBSD/build/RELENG_8/src/sys/PURPLE
i386
purple# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
purple# ls -ld .
drwxr-xr-x 2 root wheel 2 Apr 30 16:15 .
purple# getfacl .
# file: .
# owner: root
# group: wheel
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
purple# setfacl -a0 user:ab:rwxpRWcs:fi:allow .
purple# getfacl .
# file: .
# owner: root
# group: wheel
user:ab:rwxp----RWc--s:f-i---:allow
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
purple# touch root-f
purple# ls -ld root-f
-rw-r--r--+ 1 root wheel 0 Apr 30 16:16 root-f
purple# getfacl root-f
# file: root-f
# owner: root
# group: wheel
user:ab:-wxp----------:------:deny
user:ab:rwxp----RWc--s:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
purple# sudo -u ab cat root-f
purple# sudo -u ab touch root-f
touch: root-f: Permission denied
purple# sudo -u ab ./root-f
sudo: ./root-f: command not found
purple#
--- END TRANSCRIPT ---
The intention here is to allow read/write/append/execution of files
created under the current directory (root:wheel 0755). However, as seen
in the third getfacl output, the ACL of the created file (root-f)
contains not just the inherited ACE (user:ab:rwxpRWcs::allow) but also
another ACE (user:ab:wxp::deny) before the inherited ACE, which causes
the touch(1) and execution of the created file to fail.
Why does this happen?
Regards,
Eugene
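The ACL shown for root-f is consistent with the creation mode being applied on top of the inherited entry: touch(1) creates the file with mode 0644 (0666 masked by the default umask 022, an assumption; the transcript only shows the resulting -rw-r--r--), and a named entry that grants more data bits than the mode's group bits gets a deny for the excess prepended, while the owner@/group@/everyone@ entries are regenerated from the mode. The model below is an added illustration written for this page, not code from the poster or from ZFS, and the trimming rule it implements is an assumption that merely reproduces the transcript. It parses the getfacl(1) entry format (the "rwxpdDaARWcCos" permission and "fdinSF" flag column orders are taken from the transcript's output), predicts the file's ACL from the parent's entry plus the mode, and then walks the result the way an NFSv4 first-match access check does to show why read succeeds for ab while write and execute are refused. All function names (parse_acl, trivial_acl, create_file_acl, check_access, root_f_acl, ab_can) are the example's own.

```python
from dataclasses import dataclass

PERM_CHARS = "rwxpdDaARWcCos"  # getfacl(1) access column on 8-STABLE: r w x append del_child del, attr/xattr/acl r+w, owner, sync
FLAG_CHARS = "fdinSF"          # getfacl(1) flags column: file_inherit dir_inherit inherit_only no_propagate success failed
DATA_BITS = set("rwxp")        # the only bits a Unix mode can express
WRITE_META = set("AWCo")       # trivial ACL: metadata writes reserved to the owner
READ_META = set("aRcs")        # trivial ACL: metadata reads granted to everyone

@dataclass
class Ace:
    tag: str     # "owner@", "group@", "everyone@", "user" or "group"
    qual: str    # principal name for user:/group: entries, else ""
    perms: set
    flags: set
    kind: str    # "allow" or "deny"
    def __str__(self):
        who = f"{self.tag}:{self.qual}" if self.qual else self.tag
        p = "".join(c if c in self.perms else "-" for c in PERM_CHARS)
        f = "".join(c if c in self.flags else "-" for c in FLAG_CHARS)
        return f"{who}:{p}:{f}:{self.kind}"

def parse_acl(text):
    """Parse getfacl(1) entry lines; '# file:'-style comment lines are skipped."""
    acl = []
    for line in text.strip().splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:                      # blank or comment line
            continue
        if parts[0] in ("user", "group"):
            tag, qual, perms, flags, kind = parts
        else:
            (tag, perms, flags, kind), qual = parts, ""
        acl.append(Ace(tag, qual, set(perms) - {"-"}, set(flags) - {"-"}, kind))
    return acl

def mode_bits(digit):  # one rwx octal digit as NFSv4 data bits; write implies append
    return {c for mask, c in ((4, "r"), (2, "w"), (2, "p"), (1, "x")) if digit & mask}

def trivial_acl(mode):
    """ZFS-style six-entry ACL equivalent to a plain mode on a regular file."""
    own, grp, oth = (mode_bits(mode >> s & 7) for s in (6, 3, 0))
    return [Ace("owner@", "", DATA_BITS - own, set(), "deny"),
            Ace("owner@", "", own | WRITE_META, set(), "allow"),
            Ace("group@", "", DATA_BITS - grp, set(), "deny"),
            Ace("group@", "", grp, set(), "allow"),
            Ace("everyone@", "", (DATA_BITS - oth) | WRITE_META, set(), "deny"),
            Ace("everyone@", "", oth | READ_META, set(), "allow")]

def create_file_acl(parent_acl, mode):
    """Model (an assumption, not ZFS source): copy file-inheritable entries with
    inherit flags cleared, prepend a deny for any data bits a named allow holds
    beyond the mode's group bits, then append the trivial entries for the mode."""
    grp = mode_bits(mode >> 3 & 7)
    result = []
    for ace in parent_acl:
        if "f" not in ace.flags:
            continue
        excess = (ace.perms & DATA_BITS) - grp
        if ace.tag in ("user", "group") and ace.kind == "allow" and excess:
            result.append(Ace(ace.tag, ace.qual, excess, set(), "deny"))
        result.append(Ace(ace.tag, ace.qual, set(ace.perms), set(), ace.kind))
    return result + trivial_acl(mode)

def check_access(acl, want, *, user, groups, file_owner, file_group):
    """NFSv4 first-match walk: a deny covering a still-needed bit refuses access."""
    need = set(want)
    for ace in acl:
        applies = {"owner@": user == file_owner, "group@": file_group in groups,
                   "everyone@": True, "user": ace.qual == user,
                   "group": ace.qual in groups}[ace.tag]
        if not applies or not (ace.perms & need):
            continue
        if ace.kind == "deny":
            return False
        need -= ace.perms
        if not need:
            return True
    return False

# Parent directory ACL after the setfacl(1) in the transcript (copied from it).
PARENT_ACL = """user:ab:rwxp----RWc--s:f-i---:allow
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow"""

def root_f_acl(mode=0o644):
    """Predicted ACL of the file touch(1) creates: mode 0666 masked by umask 022."""
    return [str(a) for a in create_file_acl(parse_acl(PARENT_ACL), mode)]

def ab_can(perm, mode=0o644):  # ab is neither the owner nor a member of wheel
    return check_access(create_file_acl(parse_acl(PARENT_ACL), mode), perm,
                        user="ab", groups={"ab"}, file_owner="root", file_group="wheel")

if __name__ == "__main__":
    print("\n".join(root_f_acl()))
    print({p: ab_can(p) for p in "rwx"})
```

Running it prints the eight entries of the third getfacl output and `{'r': True, 'w': False, 'x': False}`, matching cat succeeding while touch and execution fail. Calling `root_f_acl(0o666)` shows the dependence on the mode: with a umask of 0 the model prepends only `user:ab:--x-----------:------:deny`, since the group bits then cover write and append.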