From: "Eugene M. Kim" <20080111.freebsd.org@ab.ote.we.lv>
Date: Fri, 30 Apr 2010 16:27:55 -0700
To: fs@freebsd.org
Subject: 8-stable ZFS ACL (NFSv4): Access disallowed when it should be by inheritance
Message-ID: <4BDB677B.5020205@ab.ote.we.lv>

Greetings,

I am experimenting with NFSv4 ACLs on ZFS, and am baffled by the following behavior:

--- BEGIN TRANSCRIPT ---
purple# uname -a
FreeBSD purple.the-7.net 8.0-STABLE FreeBSD 8.0-STABLE #1: Mon Mar 29 19:22:00 PDT 2010 ab@purple.the-7.net:/home/FreeBSD/build/RELENG_8/obj/home/FreeBSD/build/RELENG_8/src/sys/PURPLE i386
purple# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
purple# ls -ld .
drwxr-xr-x 2 root wheel 2 Apr 30 16:15 .
purple# getfacl .
# file: .
# owner: root
# group: wheel
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
purple# setfacl -a0 user:ab:rwxpRWcs:fi:allow .
purple# getfacl .
# file: .
# owner: root
# group: wheel
user:ab:rwxp----RWc--s:f-i---:allow
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
purple# touch root-f
purple# ls -ld root-f
-rw-r--r--+ 1 root wheel 0 Apr 30 16:16 root-f
purple# getfacl root-f
# file: root-f
# owner: root
# group: wheel
user:ab:-wxp----------:------:deny
user:ab:rwxp----RWc--s:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
purple# sudo -u ab cat root-f
purple# sudo -u ab touch root-f
touch: root-f: Permission denied
purple# sudo -u ab ./root-f
sudo: ./root-f: command not found
purple#
--- END TRANSCRIPT ---

The intention here is to allow read/write/append/execution of files created under the current directory (root:wheel 0755). However, as seen in the third getfacl output, the ACL of the created file (root-f) contains not just the inherited ACE (user:ab:rwxpRWcs::allow) but also another ACE (user:ab:wxp::deny) before the inherited ACE, which causes the touch(1) and execution of the created file to fail.

Why does this happen?

Regards,
Eugene
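The transcript shows why ACE order matters: NFSv4 ACLs are evaluated top to bottom and the first applicable entry that mentions a permission bit decides it, so a deny entry placed before an allow entry for the same user wins for the bits it names. The following is an added example (not the poster's code, and it does not explain why ZFS inserted the deny entry, which the thread leaves open): it parses the getfacl(1) text from the transcript and walks the ACEs with those semantics for user ab, on both the directory and root-f. The permission letter order "rwxpdDaARWcCos" and flag order "fdinSF" are taken from the FreeBSD 8 setfacl(1) layout and are assumptions; ab's group membership is constructed, since the thread does not show it.

```python
"""Ordered evaluation of NFSv4 ACLs in the text form FreeBSD getfacl(1) prints.

Added example for the thread above, not the poster's code. Permission and flag
letter orders follow FreeBSD 8 setfacl(1) (assumed: "rwxpdDaARWcCos", "fdinSF");
the requester's group list is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PERM_LETTERS = "rwxpdDaARWcCos"  # read_data, write_data, execute, append_data, ...
FLAG_LETTERS = "fdinSF"          # file_inherit, dir_inherit, inherit_only, no_propagate, ...
SPECIAL_TAGS = ("owner@", "group@", "everyone@")


@dataclass
class Ace:
    tag: str                  # "owner@", "group@", "everyone@", "user" or "group"
    qualifier: Optional[str]  # user/group name for "user:"/"group:" entries
    perms: Set[str]           # permission letters present in the ACE
    flags: Set[str]           # inheritance flag letters present in the ACE
    kind: str                 # "allow" or "deny"


def parse_getfacl(text: str) -> List[Ace]:
    """Parse getfacl(1) output; '# file:' style comment lines are skipped."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if parts[0] in SPECIAL_TAGS:
            tag, qualifier, perms, flags, kind = parts[0], None, *parts[1:4]
        else:
            tag, qualifier, perms, flags, kind = parts
        if len(perms) != len(PERM_LETTERS) or len(flags) != len(FLAG_LETTERS):
            raise ValueError(f"unexpected field width in ACE: {line}")
        aces.append(Ace(tag, qualifier,
                        {c for c in perms if c != "-"},
                        {c for c in flags if c != "-"},
                        kind))
    return aces


def ace_applies(ace: Ace, requester: str, groups: Set[str],
                owner: str, owning_group: str) -> bool:
    """Does this ACE's principal cover the requester?"""
    if ace.tag == "everyone@":
        return True
    if ace.tag == "owner@":
        return requester == owner
    if ace.tag == "group@":
        return owning_group in groups
    if ace.tag == "user":
        return ace.qualifier == requester
    if ace.tag == "group":
        return ace.qualifier in groups
    return False


def evaluate(aces: List[Ace], requested: str, requester: str, groups: Set[str],
             owner: str, owning_group: str) -> Dict[str, str]:
    """NFSv4 ordered evaluation: the first applicable ACE that mentions a
    permission decides it. inherit_only ACEs are skipped on the object that
    carries them. Permissions no ACE mentions are treated as denied here."""
    verdict: Dict[str, Optional[str]] = {p: None for p in requested}
    for ace in aces:
        if "i" in ace.flags or not ace_applies(ace, requester, groups, owner, owning_group):
            continue
        for p in requested:
            if verdict[p] is None and p in ace.perms:
                verdict[p] = ace.kind
    return {p: v or "deny" for p, v in verdict.items()}


# ACLs copied from the transcript (second and third getfacl outputs).
DIR_ACL = """\
# file: .
# owner: root
# group: wheel
user:ab:rwxp----RWc--s:f-i---:allow
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
"""
ROOT_F_ACL = """\
user:ab:-wxp----------:------:deny
user:ab:rwxp----RWc--s:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
"""
REQUESTER, GROUPS = "ab", {"ab"}  # constructed: ab's groups are not shown in the thread


def access_for_ab(acl_text: str, drop_user_deny: bool = False) -> Dict[str, str]:
    """Verdict for read/write/execute/append (rwxp) as user ab on a root:wheel object.
    drop_user_deny removes the unexpected user:ab deny ACE to show its effect."""
    aces = parse_getfacl(acl_text)
    if drop_user_deny:
        aces = [a for a in aces
                if not (a.tag == "user" and a.qualifier == "ab" and a.kind == "deny")]
    return evaluate(aces, "rwxp", REQUESTER, GROUPS, owner="root", owning_group="wheel")


if __name__ == "__main__":
    print("directory (.):", access_for_ab(DIR_ACL))
    print("root-f:", access_for_ab(ROOT_F_ACL))
    print("root-f without the user:ab deny ACE:", access_for_ab(ROOT_F_ACL, drop_user_deny=True))
```

On the directory, ab's own ACE is inherit_only and so contributes nothing; ab falls through to the everyone@ entries and gets the 0755 "other" view (read and execute allowed, write and append denied). On root-f, the leading user:ab deny ACE claims w, x and p first, so only read_data reaches the inherited allow entry, which is exactly the pattern in the transcript: cat succeeds, touch and execution fail. Removing that one deny entry lets all four bits resolve to allow, which is what the poster intended the inherited ACE to achieve.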