From: Marc Peters
Date: Wed, 13 Jun 2012 16:23:02 +0200
To: freebsd-fs@freebsd.org
Subject: Re: ZFS deletes ACLs when root edits a file

On 06/12/2012 09:15 PM, Andrew Leonard wrote:
> On Tue, Jun 12, 2012 at 7:42 AM, Fabian Keil wrote:
>
>> Marc Peters wrote:
>>
>>> I observed a strange behaviour when using ACLs on a ZFS filesystem.
>>> When a file has ACLs set and is edited by a user, the ACLs get lost
>>> when the file is edited and saved.
>>>
>>> How to repeat:
>>>
>>>> mount
>>> /dev/aacd0s1a on / (ufs, local)
>>> devfs on /dev (devfs, local, multilabel)
>>> /dev/aacd0s1d on /var (ufs, local, soft-updates)
>>> appdata on /appdata (zfs, local, nfsv4acls)
>>> /dev/md0 on /appdata/www/cache (ufs, local, soft-updates)
>>>
>>>> ls -al
>>> total 3
>>> drwxr-xr-x  2 mpeters  wheel  2 Jun 12 15:31 .
>>> drwxr-xr-x  5 root     wheel  5 Jun 12 15:29 ..
>>>> touch test.file
>>>> ls -al
>>> total 4
>>> drwxr-xr-x  2 mpeters  wheel  3 Jun 12 15:32 .
>>> drwxr-xr-x  5 root     wheel  5 Jun 12 15:29 ..
>>> -rw-r--r--  1 mpeters  wheel  0 Jun 12 15:32 test.file
>>>> getfacl test.file
>>> # file: test.file
>>> # owner: mpeters
>>> # group: wheel
>>> owner@:rw-p--aARWcCos:------:allow
>>> group@:r-----a-R-c--s:------:allow
>>> everyone@:r-----a-R-c--s:------:allow
>>>> setfacl -m user:nobody:rwx::allow test.file
>>>> ls -al
>>> total 4
>>> drwxr-xr-x  2 mpeters  wheel  3 Jun 12 15:32 .
>>> drwxr-xr-x  5 root     wheel  5 Jun 12 15:29 ..
>>> -rw-r--r--+ 1 mpeters  wheel  0 Jun 12 15:32 test.file
>>>> getfacl test.file
>>> # file: test.file
>>> # owner: mpeters
>>> # group: wheel
>>> user:nobody:rwx-----------:------:allow
>>> owner@:rw-p--aARWcCos:------:allow
>>> group@:r-----a-R-c--s:------:allow
>>> everyone@:r-----a-R-c--s:------:allow
>>>> vim test.file
>>> (do some editing here)
>>> "test.file" 2 lines, 12 characters written
>>>> ls -al
>>> total 4
>>> drwxr-xr-x  2 mpeters  wheel  3 Jun 12 15:35 .
>>> drwxr-xr-x  5 root     wheel  5 Jun 12 15:29 ..
>>> -rw-r--r--  1 mpeters  wheel  12 Jun 12 15:35 test.file
>>>> getfacl test.file
>>> # file: test.file
>>> # owner: mpeters
>>> # group: wheel
>>> owner@:rw-p--aARWcCos:------:allow
>>> group@:r-----a-R-c--s:------:allow
>>> everyone@:r-----a-R-c--s:------:allow
>>>
>>> As you can see, the ACL for user nobody is gone.
>>>
>>> Is this behaviour intended?
>>
>> It is expected if vim replaced the original test.file with a
>> modified file with the same name, instead of actually editing the
>> original file directly.
>>
>> To confirm that this is happening you could truss vim or run
>> "ls -i test.file" before and after using vim (this is probably less
>> reliable, though).
>>
>> The ACLs shouldn't get lost if you really modify the original,
>> for example with:
>>
>> echo blafasel >> test.file
>
> Also, take a look at what you have the aclmode property set to on
> the ZFS file system. If you have it set to "discard" and if vim
> makes a chmod(2) call on the original file, then the ACL entries
> that do not represent the mode of the file will be discarded.
>
> -Andy
>
>> Fabian

Thank you Andrew and Fabian.

As discussed a little off list, the inheritance was the culprit, as
already is stated in the FAQ:

FAQ

Q: Inheritance doesn't work the way I expect; access is denied while it
shouldn't be.
A: Set "aclmode=passthrough" and "aclinherit=passthrough" ZFS
properties. For UFS, you're out of luck, I'm afraid; there is no way to
change the behaviour there.

Sorry for the noise.

marc
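
The "ls -i" check suggested in the thread, as an added example that is not part of the original mails: it compares an in-place append with a save that writes a new file and renames it over the old name. Assumptions: the permission bits stand in for the ACL entry so the script runs on any filesystem, and the function names and `edit_by_replace` (a constructed stand-in for an editor that saves by rename) are hypothetical.

```sh
#!/bin/sh
# Added example: metadata such as mode bits or ACL entries belongs to the
# inode, so a file that is replaced rather than modified starts from defaults.

inode_of() { ls -i "$1" | awk '{print $1}'; }
mode_of()  { ls -l "$1" | cut -c1-10; }

# Append to the existing file: same inode, metadata untouched.
edit_in_place() { printf '%s\n' "$2" >> "$1"; }

# Write a new file, then rename it over the old name (constructed stand-in
# for an editor that saves this way).
edit_by_replace() {
    tmp="$1.new.$$"
    cat "$1" > "$tmp" && printf '%s\n' "$2" >> "$tmp" && mv -f "$tmp" "$1"
}

# check_edit FILE EDIT_FUNCTION
# Prints "kept" or "replaced" (inode), then the mode before and after.
check_edit() {
    before_i=$(inode_of "$1"); before_m=$(mode_of "$1")
    "$2" "$1" "blafasel"
    after_i=$(inode_of "$1"); after_m=$(mode_of "$1")
    if [ "$before_i" = "$after_i" ]; then verdict=kept; else verdict=replaced; fi
    echo "$verdict $before_m $after_m"
}

# Runs in a subshell so the umask change does not leak to the caller.
demo() (
    dir=$(mktemp -d) || exit 1
    umask 022
    : > "$dir/test.file"
    chmod 640 "$dir/test.file"      # non-default metadata on the original
    check_edit "$dir/test.file" edit_in_place
    check_edit "$dir/test.file" edit_by_replace
    rm -rf "$dir"
)

demo
```

On the dataset from the thread, `zfs get aclmode,aclinherit appdata` shows the two properties the FAQ answer refers to.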