From: Doug Sampson <dougs@dawnsign.com>
To: freebsd-questions@freebsd.org, trasz@freebsd.org
Date: Thu, 30 Aug 2012 23:42:54 +0000
Subject: NFSv4 ACL permissions setting

Hello all-

I've set up ZFS on a FreeBSD 9.0 64-bit server recently. One of the things I've had to learn relates to NFSv4 ACLs. I've developed two scripts to reset permissions- one for files and the other for folders.
I've run into an issue with executing a script to set permissions on a bunch of folders.

The root filesystem is /data. There are a bunch of subfolders followed by more subfolders. Allow me to demonstrate as follows:

dougs@dorado:/# getfacl ./data
# file: ./data
# owner: root
# group: DSP-production
group:DSP-production:rwxpDdaARWcCos:fd----:allow
group:DSP-marketing:rwxpDdaARWcCos:fd----:allow
owner@:rwxpDdaARWcCos:fd----:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:r-x---a-R-c--s:------:allow
dougs@dorado:/# cd data
dougs@dorado:/data# ll
total 45
drwxrwx---+  5 root DSP-production   5 Aug 28 10:27 ADS-New
drwxrwx---+ 60 root DSP-production 118 Aug 27 14:17 ADS-OLD
[ .. snip .. ]
drwxrwx---+ 12 root DSP-production  12 Aug 27 14:16 WorkinProgress
dougs@dorado:/data# getfacl ./ADS-New/
# file: ./ADS-New/
# owner: root
# group: DSP-production
group:DSP-production:rwxpDdaARWcCos:fd----:allow
group:DSP-marketing:rwxpDdaARWcCos:fd----:allow
owner@:rwxpDdaARWcCos:fd----:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:------a-R-c--s:------:allow
dougs@dorado:/data# cd ./ADS-New/
dougs@dorado:/data/ADS-New# ll
total 9
drwxrwx---+  5 root nobody  7 Aug 27 14:20 Artworks
drwxrwx---+  4 root nobody  4 Jul 17 12:12 ForDSP
drwxrwx---+ 78 root nobody 78 Jul 23 13:17 ForMarketing
dougs@dorado:/data/ADS-New# /root/bin/reset-perms-prod-mkt-dirs.sh
dougs@dorado:/data/ADS-New# getfacl ./Artworks/
# file: ./Artworks/
# owner: root
# group: nobody
group:DSP-production:rwxpDdaARWcCos:fd----:allow   <<<<<-----
group:DSP-production:rwxpDdaARWcCos:fd----:allow   <<<<<-----
group:DSP-marketing:rwxpDdaARWcCos:fd----:allow
owner@:rwxpDdaARWcCos:fd----:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:------a-R-c--s:------:allow
dougs@dorado:/data/ADS-New# cd Artworks/
dougs@dorado:/data/ADS-New/Artworks# ll
total 4234
drwxrwx---+ 2 root        nobody               2 Jul 17 12:08 Ask JoeS
drwxrwx---+ 2 root        nobody              10 Jul 17 12:12 Cool - AD
d-w-rwx---+ 2 DSP-alfredo nobody               2 Aug 27 14:20 Jaye Additional Art
-rwxrwx---+ 1 root        DSP-production 3770445 Mar 11  2010 comingsoonIntNepal.pdf
-rwxrwx---+ 1 root        DSP-production  415338 Mar 11  2010 previewcopy.pdf
dougs@dorado:/data/ADS-New/Artworks# cd Ask\ JoeS/
dougs@dorado:/data/ADS-New/Artworks/Ask JoeS# cd ..
dougs@dorado:/data/ADS-New/Artworks# getfacl Ask\ JoeS/
# file: Ask JoeS/
# owner: root
# group: nobody
group:DSP-production:rwxpDdaARWcCos:fd----:allow   <<<<<-----
group:DSP-marketing:rwxpDdaARWcCos:fd----:allow
owner@:rwxpDdaARWcCos:fd----:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:------a-R-c--s:------:allow
dougs@dorado:/data/ADS-New/Artworks#

As you can see, the ADS-New folder where I executed the script shows duplicate entries of the DSP-production group, whereas the "Ask Joe" subfolder underneath the ADS-New folder shows only one DSP-production group. If I run this script on the ADS-OLD folder, I see the same effect- only the first level of subfolders get duplicate DSP-production entries, while the rest of the subfolders only contain one entry of the DSP-production group. Why is this happening?

The contents of /root/bin/reset-perms-prod-mkt-dirs.sh are as follows:

#!/bin/sh
# run this script where you wish to effect the changes

# reset perms to default
find . -type d -print0 | xargs -0 setfacl -b *

# apply perms to directories (find -type d only matches directories)
find . -type d -print0 | xargs -0 setfacl -m group@:full_set:fd:allow *
find . -type d -print0 | xargs -0 setfacl -m owner@:full_set:fd:allow *
find . -type d -print0 | xargs -0 setfacl -m g:dsp-marketing:full_set:fd:allow *
find . -type d -print0 | xargs -0 setfacl -m g:dsp-production:full_set:fd:allow *

Um? Am I missing something?

~Doug
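The following is an added example, not part of Doug's post and not the script he ran. It reproduces the command-line shape that each line of the posted script hands to setfacl. The cause of the duplicates is visible in the pipeline itself: in `find . -type d -print0 | xargs -0 setfacl -m <entry> *`, the shell expands the trailing `*` in the current directory before xargs runs, so the first-level names (`Artworks`, `ForDSP`, ...) become leading arguments to setfacl, and xargs then appends everything find printed, which includes the same directories again as `./Artworks`, `./ForDSP`, .... Those first-level directories are therefore modified twice per `-m` line, and the getfacl output in the post shows that setfacl keeps the identical second entry. Deeper directories come only from find and are modified once. Because a real NFSv4 setfacl is not available offline, the example installs a constructed fake `setfacl` on PATH that only records the path operands it is given, and it builds a small constructed directory tree; `FAKE_SETFACL_LOG`, `count_visits` and `visits` are names introduced here.

```shell
#!/bin/sh
# Added example (not from the original post). It reproduces the command line that
#   find . -type d -print0 | xargs -0 setfacl -m <entry> *
# builds, using a constructed fake "setfacl" that only records its path operands,
# so we can count how many times each directory would be modified.
set -eu

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Constructed tree in the spirit of the post: two first-level dirs, each with a child.
mkdir -p "$demo_dir/tree/Artworks/Ask JoeS" "$demo_dir/tree/ForDSP/sub"

# Fake setfacl: skip options (and the ACL entry that follows -m), log every path operand.
mkdir -p "$demo_dir/bin"
cat > "$demo_dir/bin/setfacl" <<'EOF'
#!/bin/sh
while [ $# -gt 0 ]; do
    case $1 in
        -m) shift 2 ;;                                   # -m takes an ACL entry
        -*) shift ;;                                     # e.g. -b
        *)  printf '%s\n' "$1" >> "$FAKE_SETFACL_LOG"; shift ;;
    esac
done
EOF
chmod +x "$demo_dir/bin/setfacl"

# count_visits MODE: run one pass as the posted script does (MODE=buggy, trailing "*")
# or with the "*" dropped (MODE=fixed), then print "<count> <path>" per directory.
# "./X" and "X" are folded together so both spellings of one directory count as one.
count_visits() {
    log="$demo_dir/$1.log"
    : > "$log"
    (
        cd "$demo_dir/tree"
        export PATH="$demo_dir/bin:$PATH" FAKE_SETFACL_LOG="$log"
        if [ "$1" = buggy ]; then
            # The shell expands "*" here, before xargs runs: "Artworks ForDSP" become
            # leading arguments and find's "./Artworks ./ForDSP ..." are appended after them.
            find . -type d -print0 | xargs -0 setfacl -m g:dsp-production:full_set:fd:allow *
        else
            find . -type d -print0 | xargs -0 setfacl -m g:dsp-production:full_set:fd:allow
        fi
    )
    sed 's|^\./||' "$log" | sort | uniq -c
}

# visits MODE PATH: how many times setfacl was asked to modify PATH in that mode.
visits() {
    count_visits "$1" | awk -v p="$2" '{ c = $1; sub(/^ *[0-9]+ /, ""); if ($0 == p) print c }'
}

echo "== with trailing '*' (as in the posted script) =="
count_visits buggy
echo "== without the trailing '*' =="
count_visits fixed
```

Run as-is, the "buggy" pass reports `2` for `Artworks` and `ForDSP` but `1` for `.`, `Artworks/Ask JoeS` and `ForDSP/sub`, which matches the pattern in the post: only the first level of subfolders is touched twice. The "fixed" pass reports `1` everywhere. The same reasoning applies to the `setfacl -b *` line. Dropping the trailing `*` from each line is enough, since find already emits `.` and every subdirectory; `find . -type d -exec setfacl -m <entry> {} +` is an equivalent form that avoids the xargs stage altogether.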