From owner-freebsd-fs@FreeBSD.ORG  Tue Mar  9 15:28:39 2010
Return-Path: <owner-freebsd-fs@FreeBSD.ORG>
Delivered-To: freebsd-fs@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id DF04F1065672
	for <freebsd-fs@FreeBSD.org>; Tue,  9 Mar 2010 15:28:39 +0000 (UTC)
	(envelope-from avg@icyb.net.ua)
Received: from citadel.icyb.net.ua (citadel.icyb.net.ua [212.40.38.140])
	by mx1.freebsd.org (Postfix) with ESMTP id 31A528FC14
	for <freebsd-fs@FreeBSD.org>; Tue,  9 Mar 2010 15:28:38 +0000 (UTC)
Received: from odyssey.starpoint.kiev.ua (alpha-e.starpoint.kiev.ua
	[212.40.38.101])
	by citadel.icyb.net.ua (8.8.8p3/ICyb-2.3exp) with ESMTP id RAA27204
	for <freebsd-fs@FreeBSD.org>; Tue, 09 Mar 2010 17:28:37 +0200 (EET)
	(envelope-from avg@icyb.net.ua)
Message-ID: <4B966925.1040609@icyb.net.ua>
Date: Tue, 09 Mar 2010 17:28:37 +0200
From: Andriy Gapon <avg@icyb.net.ua>
User-Agent: Thunderbird 2.0.0.23 (X11/20100211)
MIME-Version: 1.0
To: freebsd-fs@FreeBSD.org
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: ZFS ACL usage question
X-BeenThere: freebsd-fs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Filesystems <freebsd-fs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-fs>,
	<mailto:freebsd-fs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-fs>
List-Post: <mailto:freebsd-fs@freebsd.org>
List-Help: <mailto:freebsd-fs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-fs>,
	<mailto:freebsd-fs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Mar 2010 15:28:40 -0000


I have a usage question on ZFS ACL.
Perhaps it's something trivial that should have been asked on questions@,
apologies in that case.

Let's say for simplicity that I want some directory to be equally shared by two
users.  Both should have full access and new files created by one user should
still be fully accessible by the other.
I can't seem to be able to configure ACLs to get that.

Let's say the users are user1 and user2.
The original directory is owned by user1:
$ ls -ld ~/testdir
drwxrwxr-x+ 22 user1  group0  26  9 Mar 13:01 /home/user1/testdir

I then issue the following commands:
$ setfacl -b -m user:user1:rwxAWCo:fd:allow ~/testdir
$ setfacl -m user:user1::fd:deny ~/testdir
$ setfacl -m user:user2:rwxAWCo:fd:allow ~/testdir
$ setfacl -m user:user2::fd:deny ~/testdir
$ getfacl ~/testdir
# file: /home/user1/testdir
# owner: user1
# group: group0
        user:user2:--------------:fd----:deny
        user:user2:rwx----A-W-Co-:fd----:allow
          user:user1:--------------:fd----:deny
          user:user1:rwx----A-W-Co-:fd----:allow
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:--------------:------:deny
            group@:rwxp----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow

Then I create a new file as user1 like this (umask is set to 022):
$ touch ~/testdir/test
$ ls -ld ~/testdir/test
-rw-r--r--+ 1 user1  group0  0  9 Mar 13:01 /home/user1/testdir/test
$ getfacl ~/testdir/test
# file: /home/user1/testdir/test
# owner: user1
# group: group0
        user:user2:--------------:------:deny
        user:user2:-wx-----------:------:deny
        user:user2:rwx----A-W----:------:allow
          user:user1:--------------:------:deny
          user:user1:--x-----------:------:deny
          user:user1:rwx----A-W----:------:allow
            owner@:--x-----------:------:deny
            owner@:rw-p---A-W-Co-:------:allow
            group@:-wxp----------:------:deny
            group@:r-------------:------:allow
         everyone@:-wxp---A-W-Co-:------:deny
         everyone@:r-----a-R-c--s:------:allow


So now there are two deny entries for both users and one of them makes sure that user2
cannot modify the file.
What am I doing wrong? :-)

-- 
Andriy Gapon