From owner-freebsd-fs@FreeBSD.ORG Tue Mar 9 15:28:39 2010
Return-Path: <owner-freebsd-fs@FreeBSD.ORG>
Delivered-To: freebsd-fs@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DF04F1065672 for <freebsd-fs@FreeBSD.org>; Tue, 9 Mar 2010 15:28:39 +0000 (UTC) (envelope-from avg@icyb.net.ua)
Received: from citadel.icyb.net.ua (citadel.icyb.net.ua [212.40.38.140]) by mx1.freebsd.org (Postfix) with ESMTP id 31A528FC14 for <freebsd-fs@FreeBSD.org>; Tue, 9 Mar 2010 15:28:38 +0000 (UTC)
Received: from odyssey.starpoint.kiev.ua (alpha-e.starpoint.kiev.ua [212.40.38.101]) by citadel.icyb.net.ua (8.8.8p3/ICyb-2.3exp) with ESMTP id RAA27204 for <freebsd-fs@FreeBSD.org>; Tue, 09 Mar 2010 17:28:37 +0200 (EET) (envelope-from avg@icyb.net.ua)
Message-ID: <4B966925.1040609@icyb.net.ua>
Date: Tue, 09 Mar 2010 17:28:37 +0200
From: Andriy Gapon <avg@icyb.net.ua>
User-Agent: Thunderbird 2.0.0.23 (X11/20100211)
MIME-Version: 1.0
To: freebsd-fs@FreeBSD.org
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc:
Subject: ZFS ACL usage question
X-BeenThere: freebsd-fs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Filesystems <freebsd-fs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-fs>, <mailto:freebsd-fs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-fs>
List-Post: <mailto:freebsd-fs@freebsd.org>
List-Help: <mailto:freebsd-fs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-fs>, <mailto:freebsd-fs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Mar 2010 15:28:40 -0000

I have a usage question on ZFS ACL.
Perhaps it's something trivial that should have been asked on questions@, apologies in that case.

Let's say for simplicity that I want some directory to be equally shared by two users.
Both should have full access and new files created by one user should still be fully accessible by the other.
I can't seem to be able to configure ACLs to get that.

Let's say the users are user1 and user2.
The original directory is owned by user1:

$ ls -ld ~/testdir
drwxrwxr-x+ 22 user1 group0 26 9 Mar 13:01 /home/user1/testdir

I then issue the following commands:

$ setfacl -b -m user:user1:rwxAWCo:fd:allow ~/testdir
$ setfacl -m user:user1::fd:deny ~/testdir
$ setfacl -m user:user2:rwxAWCo:fd:allow ~/testdir
$ setfacl -m user:user2::fd:deny ~/testdir

$ getfacl ~/testdir
# file: /home/user1/testdir
# owner: user1
# group: group0
user:user2:--------------:fd----:deny
user:user2:rwx----A-W-Co-:fd----:allow
user:user1:--------------:fd----:deny
user:user1:rwx----A-W-Co-:fd----:allow
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:--------------:------:deny
group@:rwxp----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow

Then I create a new file as user1 like this (umask is set to 022):

$ touch ~/testdir/test
$ ls -ld ~/testdir/test
-rw-r--r--+ 1 user1 group0 0 9 Mar 13:01 /home/user1/testdir/test

$ getfacl ~/testdir/test
# file: /home/user1/testdir/test
# owner: user1
# group: group0
user:user2:--------------:------:deny
user:user2:-wx-----------:------:deny
user:user2:rwx----A-W----:------:allow
user:user1:--------------:------:deny
user:user1:--x-----------:------:deny
user:user1:rwx----A-W----:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow

So now there are two deny entries for both users and one of them makes sure that user2 can not modify the file.

What am I doing wrong? :-)

-- 
Andriy Gapon
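An added example, not code from the mail above or from FreeBSD/ZFS: a small Python evaluator for the two getfacl listings in the message. It implements the ordered first-match rule NFSv4 ACLs use (entries are walked top to bottom; for each requested access bit, the first entry that applies to the caller and names that bit decides it, whether allow or deny; bits no entry names are denied), so it shows exactly which entry blocks user2's write on the new file. The ACL texts are copied from the mail as constructed input. Assumptions: group memberships are passed in by the caller, since the mail does not say whether user2 is in group0, and a flags-field `i` is treated as inherit-only and skipped for the object itself.

```python
"""Evaluate FreeBSD getfacl(1) NFSv4 ACL listings with the ordered
first-match rule: walk entries top to bottom; for each requested access
bit the first entry that applies to the caller and names that bit decides
it, allow or deny; bits no entry names are denied. Added example, not code
from the mail. Assumed: group memberships are supplied by the caller and a
flags-field 'i' means inherit-only (skipped when evaluating the object)."""

from dataclasses import dataclass


@dataclass
class Ace:
    tag: str        # 'user', 'group', 'owner@', 'group@' or 'everyone@'
    qualifier: str  # user/group name for user:/group: entries, else ''
    perms: set      # access letters present, e.g. {'r', 'w', 'x', 'A', 'W'}
    flags: set      # inheritance flags present, e.g. {'f', 'd'}
    kind: str       # 'allow' or 'deny'


def parse_getfacl(text):
    """Return (owner, group, [Ace, ...]) from compact getfacl output."""
    owner, group, aces = "", "", []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("#"):                    # '# owner:' / '# group:'
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                owner = value.strip()
            elif key.strip() == "group":
                group = value.strip()
            continue
        fields = line.split(":")
        if fields[0] in ("user", "group"):          # tag:name:perms:flags:type
            tag, qualifier, perms, flags, kind = fields
        else:                                       # owner@:perms:flags:type
            tag, perms, flags, kind = fields
            qualifier = ""
        aces.append(Ace(tag, qualifier, set(perms) - {"-"},
                        set(flags) - {"-"}, kind))
    return owner, group, aces


def ace_applies(ace, owner, group, who, groups):
    """Does the entry's principal cover the caller `who`?"""
    if ace.tag == "user":
        return ace.qualifier == who
    if ace.tag == "group":
        return ace.qualifier in groups
    if ace.tag == "owner@":
        return who == owner
    if ace.tag == "group@":
        return group in groups
    return ace.tag == "everyone@"


def check_access(acl_text, who, wanted, groups=()):
    """Return (granted, decisions); decisions maps each letter in `wanted`
    to (kind, index of the deciding entry), index None if none matched."""
    owner, group, aces = parse_getfacl(acl_text)
    remaining, decisions = set(wanted), {}
    for idx, ace in enumerate(aces):
        if not remaining:
            break
        if "i" in ace.flags or not ace_applies(ace, owner, group, who, groups):
            continue
        for letter in sorted(remaining & ace.perms):
            decisions[letter] = (ace.kind, idx)     # first match wins
            remaining.discard(letter)
    for letter in remaining:
        decisions[letter] = ("deny", None)          # default deny
    return all(k == "allow" for k, _ in decisions.values()), decisions


# Constructed input: the two listings from the mail, minus the '# file:' line.
DIR_ACL = """\
# owner: user1
# group: group0
user:user2:--------------:fd----:deny
user:user2:rwx----A-W-Co-:fd----:allow
user:user1:--------------:fd----:deny
user:user1:rwx----A-W-Co-:fd----:allow
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:--------------:------:deny
group@:rwxp----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
"""

FILE_ACL = """\
# owner: user1
# group: group0
user:user2:--------------:------:deny
user:user2:-wx-----------:------:deny
user:user2:rwx----A-W----:------:allow
user:user1:--------------:------:deny
user:user1:--x-----------:------:deny
user:user1:rwx----A-W----:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
"""

if __name__ == "__main__":
    for name, acl in (("testdir", DIR_ACL), ("testdir/test", FILE_ACL)):
        granted, why = check_access(acl, "user2", "rw")
        print(name, "user2 rw:", "granted" if granted else "denied", why)
```

Run against the file's ACL, user2's write request is settled by entry index 1 (`user:user2:-wx-----------:------:deny`), which sits above the matching allow entry, so the later `rwx----A-W----:allow` is never consulted for that bit; on the directory the same request is granted by entry index 1 because there the allow comes first. Since those extra deny entries are not in the directory's ACL and appeared only on the newly created file, the dataset's `aclinherit` property (and `aclmode`, on ZFS versions that have it) is the first thing a practitioner would check with `zfs get`; that is a suggested check, not something the mail establishes.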