Date:      Wed, 12 Apr 2017 11:07:20 -0700
From:      Chris Stankevitz <chris-freebsd-fs@stankevitz.com>
To:        freebsd-fs@freebsd.org
Subject:   ZFS ACL Inheritance: umask and canonical ACEs
Message-ID:  <5aaf7f68-d099-c72a-c396-82b6597e7e01@stankevitz.com>

Hi,

Questions (detail appears later):

1. Why wasn't my "inherited" ACE faithfully inherited?  Namely, the 
so-called inherited ACE does not have "rwxp--aARWcCos".  Clearly the way 
inheritance works is a function of the shell's umask (or in my real 
scenario -- Samba's umask).  I would like for inherited ACEs to not be a 
function of umask.

2. How do I tell ZFS/ACL that I do not want owner@, group@, or 
everything@ ACEs created unless explicitly requested by setfacl?  I do 
not want "extra" ACEs to appear on files I create within a particular 
directory -- even these "canonical" ACEs.

3. Bonus question: why does 'man setfacl' reference six canonical ACEs 
but there are only 3 (owner@, group@, everyone@)?

Thank you,

Chris

PS: I am using aclmode=passthrough and aclinherit=passthrough

=====

I have a directory with this ACL:

# file .
# owner: cstankevitz
# group: cstankevitz
  group:cstankevitz:rwxp--aARWcCos:fd-----:allow


Note that I have removed owner@, group@, and everyone@ ACEs.  Also 
notice that the single ACE allows rwxp--aARWcCos access to cstankevitz 
and that it is supposed to be inherited.

Inside this directory, I do this:

umask 000
touch bar.txt
getfacl bar.txt

# file: bar.txt
# owner: cstankevitz
# group: cstankevitz
  group:cstankevitz:rw-p--a-R-c--s:------I:allow
             owner@:rw-p--aARWcCos:-------:allow
             group@:rw-p--a-R-c--s:-------:allow
          everyone@:rw-p--a-R-c--s:-------:allow

umask 777
touch foo.txt
getfacl foo.txt

# file: foo.txt
# owner: cstankevitz
# group: cstankevitz
  group:cstankevitz:------a-R-c--s:------I:allow
             owner@:------aARWcCos:-------:allow
             group@:------a-R-c--s:-------:allow
          everyone@:------a-R-c--s:-------:allow
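
An added example, not part of the original message: Python that parses the getfacl output quoted above and reports, for each inherited ACE, which permission letters were lost relative to the directory's file-inheritable ACE, plus which non-inherited ACEs appeared on the new file. The ACL text is copied from the message; the function names are hypothetical.

```python
# Added example: ACL text is copied from the message; function names are hypothetical.
PARENT = """\
# file .
  group:cstankevitz:rwxp--aARWcCos:fd-----:allow
"""
CHILD_UMASK_000 = """\
# file: bar.txt
  group:cstankevitz:rw-p--a-R-c--s:------I:allow
             owner@:rw-p--aARWcCos:-------:allow
             group@:rw-p--a-R-c--s:-------:allow
          everyone@:rw-p--a-R-c--s:-------:allow
"""
CHILD_UMASK_777 = """\
# file: foo.txt
  group:cstankevitz:------a-R-c--s:------I:allow
             owner@:------aARWcCos:-------:allow
             group@:------a-R-c--s:-------:allow
          everyone@:------a-R-c--s:-------:allow
"""

def parse_acl(text):
    """Parse getfacl NFSv4 output into (who, perms, flags, type) tuples."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the "# file/owner/group" header
        fields = line.split(":")
        # The last three fields are perms, flags and type; the rest is the
        # principal ("owner@" is one field, "group:cstankevitz" is two).
        aces.append((":".join(fields[:-3]), *fields[-3:]))
    return aces

def audit_inheritance(parent_text, child_text):
    """Return (dropped perms per inherited ACE, principals of non-inherited ACEs)."""
    inheritable = {who: perms for who, perms, flags, _ in parse_acl(parent_text)
                   if "f" in flags}  # 'f' = file_inherit
    dropped, extra = {}, []
    for who, perms, flags, _ in parse_acl(child_text):
        if "I" in flags and who in inheritable:  # 'I' = inherited
            dropped[who] = "".join(c for c in inheritable[who]
                                   if c != "-" and c not in perms)
        elif "I" not in flags:
            extra.append(who)
    return dropped, extra

if __name__ == "__main__":
    for label, child in (("umask 000", CHILD_UMASK_000), ("umask 777", CHILD_UMASK_777)):
        print(label, audit_inheritance(PARENT, child))
```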


