Date:      Fri, 11 Oct 2013 20:22:08 -0400 (EDT)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        "Prokofiev S.P." <proks@skylinetele.com>
Cc:        freebsd-fs@freebsd.org
Subject:   Re: Mapping POSIX ACLs to NFSv4 ACLs for Samba storage
Message-ID:  <317463358.40289383.1381537328684.JavaMail.root@uoguelph.ca>
In-Reply-To: <5258018D.2040301@skylinetele.com>

Prokofiev S.P. wrote:
> Hi all,
> 
> I propose to talk about an issue. I have a task of moving data from
> UFS+ACLs storage to a ZFS pool. Dump/restore is the best way. But
> only
> owner/owner_group is saved. I've written a Perl script to translate
> POSIX ACLs to NFSv4 ACLs. I referred to the last draft of it
> (http://tools.ietf.org/html/draft-iet...acl-mapping-05
> <http://tools.ietf.org/html/draft-ietf-nfsv4-acl-mapping-05>) to
> emulate
> POSIX behaviour of permissions. I got something like that, for
> instance:
> 
It probably isn't of much help to you, but eventually the NFSv4
working group realized that mapping between POSIX<->NFSv4 ACLs
wasn't possible. Those drafts were just failed attempts.

Also, if you are going to put all deny ACEs before all allow
ACEs, then the deny ACEs must not specify anything that is
allowed by the allow ACEs. (I suspect you already know, but
the NFSv4 ACL is evaluated by testing each ACE in order and
any match for a deny ACE denies access and any matching allow ACE
allows access. As such, re-ordering ACEs in the ACL changes
the ACL's semantics.)

Good luck with this. I do not believe there is a correct solution
in general, so all you can hope for is a simple translation
that captures enough semantics for your application.

rick

> Source directory on UFS:
> Code:
> 
> > getfacl  /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
> # file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
> # owner: 10051
> # group: 513
> user::rwx
> user:10015:r-x
> user:10049:r-x
> user:10072:rwx
> group::---
> group:544:rwx
> group:10008:rwx
> group:10131:r-x
> mask::rwx
> other::---
> 
> > getfacl  -d /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
> # file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
> # owner: 10051
> # group: 513
> user::rwx
> user:10015:r-x
> user:10049:r-x
> user:10072:rwx
> group::---
> group:544:rwx
> group:10008:rwx
> group:10131:r-x
> mask::rwx
> other::---
> 
> Target directory on ZFS:
> Code:
> 
> # getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
> # file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
> # owner: 10051
> # group: 513
>                owner@:--------------:fd----:deny
>                owner@:rwxpD-aA--cC-s:fd----:allow
>          user:10015:-w-p---A---C--:fd----:deny
>          user:10015:r-x---a---c--s:fd----:allow
>          user:10049:-w-p---A---C--:fd----:deny
>          user:10049:r-x---a---c--s:fd----:allow
>          user:10072:-------A---C--:fd----:deny
>          user:10072:rwxpD-a---c--s:fd----:allow
>                group@:------a---c--s:fd----:allow
>       group:10008:rwxpD-a---c--s:fd----:allow
>           group:544:rwxpD-a---c--s:fd----:allow
>       group:10131:r-x---a---c--s:fd----:allow
>                group@:rwxp---A---C--:fd----:deny
>       group:10008:-------A---C--:fd----:deny
>           group:544:-------A---C--:fd----:deny
>       group:10131:-w-p---A---C--:fd----:deny
>          everyone@:rwxp---A---C--:fd----:deny
>          everyone@:------a---c--s:fd----:allow
> 
> I was happy, but Windows made me sad. When I tried to look at
> permissions of a file or a directory with a Windows file browser I
> had a warning about the ordering of permissions. Then I tried to edit
> permissions, allowed reordering, and got this result:
> 
> Code:
> 
> getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
> # file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
> # owner: 10051
> # group: 513
>          user:10015:-w-pD--A---C--:fd----:deny
>          user:10049:-w-pD--A---C--:fd----:deny
>          user:10072:-------A---C--:fd----:deny
>                group@:rwxpD--A---C--:fd----:deny
>       group:10008:-------A---C--:fd----:deny
>            group:544:-------A---C--:fd----:deny
>       group:10131:-w-pD--A---C--:fd----:deny
>          everyone@:rwxpD--A---C--:fd----:deny    <<<<<<<<<
>               owner@:rwxpD-aA--cC--:fd----:allow
>         user:10015:r-x---a---c---:fd----:allow
>         user:10049:r-x---a---c---:fd----:allow
>         user:10072:rwxpD-a---c---:fd----:allow
>               group@:------a---c---:fd----:allow
>      group:10008:rwxpD-a---c---:fd----:allow
>           group:544:rwxpD-a---c---:fd----:allow
>       group:10131:r-x---a---c---:fd----:allow
>           everyone@:------a---c---:fd----:allow
> 
> But it won't work, because of (everyone@:rwxpD--A---C--:fd----:deny).
> It's a mess. As it turned out, according to
> http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx
> <http://msdn.microsoft.com/en-us/library/windows/desktop/aa379298%28v=vs.85%29.aspx>,
> it's the Windows rule for ordering permissions.
> 
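An added illustration of the order dependence Rick describes, not code from the thread: a small Python evaluator that walks an NFSv4 ACL ACE by ACE in the RFC 3530 manner, run over the two ACLs quoted above (the script's output and the Windows deny-first reordering). It assumes the directory's owner uid 10051 and group 513 from the thread, uses a constructed uid 20000 as a member of group 544, and ignores FreeBSD-specific extras such as the owner's implicit right to read the ACL.

```python
"""Order-dependent NFSv4 ACL evaluation over the two ACLs quoted in the thread."""
ORIGINAL = """
owner@:--------------:fd----:deny owner@:rwxpD-aA--cC-s:fd----:allow
user:10015:-w-p---A---C--:fd----:deny user:10015:r-x---a---c--s:fd----:allow
user:10049:-w-p---A---C--:fd----:deny user:10049:r-x---a---c--s:fd----:allow
user:10072:-------A---C--:fd----:deny user:10072:rwxpD-a---c--s:fd----:allow
group@:------a---c--s:fd----:allow group:10008:rwxpD-a---c--s:fd----:allow
group:544:rwxpD-a---c--s:fd----:allow group:10131:r-x---a---c--s:fd----:allow
group@:rwxp---A---C--:fd----:deny group:10008:-------A---C--:fd----:deny
group:544:-------A---C--:fd----:deny group:10131:-w-p---A---C--:fd----:deny
everyone@:rwxp---A---C--:fd----:deny everyone@:------a---c--s:fd----:allow
"""
# The same ACL after Windows moved every deny ACE ahead of every allow ACE.
REORDERED = """
user:10015:-w-pD--A---C--:fd----:deny user:10049:-w-pD--A---C--:fd----:deny
user:10072:-------A---C--:fd----:deny group@:rwxpD--A---C--:fd----:deny
group:10008:-------A---C--:fd----:deny group:544:-------A---C--:fd----:deny
group:10131:-w-pD--A---C--:fd----:deny everyone@:rwxpD--A---C--:fd----:deny
owner@:rwxpD-aA--cC--:fd----:allow user:10015:r-x---a---c---:fd----:allow
user:10049:r-x---a---c---:fd----:allow user:10072:rwxpD-a---c---:fd----:allow
group@:------a---c---:fd----:allow group:10008:rwxpD-a---c---:fd----:allow
group:544:rwxpD-a---c---:fd----:allow group:10131:r-x---a---c---:fd----:allow
everyone@:------a---c---:fd----:allow
"""
def parse_acl(text):
    """getfacl(1) NFSv4 entries 'who:perms:flags:type' -> list of (who, perm letters, type)."""
    fields = (entry.rsplit(":", 3) for entry in text.split())
    return [(who, set(perms) - {"-"}, kind) for who, perms, _flags, kind in fields]

def applies(who, uid, gids, owner_uid, owner_gid):
    """Does the ACE principal cover a requester with this uid and set of gids?"""
    if who in ("owner@", "group@", "everyone@"):
        return {"owner@": uid == owner_uid, "group@": owner_gid in gids, "everyone@": True}[who]
    kind, ident = who.split(":")
    return uid == int(ident) if kind == "user" else int(ident) in gids

def check_access(acl, uid, gids, wanted, owner_uid=10051, owner_gid=513):
    """Simplified RFC 3530 evaluation, ACE by ACE in order: a matching deny covering any
    still-unsatisfied bit denies, allows satisfy bits, bits left at the end deny.
    Default owner uid/gid are those of the directory in the thread."""
    remaining = set(wanted)          # e.g. "rw" -> {"r", "w"}; letters as in the perms field
    for who, perms, kind in parse_acl(acl):
        if not applies(who, uid, gids, owner_uid, owner_gid):
            continue
        if kind == "deny" and remaining & perms:
            return False             # first matching deny wins for any outstanding bit
        if kind == "allow":
            remaining -= perms
        if not remaining:
            return True              # every requested bit has been granted
    return False                     # ran off the end with bits still ungranted
```

With the deny-first ordering the group@ and everyone@ deny ACEs carrying rwxp are reached before any allow, so even the owner and the rwx groups are refused; with the original ordering each principal's own allow is reached first and only the bits its own deny names are withheld.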