Solved ZFS equivalent of uchg flag?

This is on FreeBSD 9.0, where I am a very happy user of a largish (1TB) mirrored ZFS file system. I want to protect some files against accidental modification and deletion by users. On UFS/FFS file systems, that was easily done using the uchg or schg flags.

As we know, ZFS on FreeBSD doesn't support the UFS-style flags. So "chflags uchg /zfs/foo" won't work.

So I tried using ACLs. POSIX ACLs only allow control of read, write and execute, so they can't be used to prevent deletion. So we go to NFSv4 style ACLs. I tried the following: "setfacl -m everyone@:wD:deny /zfs/foo". That helps somewhat: it prevents modification of the file (by writing over it). But it does not prevent the file from being deleted (or equivalently renamed away). For some reason, the "D" field in the ACL does not actually prevent deletion of the file. By the way, I also tried the D, W and C flags in the ACL; none of them prevent file deletion.

So, is there a convenient way to prevent files from being deleted? Or am I using the ACLs wrong?

Just for completeness, here is a set of non-options:
  • Normal access permissions (the rwx bits) don't prevent deletion (yes, I know they are actually stored as POSIX ACLs in ZFS).
  • I'm only interested in "doorknob" protection. It's perfectly fine for the user to make a conscious choice that a file no longer needs to be protected. I'm looking for something that prevents accidents like "rm -Rf foo" or "ls > foo" when foo is "valuable".
  • Take snapshots, backups, and remote backups. I do all these already. If a file is accidentally modified or deleted, I can get it back. But that is a lot of work; I'm trying to prevent the accident in the first place.
  • Making the whole file system readonly, or changing permissions on the enclosing directory to prevent any modification to the directory: The user needs to be able to create and modify other files; just some valuable files ought to be "immutable" or "archived".
  • Change ownership of these files to someone else (if necessary to root). First, it requires becoming root (inconvenient). Plus it doesn't prevent deletion of files (a user can delete a file if he owns the directory the file is in, even if the file is owned by someone else).
 
Never did. It wasn't worth the effort to spend lots of hours decoding the ACL implementation in ZFS, because I have good backups: if a file really were deleted, I could copy it back from a backup in a few minutes.

What I do in the meantime is to simply change the permission of immutable files to 444 (r--r--r--). This is mostly for paperless document management: after I scan a whole pile of paper into dozens of PDF files, I chmod all of them to 444, so the files don't get changed by mistake (for example when running a PDF viewer over them, you could hit the delete key and remove one page otherwise). And I occasionally change whole directories to 555 (r-xr-xr-x), when it is clear that no new files will have to be added (and no files should ever be removed). For example, at the beginning of 2018, after I'm sure I have scanned all receipts from shopping in 2017, I do "mkdir /home/docs/Receipts/2018" and "chmod 555 /home/docs/Receipts/2017".

All of this could be automated with scripts; but for a normal household's amount of paperwork and files, it isn't worth the effort.
 
I only skimmed the first message but these days ZFS easily supports extended flags such as schg:

Code:
root@unicron:/boot/kernel # chflags schg kernel
root@unicron:/boot/kernel # rm kernel
override r-xr-xr-x  root/wheel schg,uarch for kernel? y
rm: kernel: Operation not permitted
So I'm tempted to say the original problem has been resolved in the meantime.
 
Very cool ... someone else solved a problem for me, without me having to lift a finger! This lazy person is delighted.

Unfortunately, this creates work for me. Now I need to design a system to set flags to make files unchangeable or undeletable, based on reasonable criteria. Not the next two weekends, I'm too busy. But this is really good news, which I missed somehow.
 
I was trying to do that inside a jail without success, and reply #4 by ShelLuser made me review the jail(8) manual once again. The allow.chflags setting does exactly what I was looking for: now a privileged user can set flags even in a jail running on top of ZFS.
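
The chmod 444/555 routine and the chflags step described in the posts above, combined into one script as an added example (not part of any original post). The function names seal_tree, unseal_tree and list_writable are made up for illustration, uchg is used rather than schg so the owner can undo it, and the chflags step is skipped where chflags(1) is not installed.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from the thread.

# seal_tree DIR: files become 444, directories 555; where chflags(1)
# exists (FreeBSD), also set uchg so rm fails even for the owner.
seal_tree() {
    dir=$1
    [ -d "$dir" ] || { echo "seal_tree: not a directory: $dir" >&2; return 2; }
    find "$dir" -type f -exec chmod 444 {} + || return 1
    find "$dir" -type d -exec chmod 555 {} + || return 1
    if command -v chflags >/dev/null 2>&1; then
        # Fails on file systems without flag support; mode bits still apply.
        chflags -R uchg "$dir" ||
            echo "seal_tree: chflags failed, mode bits only: $dir" >&2
    fi
    return 0
}

# unseal_tree DIR: the deliberate reverse step; clears uchg, restores owner write.
unseal_tree() {
    dir=$1
    [ -d "$dir" ] || { echo "unseal_tree: not a directory: $dir" >&2; return 2; }
    if command -v chflags >/dev/null 2>&1; then
        chflags -R nouchg "$dir" 2>/dev/null || true
    fi
    find "$dir" -type d -exec chmod u+w {} + || return 1
    find "$dir" -type f -exec chmod u+w {} + || return 1
}

# list_writable DIR: print every file or directory under DIR that still has
# a write bit set for anyone; empty output means the tree is sealed.
list_writable() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -0200 -o -perm -0020 -o -perm -0002 \) -print
}

# Usage, with the directory from the post as sample path:
#   seal_tree /home/docs/Receipts/2017 && list_writable /home/docs/Receipts/2017
```

Running list_writable from cron over the sealed directories gives a cheap check that nothing has been unsealed and forgotten.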
 