NFSv4 ACLs - deny owner write ACL permission

owner@ is always allowed to write ACLs as a foot-shooting protection mechanism. Sometimes I really want to shoot my foot.

In Samba with "zfsacl" enabled and "nfs4:mode = simple", owner@ roughly corresponds with "creator-owner". There are times when I'm wearing my Windows/Samba admin hat that I want to limit the ability of non-admin users (including "creator-owner") to modify permissions in a share. At present, I don't believe there's a way to do this in FreeBSD, even using the command setfacl -m owner@:C:fd:deny /path/to/share

Does anyone have a workaround for this?
 
Did you ever figure out how to solve this? I am also interested in how to prevent owner@ from being able to modify ACLs. I see that this fix exists for ZFS on Solaris-based systems, however the .zfs/shares directory does not seem to exist on OpenZFS. How else can owner@ be prevented from being able to modify ACLs?
 

I am aware of this, but on Solaris ZFS, you can follow these instructions to change the ACL set for everyone@ to modify_set, which prevents owners from modifying the ACLs on files they own:
Code:
/usr/bin/chmod A=\
user:root:full_set:-------:allow,\
everyone@:modify_set:-------:allow \
/zroot/datasets/example/.zfs/shares/example

However, OpenZFS does not appear to have the .zfs/shares directory so I cannot apply this same solution on OpenZFS-based systems.


Simplest solution: change the ownership of the files. If the user doesn't own the file, he/she can't change the ACL.

Right, but how do I allow users to create files over NFSv4 but prevent them from owning the files they create?
 