ACL behavior

Hi all,

I have a question about NFSv4 ACLs in ZFS. I set the ACL permissions for a file as follows:
Code:
# file: a
# owner: manny
# group: wheel
          user:manny:rw------------:------:allow
              group@:r-x---a-R-c--s:------:allow
           everyone@:r-x---a-R-c--s:------:allow

I gave Manny only "rw" permission on the file "a", not "delete" permission, but I can still delete it. Why?

Root sets the ACL permissions; Manny logs in to test them.
 
Deleting a file under UNIX or UNIX like operating systems is an operation on the directory where the file is located. Look at the permissions/ACLs of the directory instead of the file.
 
Thanks to @kpa.

I tried it again and set the ACL permissions on the directory, but I found a few things. The folder permissions are as follows, and there are some files/folders in this folder.
  1. If the folder only has "r" permission, you can't enter the folder. It needs the "rx" permission.
  2. If I set the "wx" permission on this folder, I can delete the files/folders in it.

Is this behavior right?
 
I would also like to know the answer to this, I have been searching endlessly for stuff relating to this problem.

It seems that on a ZFS system, even with aclinherit and aclmode BOTH set to 'passthrough', and with the correct 'NFSv4' ACL data being shown by getfacl (eg "user:manny:rwxp----------:------:allow"), FreeBSD will only respect the Unix 9-bit mode for checking file permissions.

This is *completely broken* as far as having ACLs in use in your filesystem, because FreeBSD is basically circumventing whatever's in them (besides the rwx perms/bits).

In the NFSv4 ACLs used in ZFS, you can set these permission bits in the ACL for owner@ (the owner of a file/directory at the time) or a specific user (e.g. user:manny); FreeBSD will at least interpret these entries, as far as taking notice that you've assigned perms to different entities.

For example, stripping all permissions for everyone@:

Code:
everyone@:--------------:------:allow

but adding rwx just for user:manny

Code:
user:manny:rwx-----------:------:allow

will give manny rwx permissions and everyone else outside of group/owner no permissions; user manny can make files and edit them in the directory with these ACEs included, but any other (non-owner, non-group) users won't have any permissions.

BUT - no other permissions in the ACL (like p/append, d/delete child, R/read xattribs, etc) will be respected.

I have yet to figure out how to get around this and have FreeBSD respect the full ACL's permissions. If anyone could shed light on this I would be eternally grateful; it's driving me insane so far.
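Pulling together the two observations in this thread (deletion is decided by the directory, not the file, and the compact mask carries more than the rwx letters), here is an added example that is not code from the thread, from FreeBSD or from ZFS. It parses constructed getfacl(1)-style text with only sh and awk, so it runs without a ZFS pool, and evaluates a simplified version of the delete rule: d (delete) on the file or D (delete_child) on the directory allows the unlink, an explicit deny of D on the directory refuses it, and otherwise w plus x on the directory is enough. The ACL contents, the principal list passed in by the caller and that decision rule are my assumptions; the mask letter order rwxpDdaARWcCos is FreeBSD's.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate the NFSv4 delete rule over
# constructed getfacl-style output. Compact mask order on FreeBSD is
# rwxpDdaARWcCos: D = delete_child (on the directory), d = delete (on the file).

# Constructed ACL for the file "a" as in the thread: manny has rw, no d bit.
FILE_ACL='# file: a
# owner: manny
# group: wheel
          user:manny:rw------------:------:allow
              group@:r-x---a-R-c--s:------:allow
           everyone@:r-x---a-R-c--s:------:allow'

# Constructed parent-directory ACL: manny has w and x but no D.
DIR_WX_ACL='# file: .
# owner: root
# group: wheel
          user:manny:-wx-----------:------:allow
              group@:r-x---a-R-c--s:------:allow
           everyone@:r-x---a-R-c--s:------:allow'

# Constructed parent-directory ACL: manny can only list and traverse it.
DIR_RX_ACL='# file: .
# owner: root
# group: wheel
          user:manny:r-x-----------:------:allow
           everyone@:r-x---a-R-c--s:------:allow'

# Constructed parent-directory ACL: an explicit deny of D for manny placed
# before a permissive everyone@ entry (NFSv4 ACEs are evaluated in order).
DIR_DENY_ACL='# file: .
# owner: root
# group: wheel
          user:manny:----D---------:------:deny
           everyone@:rwx---a-R-c--s:------:allow'

# ace_grants ACL "PRINCIPALS" LETTER -> prints allow, deny or none.
# Reports the type of the first ACE whose principal is in the space-separated
# PRINCIPALS list (e.g. "user:manny everyone@", resolved by the caller for the
# user being checked) and whose mask carries LETTER. Header comments and
# inherit-only (i) ACEs, which never apply to the object itself, are skipped.
ace_grants() {
    printf '%s\n' "$1" | awk -v who="$2" -v bit="$3" '
        BEGIN { c = split(who, w, " "); for (i = 1; i <= c; i++) want[w[i]] = 1 }
        /^#/ || NF == 0 { next }
        {
            n = split($1, f, ":")
            if (n == 5) { p = f[1] ":" f[2]; mask = f[3]; flags = f[4]; type = f[5] }
            else        { p = f[1];          mask = f[2]; flags = f[3]; type = f[4] }
            if (!(p in want) || index(flags, "i") > 0) next
            if (index(mask, bit) > 0) { found = 1; print type; exit }
        }
        END { if (!found) print "none" }'
}

# can_delete FILE_ACL DIR_ACL "PRINCIPALS" -> allow or deny
# Simplified model (my assumption, consistent with what the thread observes;
# privilege checks the kernel also performs are ignored): d on the file or D
# on the directory allows the unlink; an explicit deny of D on the directory
# refuses it; otherwise the classic rule applies and w plus x on the directory
# is enough, which is why "wx" lets manny delete a file whose ACL has no d.
can_delete() {
    file_d=$(ace_grants "$1" "$3" d)
    dir_D=$(ace_grants "$2" "$3" D)
    if [ "$file_d" = allow ] || [ "$dir_D" = allow ]; then
        echo allow; return
    fi
    if [ "$dir_D" = deny ]; then
        echo deny; return
    fi
    if [ "$(ace_grants "$2" "$3" w)" = allow ] && [ "$(ace_grants "$2" "$3" x)" = allow ]; then
        echo allow
    else
        echo deny
    fi
}

# Stand-alone run: the decision for manny against each constructed directory.
printf 'wx on dir:     %s\n' "$(can_delete "$FILE_ACL" "$DIR_WX_ACL" 'user:manny everyone@')"
printf 'rx on dir:     %s\n' "$(can_delete "$FILE_ACL" "$DIR_RX_ACL" 'user:manny everyone@')"
printf 'deny D on dir: %s\n' "$(can_delete "$FILE_ACL" "$DIR_DENY_ACL" 'user:manny everyone@')"
```

The practical check this encodes: when auditing who can remove a file, read the ACL of the containing directory for D, w and x, not just the file's own entry, and remember that an explicit deny placed earlier in the ACE list wins over a later allow.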
 