[Solved] ACL help please

mefizto:
Greetings all,

I have a dataset to which I would like to deny user Bob any access. Unfortunately, Bob is a member of group Others, which has read access. So I started reading about ACLs and had the false impression that I understood them, until I found this article: https://www.skytale.net/blog/archives/26-Creating-a-write-only-directory-with-SAMBA-and-ZFS.html, with the following command result:
Code:
# ls -lVd /tank/share/incoming
drwxrwxrwx+  5 root     root           6 Dec 12 16:49 /tank/share/incoming
               user:sun:-w--dD--------:fdi----:allow
               user:sun:-w--dD--------:-------:allow
              everyone@:-w--dD--------:f-i----:deny
              everyone@:----dD--------:-di----:deny
              everyone@:----dD--------:-------:deny
              everyone@:rwxp--a-R-c--s:-di----:allow
              everyone@:r-xp--a-R-c--s:f-i----:allow
              everyone@:rwxp--a-R-c--s:-------:allow
Looking at line 4, everyone@ is denied w and i, but then in line 6 everyone is allowed w and d. The text explains that "The third block consists of the last three lines and restores some rights to non privileged users", but my understanding is that restrictive permissions take precedence over lenient permissions; therefore, the text does not make sense to me. Is my understanding wrong?

Also, I am confused by the multiple lines for everyone@.

Is there a more detailed reference that I missed and that you can point me to?

Kindest regards,

M

trasz@ (Developer):
With NFSv4 ACLs, which means ACLs on ZFS, the ACL entries are evaluated in order, so when you match a deny@ entry before you match an allow@, you're denied access.
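As an added illustration of the ordered walk described in the reply above (example code written for this page, not code from the thread, the linked article or the FreeBSD kernel): the evaluator below follows the NFSv4 rule that each requested permission bit is decided by the first matching entry that mentions it, and that a deny entry reached while any requested bit is still undecided ends the walk. It parses the compact `getfacl`/`ls -V` form used in the listing above, skips inherit-only entries when checking the directory itself, and derives the entries a new file would inherit. The `user:bob` / `group:others` ACL and the user and group names are constructed here for the original question; the simplified inheritance ignores `no_propagate` and only handles plain files, and the parser accepts only `allow`/`deny` entries.

```python
# Added example: minimal NFSv4 ACL evaluator. Not FreeBSD's implementation;
# the bob/others scenario and all names below are constructed for illustration.
from dataclasses import dataclass

# Compact permission letters in the order getfacl -v / ls -V prints them:
# r=read_data w=write_data x=execute p=append_data d=delete D=delete_child
# a=read_attributes A=write_attributes R=read_xattr W=write_xattr
# c=read_acl C=write_acl o=write_owner s=synchronize
PERM_LETTERS = "rwxpdDaARWcCos"
# Inheritance flags we care about: f=file_inherit d=dir_inherit i=inherit_only n=no_propagate
FLAG_LETTERS = "fdin"


@dataclass(frozen=True)
class Ace:
    principal: str      # "owner@", "group@", "everyone@", "user:NAME" or "group:NAME"
    perms: frozenset    # letters from PERM_LETTERS granted or denied by this entry
    flags: frozenset    # letters from FLAG_LETTERS
    kind: str           # "allow" or "deny"


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset   # names of all groups the user belongs to


def parse_ace(line: str) -> Ace:
    """Parse one compact entry such as 'everyone@:----dD--------:-di----:deny'."""
    principal, perms, flags, kind = line.strip().rsplit(":", 3)
    if kind not in ("allow", "deny"):
        raise ValueError(f"unsupported entry type {kind!r}")
    if len(perms) != len(PERM_LETTERS):
        raise ValueError(f"bad permission field {perms!r}")
    granted = set()
    for pos, ch in enumerate(perms):
        if ch == "-":
            continue
        if ch != PERM_LETTERS[pos]:           # letters are positional in the compact form
            raise ValueError(f"unexpected {ch!r} at position {pos} in {perms!r}")
        granted.add(ch)
    return Ace(principal, frozenset(granted),
               frozenset(ch for ch in flags if ch in FLAG_LETTERS), kind)


def parse_acl(text: str) -> list:
    return [parse_ace(ln) for ln in text.splitlines() if ln.strip()]


def principal_matches(ace: Ace, who: Subject, owner: str, owning_group: str) -> bool:
    p = ace.principal
    if p == "everyone@":
        return True
    if p == "owner@":
        return who.user == owner
    if p == "group@":
        return owning_group in who.groups
    kind, name = p.split(":", 1)
    return name == who.user if kind == "user" else name in who.groups


def check_access(acl, who, owner, owning_group, requested):
    """Walk the ACL in order. Every requested bit is decided by the first matching
    entry that mentions it; a deny hitting an undecided bit ends the walk.
    Returns (allowed, index of the deciding entry or None if nothing granted it)."""
    remaining = set(requested)
    for idx, ace in enumerate(acl):
        if "i" in ace.flags:                  # inherit_only: children only, not this object
            continue
        if not principal_matches(ace, who, owner, owning_group):
            continue
        hit = remaining & ace.perms
        if not hit:                           # entry says nothing about the bits still open
            continue
        if ace.kind == "deny":
            return False, idx
        remaining -= hit
        if not remaining:
            return True, idx
    return False, None                        # bits no entry granted are denied


def inherited_file_acl(acl) -> list:
    """Entries a newly created plain file inherits: those flagged f, flags cleared."""
    return [Ace(a.principal, a.perms, frozenset(), a.kind) for a in acl if "f" in a.flags]


# The listing from the linked article, as quoted in the question.
INCOMING_ACL = parse_acl("""
user:sun:-w--dD--------:fdi----:allow
user:sun:-w--dD--------:-------:allow
everyone@:-w--dD--------:f-i----:deny
everyone@:----dD--------:-di----:deny
everyone@:----dD--------:-------:deny
everyone@:rwxp--a-R-c--s:-di----:allow
everyone@:r-xp--a-R-c--s:f-i----:allow
everyone@:rwxp--a-R-c--s:-------:allow
""")

# Constructed ACL for the original question: deny bob although he is in "others".
DENY_BOB_FIRST = parse_acl("""
user:bob:rwxpdDaARWcCos:-------:deny
group:others:r-x---a-R-c--s:-------:allow
owner@:rwxpdDaARWcCos:-------:allow
""")
DENY_BOB_LAST = DENY_BOB_FIRST[1:] + DENY_BOB_FIRST[:1]   # same entries, deny moved last

BOB = Subject("bob", frozenset({"others"}))
SUN = Subject("sun", frozenset({"sun"}))

if __name__ == "__main__":
    print("bob read, deny first:", check_access(DENY_BOB_FIRST, BOB, "root", "wheel", "r"))
    print("bob read, deny last: ", check_access(DENY_BOB_LAST, BOB, "root", "wheel", "r"))
    print("bob create in dir:   ", check_access(INCOMING_ACL, BOB, "root", "root", "w"))
    print("bob delete in dir:   ", check_access(INCOMING_ACL, BOB, "root", "root", "d"))
    child = inherited_file_acl(INCOMING_ACL)
    print("bob write new file:  ", check_access(child, BOB, "root", "root", "w"))
    print("sun write new file:  ", check_access(child, SUN, "root", "root", "w"))
```

Running it shows the two points the question turns on: bob is refused when his deny entry sits before the `group:others` allow, and allowed when the same entry sits after it, because the read bit has already been decided by the time the deny is reached. On the article's directory the three `i` entries never apply to the directory itself; they only exist to be copied onto new files, where the `everyone@ -w--dD deny` lands before the `everyone@ r-xp allow` and so blocks writes while still permitting reads. For the original problem the practical step is therefore to put a `user:bob:...:deny` entry at position 0 (on FreeBSD, `setfacl -a 0 ... /path`) rather than anywhere after the group allow.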