I have posted this as part of the thread found at http://forums.freebsd.org/showthread.php?p=227701#post227701 also.
I am using a FreeBSD (9.0 - or possibly 9.1) system derived from the ZFSguru distribution. I have a ZFS (pool v15 fs v4) pool set up.
aclinherit and aclmode are both set to 'passthrough' on all the filesystems in the pool, and the pool root itself also. The correct 'NFSv4' ACL data is being shown by getfacl.
There's no indication that POSIX.1e ACL's are being used, and in fact trying to set 'default' ACL entries gets me an error message about these being redundant for NFSv4 - clearly, NFSv4 ACL's are in effect, and working.
BUT: FreeBSD will only respect the Unix 9-bit mode when checking file permissions.
This is *completely broken* as far as having ACL's in use in your filesystem, because FreeBSD is basically circumventing whatever's in them (besides the rwx permission bits). The whole point of ACL's is to be able to set permissions more finely grained than rwx, and to not have to rely on silly conventions (e.g. needing 'x' to read a directory, instead of just 'r').
In the NFSv4 ACL's used in ZFS, you can set these permissions bits in the ACL for owner@ (the owner of a file/directory at the time) or a specific user (e.g. user:somedude); FreeBSD will at least interpret these entries, as far as taking notice that you've assigned permissions to different entities.
For example, stripping all permissions for everyone@, but adding 'wx' for a specific user, as above, will give somedude wx permissions and everyone else outside of group/owner no permissions; user somedude can make files and edit them in the directory where these ACE's are included, while any other (non-owner, non-group) users won't have any permissions. somedude can also delete the files they create; but somedude can't list the directory contents of the directory they're in (because they lack the 'r' permission).
BUT - no other permissions in the ACL (like p/append, d/delete child, R/read xattribs, etc.) will be respected. They also won't be interpreted as meaning anything - having p/append without 'w' write won't let you append to files, it will just prevent you from writing anything; having p and w will let you write to any part of the file, not just append.
So, continuing with the previous example, if I set somedude's ACE on the current directory to something equivalent to the Unix 'wx', like this:
(write files, append data to a file, create sub-directories, delete child files/directories)
I can't do *anything* in this directory, because I no longer have the 'x' execute permission - which in an ACL should only grant the permission to execute files (scripts and binaries) -- but to Unix, is necessary to read directory contents (and apparently, do anything in a directory, even if you have write permission to it).
So what the hell, FreeBSD? Why can I use a ZFS filesystem, employ it's NFSv4 ACL's, set and read them correctly, but not have them respected? Are only clients on NFS (v4) going to respect these ACL's? Only people mounting my pool via Solaris 10/11?
Is this the fault of FreeBSD, or Bash, or ZFS, or some setting in rc.conf or the kernel, or what?
If anyone could shed light on this I would eternally grateful, it's driving me insane so far.
I am using a FreeBSD (9.0 - or possibly 9.1) system derived from the ZFSguru distribution. I have a ZFS (pool v15 fs v4) pool set up.
aclinherit and aclmode are both set to 'passthrough' on all the filesystems in the pool, and the pool root itself also. The correct 'NFSv4' ACL data is being shown by getfacl.
Code:
bx83@myhost: ~ $ getfacl ./
# file: ./
# owner: bx83
# group: bx83
user:somedude:-wx-----------:------:allow
owner@:rwxp--aARWcCos:------:allow
group@:r-x---a-R-c--s:------:allow
everyone@:------a-R-c--s:------:allow
There's no indication that POSIX.1e ACL's are being used, and in fact trying to set 'default' ACL entries gets me an error message about these being redundant for NFSv4 - clearly, NFSv4 ACL's are in effect, and working.
BUT: FreeBSD will only respect the Unix 9-bit mode when checking file permissions.
This is *completely broken* as far as having ACL's in use in your filesystem, because FreeBSD is basically circumventing whatever's in them (besides the rwx permission bits). The whole point of ACL's is to be able to set permissions more finely grained than rwx, and to not have to rely on silly conventions (e.g. needing 'x' to read a directory, instead of just 'r').
In the NFSv4 ACL's used in ZFS, you can set these permissions bits in the ACL for owner@ (the owner of a file/directory at the time) or a specific user (e.g. user:somedude); FreeBSD will at least interpret these entries, as far as taking notice that you've assigned permissions to different entities.
For example, stripping all permissions for everyone@, but adding 'wx' for a specific user, as above, will give somedude wx permissions and everyone else outside of group/owner no permissions; user somedude can make files and edit them in the directory where these ACE's are included, while any other (non-owner, non-group) users won't have any permissions. somedude can also delete the files they create; but somedude can't list the directory contents of the directory they're in (because they lack the 'r' permission).
BUT - no other permissions in the ACL (like p/append, d/delete child, R/read xattribs, etc.) will be respected. They also won't be interpreted as meaning anything - having p/append without 'w' write won't let you append to files, it will just prevent you from writing anything; having p and w will let you write to any part of the file, not just append.
So, continuing with the previous example, if I set somedude's ACE on the current directory to something equivalent to the Unix 'wx', like this:
Code:
user:somedude:-w-p-dD-------:------:allow
I can't do *anything* in this directory, because I no longer have the 'x' execute permission - which in an ACL should only grant the permission to execute files (scripts and binaries) -- but to Unix, is necessary to read directory contents (and apparently, do anything in a directory, even if you have write permission to it).
So what the hell, FreeBSD? Why can I use a ZFS filesystem, employ it's NFSv4 ACL's, set and read them correctly, but not have them respected? Are only clients on NFS (v4) going to respect these ACL's? Only people mounting my pool via Solaris 10/11?
Is this the fault of FreeBSD, or Bash, or ZFS, or some setting in rc.conf or the kernel, or what?
If anyone could shed light on this I would eternally grateful, it's driving me insane so far.