Question about ACL under ZFS

Hello,

First my configuration.

I am using ZFS with one raidz pool:
Code:
root# zpool list
NAME       SIZE   USED  AVAIL    CAP  HEALTH  ALTROOT
homeData  7.25T  2.74T  4.51T    37%  ONLINE  -
and four ZFS filesystems:
Code:
root# zfs list
NAME                         USED  AVAIL  REFER  MOUNTPOINT
homeData                    2.06T  3.28T  2.02T  /homeData
homeData/A                  34.6G  3.28T  34.6G  /mountA
homeData/B                   758M  3.29T   758M  /mountB
homeData/testACL2           44.1K  3.28T  44.1K  /homeData/testACL2

We will focus on "/homeData" and "/homeData/testACL2".
The ZFS ACL properties are set as shown below:
Code:
NAME               PROPERTY    VALUE              SOURCE
homeData           aclinherit  discard            local
homeData           aclmode     discard            local
homeData/testACL2  aclinherit  passthrough        local
homeData/testACL2  aclmode     passthrough        local

Here is the ACL for "homeData" (default):
Code:
# file: /homeData/
# owner: root
# group: wheel
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow

and here is the one for "testACL2" (custom):
Code:
# file: /homeData/testACL2/
# owner: root
# group: wheel
            owner@:--------------:fd----:deny
            owner@:rwxp---A-W-Co-:fd----:allow
            group@:--------------:fd----:deny
            group@:rwxp----------:fd----:allow
         everyone@:rwxpDdaARWcCos:fd----:deny

Ok, now the question.
If I create a directory under "/homeData/testACL2" like this:
Code:
root# mkdir /homeData/testACL2/dir1
the ACLs are as expected:
Code:
# file: /homeData/testACL2/dir1/
# owner: root
# group: wheel
            owner@:--------------:fdi---:deny
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:fdi---:allow
            owner@:rwxp---A-W-Co-:------:allow
            group@:--------------:fdi---:deny
            group@:--------------:------:deny
            group@:rwxp----------:fdi---:allow
            group@:rwxp----------:------:allow
         everyone@:rwxpDdaARWcCos:fdi---:deny
         everyone@:rwxpDdaARWcCos:------:deny

That's great.
I have created another directory on a UFS filesystem without the "acl" property and then moved it under the ZFS "testACL2" filesystem.
Code:
root# mkdir /tmp/dir2
root# mv /tmp/dir2 /homeData/testACL2/

The problem is here; the ACLs aren't as expected:
Code:
# file: /homeData/testACL2/dir3
# owner: root
# group: wheel
            # green:
            owner@:--------------:fdi---:deny
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:fdi---:allow
            # blue:
            owner@:-------A-W-Co-:------:allow
            # green:
            group@:--------------:fdi---:deny
            group@:--------------:------:deny
            group@:rwxp----------:fdi---:allow
            # blue:
            group@:--------------:------:allow
            # green:
         everyone@:rwxpDdaARWcCos:fdi---:deny
            # blue:
         everyone@:----DdaARWcCos:------:deny
            # red:
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow

It seems to be a mix of homeData, testACL2 and other.

It seems that the three ACEs in blue are the same as the ones just above (in green) but without the first four bits (rwxp).

Is this normal? How can I avoid that behavior?
Each file or directory moved from one place to another will get a "wrong" ACL.
I will have to modify each one by hand.

Thank you.

Best regards,
 
Hello phoenix,

I think this part of aclinherit is interesting:
Code:
When the property value is set to "passthrough," files are created
with a mode determined by the inheritable ACEs. If  no  inheritable
ACEs exist that affect the mode, then the mode is set in accordance
to the requested mode from the application.

It doesn't change anything, I don't know why.
I must be missing a trick.

All mode bits are specified for owner@, group@ and everyone@ in either allow or deny.

Here is the new ACL of the parent directory:
Code:
# file: /testACL2/
# owner: root
# group: wheel
            owner@:-------------s:------:deny
            owner@:rwxpDdaARWcCo-:------:allow
            owner@:-------------s:fd----:deny
            owner@:rwxpDdaARWcCo-:fd----:allow
            group@:-------------s:------:deny
            group@:rwxpDdaARWcCo-:------:allow
            group@:-------------s:fd----:deny
            group@:rwxpDdaARWcCo-:fd----:allow
         everyone@:-w-pDd-A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow
         everyone@:-w-pDd-A-W-Co-:fd----:deny
         everyone@:r-x---a-R-c--s:fd----:allow

Now about dir1:
Code:
root# mkdir /testACL2/dir1
root# getfacl /testACL2/dir1
# file: /testACL2/dir1
# owner: root
# group: wheel
            owner@:-------------s:fdi---:deny
            owner@:-------------s:------:deny
            owner@:rwxpDdaARWcCo-:fdi---:allow
            owner@:rwxpDdaARWcCo-:------:allow
            group@:-------------s:fdi---:deny
            group@:-------------s:------:deny
            group@:rwxpDdaARWcCo-:fdi---:allow
            group@:rwxpDdaARWcCo-:------:allow
         everyone@:-w-pDd-A-W-Co-:fdi---:deny
         everyone@:-w-pDd-A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:fdi---:allow
         everyone@:r-x---a-R-c--s:------:allow

And for dir2:
Code:
root# mkdir /tmp/dir2
root# mv /tmp/dir2 /testACL2/
root# getfacl /testACL2/dir2
# file: /testACL2/dir2
# owner: root
# group: wheel
            owner@:-------------s:fdi---:deny
            owner@:-------------s:------:deny
            owner@:rwxpDdaARWcCo-:fdi---:allow
            owner@:----DdaARWcCo-:------:allow
            group@:-------------s:fdi---:deny
            group@:-------------s:------:deny
            group@:rwxpDdaARWcCo-:fdi---:allow
            group@:----DdaARWcCo-:------:allow
         everyone@:-w-pDd-A-W-Co-:fdi---:deny
         everyone@:----Dd-A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:fdi---:allow
         everyone@:------a-R-c--s:------:allow
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow

Are mkdir and mv handled in different ways by ZFS ACLs?
Please give me an example where it works.

Thank you.
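
The two getfacl listings in this post (dir1 created with mkdir, dir2 created on UFS and moved in) and the pair in the first post show the ACL text, but what matters for security is which bits an access check actually grants. The Python below is an added example written for this thread, not code from the posts or from ZFS: it parses getfacl(1) long-form output, skips inherit_only entries (flag "i", which only shape children) and walks the remaining ACEs in order, first match per bit, which is how NFSv4 ACLs are evaluated. Run on the listings from this post it shows dir1 granting the group rwxp while dir2 grants it only r-x; the six trailing entries on dir2 are the trivial ACL for mode 0755 seen on homeData in the first post, which is consistent with a chmod(2) to the source's mode being applied after the directory was created, the step a cross-filesystem mv performs (it copies, preserving mode, then removes) and a plain mkdir does not. The requester classes ("owner", "group", "other") are an assumption of this example: a real owner who is also in the directory's group would match group@ ACEs as well.

```python
"""Effective-access check for NFSv4 ACLs, from getfacl(1) long-form output.

Assumed semantics (NFSv4 as ZFS evaluates it): ACEs are walked in order, each
bit is decided by the first ACE that names it for a matching principal,
inherit_only ACEs (flag "i") are skipped because they only shape children,
and a bit no ACE decides is denied. Requester classes are a simplification.
"""
from dataclasses import dataclass

PERM_LETTERS = "rwxpDdaARWcCos"   # bit order as getfacl prints it
REQUESTER_MATCHES = {             # assumption: owner is not in the group
    "owner": ("owner@", "everyone@"),
    "group": ("group@", "everyone@"),
    "other": ("everyone@",),
}

@dataclass(frozen=True)
class Ace:
    principal: str    # owner@ / group@ / everyone@ / user:name / group:name
    perms: frozenset  # letters from PERM_LETTERS that are set
    flags: str        # inheritance-flag column, e.g. "fdi---"
    kind: str         # "allow" or "deny"

def parse_getfacl(text):
    """Parse getfacl long-form output into Ace objects; '#' header lines are skipped."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        principal, perms, flags, kind = line.rsplit(":", 3)
        if kind not in ("allow", "deny") or len(perms) != len(PERM_LETTERS):
            raise ValueError("not an allow/deny ACE in long form: " + raw)
        aces.append(Ace(principal, frozenset(perms) - {"-"}, flags, kind))
    return aces

def effective_perms(aces, requester):
    """Bits granted to a requester class: the first ACE naming a bit decides it."""
    matching = REQUESTER_MATCHES[requester]
    decided = {}
    for ace in aces:
        if "i" in ace.flags or ace.principal not in matching:
            continue
        for bit in ace.perms:
            decided.setdefault(bit, ace.kind == "allow")
    return frozenset(bit for bit, allowed in decided.items() if allowed)

def perm_string(perms):
    return "".join(c if c in perms else "-" for c in PERM_LETTERS)  # getfacl notation

def access_summary(text):
    aces = parse_getfacl(text)
    return {who: perm_string(effective_perms(aces, who)) for who in REQUESTER_MATCHES}

def lost_access(reference_text, actual_text):
    """Bits each class holds on the reference object but lacks on the actual one."""
    ref, act = parse_getfacl(reference_text), parse_getfacl(actual_text)
    return {who: perm_string(effective_perms(ref, who) - effective_perms(act, who)) for who in REQUESTER_MATCHES}

# getfacl output for /testACL2/dir1 (mkdir) and /testACL2/dir2 (mkdir on UFS,
# then mv'd in), copied from the post above.
DIR1 = """\
            owner@:-------------s:fdi---:deny
            owner@:-------------s:------:deny
            owner@:rwxpDdaARWcCo-:fdi---:allow
            owner@:rwxpDdaARWcCo-:------:allow
            group@:-------------s:fdi---:deny
            group@:-------------s:------:deny
            group@:rwxpDdaARWcCo-:fdi---:allow
            group@:rwxpDdaARWcCo-:------:allow
         everyone@:-w-pDd-A-W-Co-:fdi---:deny
         everyone@:-w-pDd-A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:fdi---:allow
         everyone@:r-x---a-R-c--s:------:allow
"""
DIR2 = """\
            owner@:-------------s:fdi---:deny
            owner@:-------------s:------:deny
            owner@:rwxpDdaARWcCo-:fdi---:allow
            owner@:----DdaARWcCo-:------:allow
            group@:-------------s:fdi---:deny
            group@:-------------s:------:deny
            group@:rwxpDdaARWcCo-:fdi---:allow
            group@:----DdaARWcCo-:------:allow
         everyone@:-w-pDd-A-W-Co-:fdi---:deny
         everyone@:----Dd-A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:fdi---:allow
         everyone@:------a-R-c--s:------:allow
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow
"""

if __name__ == "__main__":
    print("dir1:", access_summary(DIR1))
    print("dir2:", access_summary(DIR2))
    print("lost on dir2 relative to dir1:", lost_access(DIR1, DIR2))
```

Paste the listings from the first post into the same functions to see the other face of the problem: there the parent denies everyone@ everything, yet the moved directory ends up granting r-x to the group and to everyone, because the appended mode entries are evaluated after the explicit entries whose rwxp bits were cleared.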
 