Chris Gerhard
2006-Oct-24 16:33 UTC
[zfs-discuss] chmod A=.... on ZFS != chmod A=... on UFS
I'm trying to create a directory hierarchy that whenever a file is created it is created mode 664 with directories 775.

Now I can do this with chmod to create the ACL on UFS and it behaves as expected; however, on ZFS it does not.

: pearson TS 68 $; mkdir ~/tmp/acl
: pearson TS 69 $; df -h ~/tmp/acl
Filesystem             size   used  avail capacity  Mounted on
tank/users/cjg         100G    22G    75G    23%    /tank/users/cjg
: pearson TS 70 $; mkdir /var/tmp/acl
: pearson TS 71 $; df -h /var/tmp/acl
Filesystem             size   used  avail capacity  Mounted on
/dev/md/dsk/d4         9.6G   4.7G   4.8G    50%    /
: pearson TS 72 $; chmod A=user::rwx,group::rwx,other:r-x,default:user::rwx,default:group::rwx,default:other:r-x,default:mask:rwx /var/tmp/acl /home/cjg/tmp/acl
: pearson TS 73 $;

So at this point should both have functionally identical ACLs?

If I now create a file in each directory I end up with different results:

: pearson TS 73 $; touch /var/tmp/acl/file ~/tmp/acl/file
: pearson TS 74 $; ls -l /var/tmp/acl/file ~/tmp/acl/file
-rw-r-----+  1 cjg      staff          0 Oct 24 17:25 /home/cjg/tmp/acl/file
-rw-rw-r--   1 cjg      staff          0 Oct 24 17:25 /var/tmp/acl/file
: pearson TS 75 $;
: pearson TS 75 $; ls -lV ~/tmp/acl/file
-rw-r-----+  1 cjg      staff          0 Oct 24 17:25 /home/cjg/tmp/acl/file
     owner@:-----DaA--c--s:------:allow
     owner@:--------------:------:deny
     group@:-------A---C--:------:deny
     group@:-----Da---c--s:------:allow
     group@:-------A---C--:------:deny
     everyone@:------a---c--s:------:allow
     everyone@:-----D-A---C--:------:deny
     owner@:--x-----------:------:deny
     owner@:rw-p---A-W-Co-:------:allow
     group@:-wxp----------:------:deny
     group@:r-------------:------:allow
     everyone@:rwxp---A-W-Co-:------:deny
     everyone@:------a-R-c--s:------:allow
: pearson TS 76 $;

So in the ZFS case I don't have what I wanted or expected.

Can you achieve the same results with the new ACLs?

This message posted from opensolaris.org
Mark Shellenbaum
2006-Oct-24 18:52 UTC
[zfs-discuss] chmod A=.... on ZFS != chmod A=... on UFS
Chris Gerhard wrote:
> I'm trying to create a directory hierarchy that whenever a file is created it is created mode 664 with directories 775.
>
> Now I can do this with chmod to create the ACL on UFS and it behaves as expected; however, on ZFS it does not.

So what exactly are you trying to accomplish by doing this?

ZFS always honors the umask and mode during file/dir creates. UFS ignores the umask when default ACLs are present. This is actually a POSIX violation in UFS.

If your desire is to allow certain users/groups to access/write to various files in the directory tree then you can use the various inheritance flags, such as "file_inherit, dir_inherit, inherit_only and no_propagate" to control how the permissions flow down the tree.

> : pearson TS 68 $; mkdir ~/tmp/acl
> : pearson TS 69 $; df -h ~/tmp/acl
> Filesystem             size   used  avail capacity  Mounted on
> tank/users/cjg         100G    22G    75G    23%    /tank/users/cjg
> : pearson TS 70 $; mkdir /var/tmp/acl
> : pearson TS 71 $; df -h /var/tmp/acl
> Filesystem             size   used  avail capacity  Mounted on
> /dev/md/dsk/d4         9.6G   4.7G   4.8G    50%    /
> : pearson TS 72 $; chmod A=user::rwx,group::rwx,other:r-x,default:user::rwx,default:group::rwx,default:other:r-x,default:mask:rwx /var/tmp/acl /home/cjg/tmp/acl
> : pearson TS 73 $;

Why are you trying to set a POSIX draft ACL on ZFS? What you end up with is an ACL that was translated from POSIX Draft -> ZFS/NFSv4.
Chris Gerhard
2006-Oct-24 20:47 UTC
[zfs-discuss] chmod A=.... on ZFS != chmod A=... on UFS
Mark Shellenbaum wrote:
> Chris Gerhard wrote:
>> I'm trying to create a directory hierarchy that whenever a file is
>> created it is created mode 664 with directories 775.
>>
>> Now I can do this with chmod to create the ACL on UFS and it behaves
>> as expected; however, on ZFS it does not.
>
> So what exactly are you trying to accomplish by doing this?

I want a file system that is shared by the group. Everything in the file system writable by the group no matter what the umask.

> ZFS always honors the umask and mode during file/dir creates. UFS
> ignores the umask when default ACLs are present. This is actually a
> POSIX violation in UFS.

Does this apply to mkdir as well? It does not seem to:

rwxrws---+  3 cg13442  users          4 Oct 24 21:09 .
     owner@:-------A-W-Co-:------:allow
     group@:rwxp--a---c---:-di---:allow
     group@:------a---c---:------:allow
     owner@:--------------:------:deny
     owner@:rwxp---A-W-Co-:------:allow
     group@:--------------:------:deny
     group@:rwxp----------:------:allow
     everyone@:rwxp---A-W-Co-:------:deny
     everyone@:------a-R-c--s:------:allow
: principia IA 39 $; umask 026
: principia IA 40 $; mkdir spam
: principia IA 41 $; ls -lVd spam
drwxrws--x+  2 cg13442  users          2 Oct 24 21:12 spam
     group@:rwxp--a---c---:-di---:allow
     group@:------a---c---:------:allow
     owner@:--------------:------:deny
     owner@:rwxp---A-W-Co-:------:allow
     group@:-w-p----------:------:deny
     group@:r-x-----------:------:allow
     everyone@:rw-p---A-W-Co-:------:deny
     everyone@:--x---a-R-c--s:------:allow
: principia IA 42 $;

> If your desire is to allow certain users/groups to access/write to
> various files in the directory tree then you can use the various
> inheritance flags, such as "file_inherit, dir_inherit, inherit_only and
> no_propagate" to control how the permissions flow down the tree.

It is; however, with the umask taking effect it prevents this, at least for files.

>> : pearson TS 68 $; mkdir ~/tmp/acl
>> : pearson TS 69 $; df -h ~/tmp/acl
>> Filesystem             size   used  avail capacity  Mounted on
>> tank/users/cjg         100G    22G    75G    23%    /tank/users/cjg
>> : pearson TS 70 $; mkdir /var/tmp/acl
>> : pearson TS 71 $; df -h /var/tmp/acl
>> Filesystem             size   used  avail capacity  Mounted on
>> /dev/md/dsk/d4         9.6G   4.7G   4.8G    50%    /
>> : pearson TS 72 $; chmod A=user::rwx,group::rwx,other:r-x,default:user::rwx,default:group::rwx,default:other:r-x,default:mask:rwx /var/tmp/acl /home/cjg/tmp/acl
>> : pearson TS 73 $;
>
> Why are you trying to set a POSIX draft ACL on ZFS? What you end up
> with is an ACL that was translated from POSIX Draft -> ZFS/NFSv4.

Because I know how to create the ACL with the old style ACLs and so was letting the system do the conversion for me.

--
Chris Gerhard.                               __o __o __o
Principal Engineer                        _`\<,`\<,`\<,_
Sun Microsystems Limited                 (*)/---/---/ (*)
Phone: +44 (0) 1252 426033 (ext 26033)   http://blogs.sun.com/chrisg
Mark Shellenbaum
2006-Oct-24 20:54 UTC
[zfs-discuss] chmod A=.... on ZFS != chmod A=... on UFS
Chris Gerhard wrote:
> Mark Shellenbaum wrote:
>> Chris Gerhard wrote:
>>> I'm trying to create a directory hierarchy that whenever a file is
>>> created it is created mode 664 with directories 775.
>>>
>>> Now I can do this with chmod to create the ACL on UFS and it behaves
>>> as expected; however, on ZFS it does not.
>>
>> So what exactly are you trying to accomplish by doing this?
>
> I want a file system that is shared by the group. Everything in the file
> system writable by the group no matter what the umask.

The simplest way to do something like that would be:

# zfs create pool/fs
# chmod A+group:<whatever>:<perms desired>:fd:allow pool/fs

Now every file/dir that is created under pool/fs will have an ACE prepended for the specific group.

To get more power out of this you may want to toggle the aclmode property to "passthrough" to prevent future chmod's from disabling various permissions.

-Mark
Peter Tribble
2006-Oct-27 22:04 UTC
[zfs-discuss] chmod A=.... on ZFS != chmod A=... on UFS
On 10/24/06, Mark Shellenbaum <Mark.Shellenbaum at sun.com> wrote:
> Chris Gerhard wrote:
>> I want a file system that is shared by the group. Everything in the file
>> system writable by the group no matter what the umask.
>
> The simplest way to do something like that would be:
>
> # zfs create pool/fs
> # chmod A+group:<whatever>:<perms desired>:fd:allow pool/fs

OK, so I tried this:

Create a directory.

% mkdir -m 770 a

Make everything be group writeable.

% chmod A+group@:rwxp:fd:allow a

Create a file.

% touch a/f

What permissions does it have?

% /bin/ls -ldV a/f
-rw-r--r--+  1 ptribble 5000           0 Oct 27 22:49 a/f
     group@:--------------:------:allow
     owner@:--x-----------:------:deny
     owner@:rw-p---A-W-Co-:------:allow
     group@:-wxp----------:------:deny
     group@:r-------------:------:allow
     everyone@:-wxp---A-W-Co-:------:deny
     everyone@:r-----a-R-c--s:------:allow

No. That doesn't work. For one thing, the file isn't group writable. For another, it's picked up an unnecessary ACL.

What is the syntax to create an ACL on a directory so that everything underneath is group-writable?

--
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
Mark Shellenbaum
2006-Oct-27 22:16 UTC
[zfs-discuss] chmod A=.... on ZFS != chmod A=... on UFS
Peter Tribble wrote:
> On 10/24/06, Mark Shellenbaum <Mark.Shellenbaum at sun.com> wrote:
>> Chris Gerhard wrote:
>>> I want a file system that is shared by the group. Everything in the file
>>> system writable by the group no matter what the umask.
>>
>> The simplest way to do something like that would be:
>>
>> # zfs create pool/fs
>> # chmod A+group:<whatever>:<perms desired>:fd:allow pool/fs
>
> OK, so I tried this:
>
> Create a directory.
>
> % mkdir -m 770 a
>
> Make everything be group writeable.
>
> % chmod A+group@:rwxp:fd:allow a

You can't use the abstractions owner@, group@, or everyone@; you need to specify an explicit group, such as:

$ chmod A+group:staff:rwx:fd:allow a
Peter Tribble
2006-Oct-27 22:36 UTC
[zfs-discuss] chmod A=.... on ZFS != chmod A=... on UFS
On 10/27/06, Mark Shellenbaum <Mark.Shellenbaum at sun.com> wrote:
> Peter Tribble wrote:
>> Make everything be group writeable.
>>
>> % chmod A+group@:rwxp:fd:allow a
>
> You can't use the abstractions owner@, group@, or everyone@; you need to
> specify an explicit group, such as:
>
> $ chmod A+group:staff:rwx:fd:allow a

Ugh. That's a horrid limitation. What are the chances of this being changed?

And how does this work with the 'other' permissions? I can't specify an explicit name with 'everyone:'.

--
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
Mark Shellenbaum
2006-Oct-27 23:03 UTC
[zfs-discuss] chmod A=.... on ZFS != chmod A=... on UFS
Peter Tribble wrote:
> On 10/27/06, Mark Shellenbaum <Mark.Shellenbaum at sun.com> wrote:
>> Peter Tribble wrote:
>>> Make everything be group writeable.
>>>
>>> % chmod A+group@:rwxp:fd:allow a
>>
>> You can't use the abstractions owner@, group@, or everyone@; you need to
>> specify an explicit group, such as:
>>
>> $ chmod A+group:staff:rwx:fd:allow a
>
> Ugh. That's a horrid limitation. What are the chances of this being
> changed?

It's tied in with the reconciliation of the mode. You need to just start thinking about things in a non-ufs way.

> And how does this work with the 'other' permissions? I can't
> specify an explicit name with 'everyone:'.

No, but you can specify a specific user.

chmod A+user:joe:rwxp:fd:allow a
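
Added example, not part of the original thread: a small Python check that reads `ls -V` compact ACE lines like the listings above and evaluates them top down, the first ACE that names a permission bit for a matching principal deciding that bit, to show what a group member really ends up with. The a/f listing is copied from the thread; the listing with a prepended group:staff ACE is constructed to show the assumed form of an inherited explicit-group entry, and the function names are this example's own.

```python
# Added example: evaluate Solaris `ls -V` compact ACEs in order, NFSv4-style.

def parse_aces(listing):
    """Return (who, perms, flags, kind) for each ACE line in `ls -V` output."""
    aces = []
    for line in listing.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 5 and parts[0] in ("user", "group"):
            who, rest = parts[0] + ":" + parts[1], parts[2:]   # user:joe, group:staff
        elif len(parts) == 4 and parts[0].endswith("@"):
            who, rest = parts[0], parts[1:]                    # owner@, group@, everyone@
        else:
            continue            # mode line, prompt, or anything else that is not an ACE
        perms, flags, kind = rest
        aces.append((who, {c for c in perms if c != "-"}, flags, kind))
    return aces

def effective(aces, principals, wanted="rwx"):
    """Walk ACEs top down; the first one naming a bit for a matching who decides it."""
    decided = {}
    for who, perms, flags, kind in aces:
        if who not in principals or "i" in flags:   # 'i' = inherit_only, not applied here
            continue
        for bit in perms:
            decided.setdefault(bit, kind == "allow")
    return "".join(b if decided.get(b) else "-" for b in wanted)

# Copied from the a/f listing in the thread.
THREAD_FILE = """\
-rw-r--r--+ 1 ptribble 5000 0 Oct 27 22:49 a/f
     group@:--------------:------:allow
     owner@:--x-----------:------:deny
     owner@:rw-p---A-W-Co-:------:allow
     group@:-wxp----------:------:deny
     group@:r-------------:------:allow
     everyone@:-wxp---A-W-Co-:------:deny
     everyone@:r-----a-R-c--s:------:allow
"""

# Constructed: the same ACL with an explicit group ACE prepended (assumed form).
CONSTRUCTED_FILE = "     group:staff:rwx-----------:------:allow\n" + THREAD_FILE

if __name__ == "__main__":
    print("group@ member:", effective(parse_aces(THREAD_FILE), {"group@", "everyone@"}))
    print("staff member: ", effective(parse_aces(CONSTRUCTED_FILE),
                                      {"group:staff", "group@", "everyone@"}))
```

Run over a whole tree's `ls -V` output, the same check flags files where the intended group write access was masked away at creation time.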