I have OSol 2009.06 (b111a), and I'm not sure I'm getting this ZFS ACL thing:

%whoami
abalfour
% ls -V file
----------+  1 abalfour root  1474560 May 11 18:43 file
            owner@:-w--d--A-W-C--:-------:deny

According to that ACL I shouldn't be able to write anything having to do with file, correct?

% cat >> file
zsh: permission denied: file
% mv file foo
mv: cannot rename file to foo: Permission denied
% rm file
rm: file: override protection 0 (yes/no)? y
rm: file not removed: Permission denied

So far, so good.

But then I can do this:

% chmod A=owner@:full_set:allow file
% ls -V file
-rwx------+  1 abalfour root  1474560 May 11 18:43 file
            owner@:rwxpdDaARWcCos:-------:allow
% rm file
%

I've tried this with all the aclmode values on the filesystem, and it's always the same behavior.

Am I missing something? Does the owner always have the ability to change the ACL to whatever they want?

Thanks,
Drew
Drew Balfour wrote:
> I have OSol 2009.06 (b111a), and I'm not sure I'm getting this ZFS ACL
> thing:
>
> %whoami
> abalfour
> % ls -V file
> ----------+  1 abalfour root  1474560 May 11 18:43 file
>             owner@:-w--d--A-W-C--:-------:deny
>
> According to that ACL I shouldn't be able to write anything having to do
> with file, correct?
>
> % cat >> file
> zsh: permission denied: file
> % mv file foo
> mv: cannot rename file to foo: Permission denied
> % rm file
> rm: file: override protection 0 (yes/no)? y
> rm: file not removed: Permission denied
>
> So far, so good.
>
> But then I can do this:
>
> % chmod A=owner@:full_set:allow file
> % ls -V file
> -rwx------+  1 abalfour root  1474560 May 11 18:43 file
>             owner@:rwxpdDaARWcCos:-------:allow
> % rm file
> %
>
> I've tried this with all the aclmode values on the filesystem, and it's
> always the same behavior.

aclmode has no bearing on that. It only comes into play during file creation or during a chmod operation.

> Am I missing something? Does the owner always have the ability to change
> the ACL to whatever they want?

Nope, the owner always has the ability to fix broken permissions on files. Otherwise the owner would be locked out of their own files.

Here is a similar example on UFS, but without an ACL.

$ touch file
$ chmod 000 file
$ echo this >file
/bin/ksh93: file: cannot create [Permission denied]
$ chmod 644 file
On May 21, 2009 11:08am, Mark Shellenbaum <Mark.Shellenbaum at sun.com> wrote:
> Nope, the owner always has the ability to fix broken permissions on
> files. Otherwise the owner would be locked out of their own files.

Nuts; that's what I was trying to do: lock owners into read/write without being able to delete.

Thanks for the info.

-Drew
abalfour at gmail.com wrote:
> On May 21, 2009 11:08am, Mark Shellenbaum <Mark.Shellenbaum at sun.com> wrote:
>
> > Nope, the owner always has the ability to fix broken permissions on
> > files. Otherwise the owner would be locked out of their own files.
>
> Nuts; that's what I was trying to do: lock owners into read/write
> without being able to delete.

If you want to prevent deletion then you can always use the nounlink attribute.

# chmod S+cu <file>

> Thanks for the info.
>
> -Drew
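The following script is an added example, not code posted in this thread. It reproduces the two findings above in one place: Mark's point that an owner can always repair the permissions on a file they own (first as a plain mode-000 file, which runs on any POSIX system, then as the ZFS owner@ deny ACE from Drew's post, which the owner can overwrite with chmod A= even though the ACE denies write_acl), and Mark's suggested fix, the nounlink system attribute set with chmod S+cu, which is what actually makes rm fail. The ZFS and nounlink parts assume the current directory is a ZFS dataset on illumos or Solaris and that the Solaris chmod (A= ACL syntax, S+cu attribute syntax) is in PATH; on a system whose chmod lacks that syntax those functions report "unsupported" instead of failing. File names such as acl_demo.$$ are arbitrary.

```shell
#!/bin/sh
# Added example for the zfs-discuss thread above; not the list's own code.
# Assumes: cwd on a ZFS dataset, illumos/Solaris chmod in PATH for the
# ACL and nounlink functions. The mode-000 function is portable POSIX sh.

# Portable: the owner of a mode-000 file can still chmod it back.
# Prints "<write-result> <mode>", e.g. "denied -rw-r--r--". The write is
# only denied for a non-root user (root has DAC override); the chmod
# back to 644 succeeds for the owner in either case.
owner_can_restore_mode() {
    d=$(mktemp -d) || return 0
    : > "$d/f"
    chmod 000 "$d/f"
    if ( : >> "$d/f" ) 2>/dev/null; then w=allowed; else w=denied; fi
    chmod 644 "$d/f" 2>/dev/null || :
    mode=$(ls -l "$d/f" | cut -c1-10)
    rm -rf "$d"
    echo "$w $mode"
    return 0
}

# ZFS ACL: install only the deny ACE from the original post
# (owner@:-w--d--A-W-C--:deny, spelled out in verbose form), then
# replace the whole ACL as the owner, exactly as Drew did.
# Prints "write-<denied|allowed>,reset-<ok|denied>", or "unsupported"
# when chmod does not understand the A= syntax.
acl_deny_is_owner_reversible() {
    f=./acl_demo.$$
    : > "$f"
    if ! chmod A=owner@:write_data/delete/write_attributes/write_xattr/write_acl:deny "$f" 2>/dev/null; then
        rm -f "$f"
        echo unsupported
        return 0
    fi
    if ( : >> "$f" ) 2>/dev/null; then w=allowed; else w=denied; fi
    if chmod A=owner@:full_set:allow "$f" 2>/dev/null; then r=ok; else r=denied; fi
    rm -f "$f" 2>/dev/null || :
    echo "write-$w,reset-$r"
    return 0
}

# Solaris system attribute: nounlink (chmod S+cu) blocks rm until the
# attribute is cleared again with chmod S-cu.
# Prints "rm-blocked" or "rm-succeeded", or "unsupported".
nounlink_blocks_rm() {
    f=./nounlink_demo.$$
    : > "$f"
    if ! chmod S+cu "$f" 2>/dev/null; then
        rm -f "$f"
        echo unsupported
        return 0
    fi
    if rm -f "$f" 2>/dev/null && [ ! -e "$f" ]; then
        echo rm-succeeded
    else
        echo rm-blocked
        chmod S-cu "$f" && rm -f "$f"   # clear the attribute, then delete
    fi
    return 0
}

echo "mode-000 file, owner chmod back:        $(owner_can_restore_mode)"
echo "owner@ deny ACE, then chmod A= as owner: $(acl_deny_is_owner_reversible)"
echo "nounlink (chmod S+cu), then rm:          $(nounlink_blocks_rm)"
```

On illumos or Solaris the expected lines are "denied -rw-r--r--", "write-denied,reset-ok" and "rm-blocked"; the middle result is the behaviour Drew observed, and the last one is the effect of Mark's nounlink suggestion. The deny ACE includes write_acl, so this also shows that denying write_acl to owner@ does not stop the owner from running chmod.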