I have OSol 2009.06 (b111a), and I''m not sure I''m getting this
ZFS ACL
thing:
%whoami
abalfour
% ls -V file
----------+ 1 abalfour root 1474560 May 11 18:43 file
owner@:-w--d--A-W-C--:-------:deny
according to that ACL I shouldn''t be able to write anything having to
do
with file, correct?
% cat >> file
zsh: permission denied: file
% mv file foo
mv: cannot rename file to foo: Permission denied
% rm file
rm: file: override protection 0 (yes/no)? y
rm: file not removed: Permission denied
So far, so good.
But then I can do this:
% chmod A=owner@:full_set:allow file
% ls -V file
-rwx------+ 1 abalfour root 1474560 May 11 18:43 file
owner@:rwxpdDaARWcCos:-------:allow
% rm file
%
I''ve tried this with all the aclmode values on the filesystem, and
it''s
always the same behavior.
Am I missing something? Does the owner always have the ability to change the
ACL to whatever they want?
Thanks,
Drew
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/zfs-discuss/attachments/20090520/f55fdcfe/attachment.html>
Drew Balfour wrote:> I have OSol 2009.06 (b111a), and I''m not sure I''m getting this ZFS ACL > thing: > > %whoami > abalfour > % ls -V file > ----------+ 1 abalfour root 1474560 May 11 18:43 file > owner@:-w--d--A-W-C--:-------:deny > > according to that ACL I shouldn''t be able to write anything having to do > with file, correct? > > % cat >> file > zsh: permission denied: file > % mv file foo > mv: cannot rename file to foo: Permission denied > % rm file > rm: file: override protection 0 (yes/no)? y > rm: file not removed: Permission denied > > So far, so good. > > But then I can do this: > > % chmod A=owner@:full_set:allow file > % ls -V file > -rwx------+ 1 abalfour root 1474560 May 11 18:43 file > owner@:rwxpdDaARWcCos:-------:allow > % rm file > % > > I''ve tried this with all the aclmode values on the filesystem, and it''s > always the same behavior. >aclmode has no bearing on that. that only comes into play during file creation or during a chmod operation.> Am I missing something? Does the owner always have the ability to change > the ACL to whatever they want? >Nope, the owner always has the ability to fix broken permissions on files. Otherwise the owner would be locked out of their own files. Here is a similar example on UFS, but without an ACL. $ touch file $ chmod 000 file $ echo this >file /bin/ksh93: file: cannot create [Permission denied] $ chmod 644 file
On May 21, 2009 11:08am, Mark Shellenbaum <Mark.Shellenbaum at sun.com> wrote:> Nope, the owner always has the ability to fix broken permissions on > files. Otherwise the owner would be locked out of their own files.Nuts; That''s what I was trying to do; lock owners into read/write without being able to delete. Thanks for the info. -Drew -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.opensolaris.org/pipermail/zfs-discuss/attachments/20090521/9da03e44/attachment.html>
abalfour at gmail.com wrote:> On May 21, 2009 11:08am, Mark Shellenbaum <Mark.Shellenbaum at sun.com> wrote: > > > Nope, the owner always has the ability to fix broken permissions on > files. Otherwise the owner would be locked out of their own files. > > Nuts; That''s what I was trying to do; lock owners into read/write > without being able to delete. >If you want to prevent deletion then you can always use the nounlink attribute. # chmod S+cu <file>> Thanks for the info. > > -Drew