Here's a little test. I add an allow ACL to a new directory that should propagate to sub-folders and files. When I create a new file, the file inherits the ACL, but also gets a deny ACL in front of the allowed ACL. What's going on here?

vault:/pool/home/wcerich/sample#ls -al
total 12
drwxr-xr-x 2 root root 2 Jan 7 13:07 .
drwx------ 5 wcerich sys 11 Jan 7 13:07 ..
vault:/pool/home/wcerich/sample#mkdir dir
vault:/pool/home/wcerich/sample#chmod A+group:sys:rwxpaD:df:allow dir
vault:/pool/home/wcerich/sample#ls -dV dir
drwxr-xr-x+ 2 root root 2 Jan 7 13:08 dir
group:sys:rwxp-Da-------:fd----:allow
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
vault:/pool/home/wcerich/sample#touch dir/somefile
vault:/pool/home/wcerich/sample#ls -lV dir/somefile
-rw-r--r--+ 1 root root 0 Jan 7 13:09 dir/somefile
group:sys:-wxp----------:------:deny
group:sys:rwxp-Da-------:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
vault:/pool/home/wcerich/sample#

This message posted from opensolaris.org
Mark Shellenbaum
2007-Jan-07 20:41 UTC
[zfs-discuss] Can someone explain this acl behavior?
Eric Hill wrote:
> Here's a little test. I add an allow ACL to a new directory that should propagate to sub-folders and files. When I create a new file, the file inherits the ACL, but also gets a deny ACL in front of the allowed ACL. What's going on here?
>

The deny is inserted to maintain POSIX semantics. This behavior can be changed via the "aclmode" property. The default property value of "groupmask" reduces the effective permissions of user/group entries to be no greater than the permissions of the owning group.

If you set the aclmode mode property to passthrough, then the deny entries won't be inserted.

This is discussed in the zfs(1m). Look at the description for aclmode. There is a companion property aclinherit which controls inheritance behavior.

-Mark

> vault:/pool/home/wcerich/sample#ls -al
> total 12
> drwxr-xr-x 2 root root 2 Jan 7 13:07 .
> drwx------ 5 wcerich sys 11 Jan 7 13:07 ..
> vault:/pool/home/wcerich/sample#mkdir dir
> vault:/pool/home/wcerich/sample#chmod A+group:sys:rwxpaD:df:allow dir
> vault:/pool/home/wcerich/sample#ls -dV dir
> drwxr-xr-x+ 2 root root 2 Jan 7 13:08 dir
> group:sys:rwxp-Da-------:fd----:allow
> owner@:--------------:------:deny
> owner@:rwxp---A-W-Co-:------:allow
> group@:-w-p----------:------:deny
> group@:r-x-----------:------:allow
> everyone@:-w-p---A-W-Co-:------:deny
> everyone@:r-x---a-R-c--s:------:allow
> vault:/pool/home/wcerich/sample#touch dir/somefile
> vault:/pool/home/wcerich/sample#ls -lV dir/somefile
> -rw-r--r--+ 1 root root 0 Jan 7 13:09 dir/somefile
> group:sys:-wxp----------:------:deny
> group:sys:rwxp-Da-------:------:allow
> owner@:--x-----------:------:deny
> owner@:rw-p---A-W-Co-:------:allow
> group@:-wxp----------:------:deny
> group@:r-------------:------:allow
> everyone@:-wxp---A-W-Co-:------:deny
> everyone@:r-----a-R-c--s:------:allow
> vault:/pool/home/wcerich/sample#
>
>
> This message posted from opensolaris.org
> _______________________________________________
> zfs-discuss mailing list
> zfs-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
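
The groupmask behaviour described in the reply above, as an added example that is not part of the original thread and not ZFS code: a simplified Python model that reproduces the inserted deny entry from the file's mode and compares effective permissions with and without it. The function names, the restriction to the r/w/x/p bits, and the principal set (a member of sys who is neither the owner nor in group root) are assumptions made for illustration.

```python
# Simplified model (an assumption, not ZFS source) of aclmode=groupmask.
PERM_ORDER = "rwxpdDaARWcCos"  # column order of the 14-char field printed by ls -V

# ACL of dir/somefile, copied from the ls -lV output in the thread.
FILE_ACL_TEXT = """\
group:sys:-wxp----------:------:deny
group:sys:rwxp-Da-------:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
"""

def parse_acl(text):
    """Split each entry into (who, permission set, 'allow' or 'deny')."""
    acl = []
    for line in text.split():
        parts = line.split(":")
        acl.append((":".join(parts[:-3]), set(parts[-3]) - {"-"}, parts[-1]))
    return acl

def fmt(perms):
    """Render a permission set back into the 14-character ls -V field."""
    return "".join(c if c in perms else "-" for c in PERM_ORDER)

def groupmask_deny(allow_field, mode):
    """Deny field for an explicit user/group allow entry, given the file mode."""
    bits = (mode >> 3) & 0o7  # owning-group rwx bits of the mode
    permitted = set()
    for bit, letters in ((4, "r"), (2, "wp"), (1, "x")):  # append follows write
        if bits & bit:
            permitted |= set(letters)
    return fmt(((set(allow_field) - {"-"}) & set("rwxp")) - permitted)

def effective(acl, principals):
    """Walk entries in order; the first matching entry naming a permission decides it."""
    granted, decided = set(), set()
    for who, perms, kind in acl:
        if who in principals:
            new = perms - decided
            if kind == "allow":
                granted |= new
            decided |= new
    return fmt(granted)

if __name__ == "__main__":
    acl, member = parse_acl(FILE_ACL_TEXT), {"group:sys", "everyone@"}
    print(groupmask_deny("rwxp-Da-------", 0o644))  # deny entry for mode rw-r--r--
    print(effective(acl, member))                   # with the inserted deny
    print(effective(acl[1:], member))               # deny removed (passthrough case)
```

The second and third results show what the inserted deny costs a sys member on this file: write, execute and append are masked to match the owning group's `r--` bits, while the inherited D and a permissions survive.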