Gavin Maltby
2007-Apr-24 08:37 UTC
[zfs-discuss] zfs submounts and permissions with autofs
Hi,
Is it expected that if I have filesystem tank/foo and tank/foo/bar
(mounted under /tank) then in order to be able to browse via
/net down into tank/foo/bar I need to have group/other permissions
on /tank/foo open?
# zfs create tank/foo
# zfs create tank/foo/bar
# chown gavinm /tank/foo /tank/foo/bar
# zfs set sharenfs=rw tank/foo
# ls -laR /tank/foo
/tank/foo:
total 9
drwxr-xr-x 3 gavinm sys 3 Apr 24 00:24 .
drwxr-xr-x 9 root sys 9 Apr 24 00:23 ..
drwxr-xr-x 2 gavinm sys 2 Apr 24 00:24 bar
/tank/foo/bar:
total 6
drwxr-xr-x 2 gavinm sys 2 Apr 24 00:24 .
drwxr-xr-x 3 gavinm sys 3 Apr 24 00:24 ..
Note that the perms on /tank/foo are 755 at this point. Now
browse via /net down to the 'bar' level from some nfs client:
(gavinm at gift:~ )-> cd /net/TB3.UK.SUN.COM
(gavinm at gift:/net/TB3.UK.SUN.COM )-> cd tank/foo
(gavinm at gift:/net/TB3.UK.SUN.COM/tank/foo )-> df -h .
Filesystem size used avail capacity Mounted on
TB3.UK.SUN.COM:/tank/foo
401G 25K 401G 1%
/net/TB3.UK.SUN.COM/tank/foo
(gavinm at gift:/net/TB3.UK.SUN.COM/tank/foo )-> cd bar
(gavinm at gift:/net/TB3.UK.SUN.COM/tank/foo/bar )-> df -h .
Filesystem size used avail capacity Mounted on
TB3.UK.SUN.COM:/tank/foo/bar
401G 24K 401G 1%
/net/TB3.UK.SUN.COM/tank/foo/bar
So I am, as expected, in the tank/foo/bar filesystem.
But now change permissions on /tank/foo so that only I can access it:
# chmod 700 /tank/foo
# ls -laR /tank/foo
/tank/foo:
total 9
drwx------ 3 gavinm sys 3 Apr 24 00:24 .
drwxr-xr-x 9 root sys 9 Apr 24 00:23 ..
drwxr-xr-x 2 gavinm sys 2 Apr 24 00:24 bar
/tank/foo/bar:
total 6
drwxr-xr-x 2 gavinm sys 2 Apr 24 00:24 .
drwx------ 3 gavinm sys 3 Apr 24 00:24 ..
And now I cannot browse into filesystem tank/foo/bar, only into
the mountpoint directory (different capitalisation below to
trigger new automounts under /net):
(gavinm at gift:/net/TB3.UK.SUN.COM/tank/foo/bar )-> cd /net/TB3.uk.SUN.COM
(gavinm at gift:/net/TB3.uk.SUN.COM )-> cd tank/foo
(gavinm at gift:/net/TB3.uk.SUN.COM/tank/foo/bar )-> df -h .
Filesystem size used avail capacity Mounted on
TB3.uk.SUN.COM:/tank/foo
401G 25K 401G 1%
/net/TB3.uk.SUN.COM/tank/foo
Thanks
Gavin
Mark Shellenbaum
2007-Apr-24 14:30 UTC
[zfs-discuss] zfs submounts and permissions with autofs
Gavin Maltby wrote:
> Hi,
>
> Is it expected that if I have filesystem tank/foo and tank/foo/bar
> (mounted under /tank) then in order to be able to browse via
> /net down into tank/foo/bar I need to have group/other permissions
> on /tank/foo open?
>

You are running into bug:
4697677 permissions of underlying directory affect permissions of mount point

> # zfs create tank/foo
> # zfs create tank/foo/bar
> # chown gavinm /tank/foo /tank/foo/bar
> # zfs set sharenfs=rw tank/foo
>
> # ls -laR /tank/foo
> /tank/foo:
> total 9
> drwxr-xr-x 3 gavinm sys 3 Apr 24 00:24 .
> drwxr-xr-x 9 root sys 9 Apr 24 00:23 ..
> drwxr-xr-x 2 gavinm sys 2 Apr 24 00:24 bar
>
> /tank/foo/bar:
> total 6
> drwxr-xr-x 2 gavinm sys 2 Apr 24 00:24 .
> drwxr-xr-x 3 gavinm sys 3 Apr 24 00:24 ..
>
> Note that the perms on /tank/foo are 755 at this point. Now
> browse via /net down to the 'bar' level from some nfs client:
>
> (gavinm at gift:~ )-> cd /net/TB3.UK.SUN.COM
> (gavinm at gift:/net/TB3.UK.SUN.COM )-> cd tank/foo
> (gavinm at gift:/net/TB3.UK.SUN.COM/tank/foo )-> df -h .
> Filesystem size used avail capacity Mounted on
> TB3.UK.SUN.COM:/tank/foo
> 401G 25K 401G 1%
> /net/TB3.UK.SUN.COM/tank/foo
> (gavinm at gift:/net/TB3.UK.SUN.COM/tank/foo )-> cd bar
>
> (gavinm at gift:/net/TB3.UK.SUN.COM/tank/foo/bar )-> df -h .
> Filesystem size used avail capacity Mounted on
> TB3.UK.SUN.COM:/tank/foo/bar
> 401G 24K 401G 1%
> /net/TB3.UK.SUN.COM/tank/foo/bar
>
> So I am, as expected, in the tank/foo/bar filesystem.
>
> But now change permissions on /tank/foo so that only I can access it:
>
> # chmod 700 /tank/foo
>
> # ls -laR /tank/foo
> /tank/foo:
> total 9
> drwx------ 3 gavinm sys 3 Apr 24 00:24 .
> drwxr-xr-x 9 root sys 9 Apr 24 00:23 ..
> drwxr-xr-x 2 gavinm sys 2 Apr 24 00:24 bar
>
> /tank/foo/bar:
> total 6
> drwxr-xr-x 2 gavinm sys 2 Apr 24 00:24 .
> drwx------ 3 gavinm sys 3 Apr 24 00:24 ..
>
> And now I cannot browse into filesystem tank/foo/bar, only into
> the mountpoint directory (different capitalisation below to
> trigger new automounts under /net):
>
> (gavinm at gift:/net/TB3.UK.SUN.COM/tank/foo/bar )-> cd /net/TB3.uk.SUN.COM
> (gavinm at gift:/net/TB3.uk.SUN.COM )-> cd tank/foo
> (gavinm at gift:/net/TB3.uk.SUN.COM/tank/foo/bar )-> df -h .
> Filesystem size used avail capacity Mounted on
> TB3.uk.SUN.COM:/tank/foo
> 401G 25K 401G 1%
> /net/TB3.uk.SUN.COM/tank/foo
>
> Thanks
>
> Gavin
On 4/24/07, Mark Shellenbaum <Mark.Shellenbaum at sun.com> wrote:
> > Is it expected that if I have filesystem tank/foo and tank/foo/bar
> > (mounted under /tank) then in order to be able to browse via
> > /net down into tank/foo/bar I need to have group/other permissions
> > on /tank/foo open?
> >
>
> You are running into bug:
> 4697677 permissions of underlying directory affect permissions of mount
> point

And this is particularly annoying in ZFS when it creates a previously
non-existent mountpoint when you have a umask of 077. I played with the
code and inserted umask(0); at
http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libzfs/common/libzfs_mount.c#248
It is a hack but it doesn't seem to affect anything else.

--
Just me,
Wire ...
Blog: <prstat.blogspot.com>
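
Added example, not code from libzfs or from any poster in this thread: it shows the mode a mountpoint directory ends up with when it is created under a umask of 077, with a `umask(0);` call inserted before the mkdir, and with a variant that restores the mask afterwards, together with the mask left in force in each case. The helper `make_mountpoint`, the `/tmp` scratch paths and the requested mode 0755 are assumptions made for illustration.

```c
/* Added example (hypothetical helpers, not libzfs code): how the process
 * umask decides the mode of a newly created mountpoint directory. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum variant { INHERIT, CLEAR_UMASK, SCOPED_UMASK };
struct result { int mode; int mask_after; };   /* mode == -1 means error */

static int current_umask(void)    /* umask() can only be read by setting it */
{
    mode_t m = umask(0);
    umask(m);
    return (int)m;
}

/* Create p asking for 0755 under a caller umask of 077 (constructed
 * scenario) and report the stored mode and the mask left in force. */
struct result make_mountpoint(const char *p, enum variant v)
{
    struct result r = { -1, 0 };
    struct stat st;
    mode_t original = umask(077), saved = 077;
    if (v != INHERIT)
        saved = umask(0);             /* the one-line change from the post */
    if (mkdir(p, 0755) == 0 && stat(p, &st) == 0)
        r.mode = (int)(st.st_mode & 0777);    /* kernel stored 0755 & ~umask */
    if (v == SCOPED_UMASK)
        umask(saved);                 /* put the caller's 077 back */
    r.mask_after = current_umask();
    rmdir(p);
    umask(original);                  /* leave the real process mask as found */
    return r;
}

int main(void)
{
    const char *names[] = { "inherit", "umask(0)", "scoped" };
    char path[64];
    snprintf(path, sizeof path, "/tmp/mnt_demo_%ld", (long)getpid());
    for (int v = INHERIT; v <= SCOPED_UMASK; v++) {
        struct result r = make_mountpoint(path, (enum variant)v);
        printf("%-9s mode=%04o umask afterwards=%03o\n", names[v], r.mode, r.mask_after);
    }
    return 0;
}
```

The umask is process-wide, so the `mask_after` column is the value every later `open()` or `mkdir()` in the same process would be created under.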