zfs discuss - Feb 2009 - posix acl migration to zfs acl''s

Hello All,

I''m in the process of migrating a file server from Solaris 9, where
we''re making extensive use of POSIX-ACLs, to ZFS and I have a question
that I''m hoping someone can clear up for me. I''m using
ufsrestore to
restore the data to the ZFS file system so the ACLs are converted to
NFSv4 style ACLs and everything looks good. But when I inspect the
converted ZFS-ACLs it looks to me like there are additional and
redundant ACLs, specifically those converted from the POSIX-ACL mask value.

In the case I''m looking at the POSIX-ACL being converted on the
directory is as follows:

# file: test_dir1
# owner: root
# group: group_1
user::rwx
group::r-x              #effective:r-x
group:group_2:r-x                #effective:r-x
mask:rwx
other:---

Once the directory is restored to the ZFS file system the ACLs have been
converted to the following:

drwxr-x---+  2 root     group_1       2 Feb 20 15:00 test_dir1
            owner@:rwxp-DaA--cC-s:------:allow
            owner@:--------------:------:deny
            group@:-------A---C--:------:deny
            group@:r-x---a---c--s:------:allow
      group:group_2:-------A---C--:------:deny
      group:group_2:r-x---a---c--s:------:allow
            group@:-w-p-D-A---C--:------:deny
      group:group_2:-w-p-D-A---C--:------:deny
         everyone@:------a---c--s:------:allow
         everyone@:rwxp-D-A---C--:------:deny

The ACLs that I''m questioning the need for are:

	group@:-------A---C--:------:deny
	group:group_2:-------A---C--:------:deny

Wouldn''t these 2 ACLs be covered by the other group deny ACLs?

	group@:-------A---C--:------:deny
	group@:-w-p-D-A---C--:------:deny
	and
	group:group_2:-------A---C--:------:deny
	group:group_2:-w-p-D-A---C--:------:deny

It would seem to me that the converted POSIX-ACL mask are unnecessary.

Regards,

-- 
Darin Perusich
Unix Systems Administrator
Cognigen Corporation
395 Youngs Rd.
Williamsville, NY 14221
Phone: 716-633-3463
Email: darinper at cognigencorp.com

On Fri, Feb 20, 2009 at 2:59 PM, Darin Perusich
<Darin.Perusich at cognigencorp.com> wrote:
> Hello All,
>
> I''m in the process of migrating a file server from Solaris 9,
where
> we''re making extensive use of POSIX-ACLs, to ZFS and I have a
question
> that I''m hoping someone can clear up for me. I''m using
ufsrestore to
> restore the data to the ZFS file system so the ACLs are converted to
> NFSv4 style ACLs and everything looks good. But when I inspect the
> converted ZFS-ACLs it looks to me like there are additional and
> redundant ACLs, specifically those converted from the POSIX-ACL mask value.
>
> In the case I''m looking at the POSIX-ACL being converted on the
> directory is as follows:
>
> # file: test_dir1
> # owner: root
> # group: group_1
> user::rwx
> group::r-x              #effective:r-x
> group:group_2:r-x                #effective:r-x
> mask:rwx
> other:---
>
> Once the directory is restored to the ZFS file system the ACLs have been
> converted to the following:
>
> drwxr-x---+  2 root     group_1       2 Feb 20 15:00 test_dir1
>            owner@:rwxp-DaA--cC-s:------:allow
>            owner@:--------------:------:deny
>            group@:-------A---C--:------:deny
>            group@:r-x---a---c--s:------:allow
>      group:group_2:-------A---C--:------:deny
>      group:group_2:r-x---a---c--s:------:allow
>            group@:-w-p-D-A---C--:------:deny
>      group:group_2:-w-p-D-A---C--:------:deny
>         everyone@:------a---c--s:------:allow
>         everyone@:rwxp-D-A---C--:------:deny
>
> The ACLs that I''m questioning the need for are:
>
>        group@:-------A---C--:------:deny
>        group:group_2:-------A---C--:------:deny
>
> Wouldn''t these 2 ACLs be covered by the other group deny ACLs?
>
>        group@:-------A---C--:------:deny
>        group@:-w-p-D-A---C--:------:deny
>        and
>        group:group_2:-------A---C--:------:deny
>        group:group_2:-w-p-D-A---C--:------:deny
>
> It would seem to me that the converted POSIX-ACL mask are unnecessary.
>
> Regards,
>
> --
> Darin Perusich
> Unix Systems Administrator
> Cognigen Corporation
> 395 Youngs Rd.
> Williamsville, NY 14221
> Phone: 716-633-3463
> Email: darinper at cognigencorp.com
> _______________________________________________
> zfs-discuss mailing list
> zfs-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
>
Take a look at the aclmode and aclinherit properties of the filesystem
(they''re in the zfs manpage).  I know I found the defaults to be
rather surprising (and was pulling what little hair I had out until I
discovered them when trying to get ACLs working on ZFS).

Jason,

Jason King wrote:
> On Fri, Feb 20, 2009 at 2:59 PM, Darin Perusich
> 
> Take a look at the aclmode and aclinherit properties of the filesystem
> (they''re in the zfs manpage).  I know I found the defaults to be
> rather surprising (and was pulling what little hair I had out until I
> discovered them when trying to get ACLs working on ZFS).
The converted ZFS ACLs are working as expected so it isn''t a question
of
whether or not the aclmode and aclinherit are properly set but are these
extra ACLs redundant.

Thanks for mentioned the inheritance flags as it prompted me to read the
docs.

-- 
Darin Perusich
Unix Systems Administrator
Cognigen Corporation
395 Youngs Rd.
Williamsville, NY 14221
Phone: 716-633-3463
Email: darinper at cognigencorp.com