Thomas Fili
2009-Jun-22 12:16 UTC
[zfs-discuss] Creating ZFS filesystem with inherited ACLs ?
Hi @all,

with ZFS it's recommended to create a new filesystem, for example for each user, to give them a home directory.

So far, so good. The homes should be under tank/export/home/staff and my intention is to restrict the ACL rights so only the user himself can access his own home directory.

I studied the ZFS Admin Guide and found the aclmode and aclinherit options; IMHO the following configuration fits my wishes / needs:

zfs set aclmode=discard tank/export/home/staff
zfs set aclinherit=passthrough-x tank/export/home/staff

Now I set the ACLs on the staff directory:

/bin/chmod A=owner@:rwxp---A-W-Cos:-------:allow /export/home/staff
/bin/chmod A1+owner@:rwxp---A-W-Cos:fdi----:allow /export/home/staff
/bin/chmod A2+group@:r-x---a-R-c--s:-------:allow /export/home/staff
/bin/chmod A3+everyone@:------a-R-c--s:fdi----:allow /export/home/staff
/bin/chmod A4+everyone@:------a-R-c--s:-------:allow /export/home/staff

Creating a "normal" directory results in the expected mode:

mkdir /export/home/staff/userx

/bin/ls -Vd /export/home/staff/userx

drwx------+ 2 root root 2 Jun 22 09:27 /export/home/staff/userx
owner@:rwxp---A-W-Cos:fdi---I:allow
owner@:rwxp---A-W-Cos:------I:allow
everyone@:------a-R-c--s:fdi---I:allow
everyone@:------a-R-c--s:------I:allow

But when creating a new filesystem the ACL stays unchanged:

zfs create tank/export/home/staff/usery

/bin/ls -Vd /export/home/staff/usery

drwxr-xr-x 2 root root 2 Jun 22 09:40 /export/home/staff/usery
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow

I played around with aclmode and aclinherit, but creating a new zfs filesystem always results in the same ACL.

Is this the intended behavior by the developers of ZFS? Or is there any possibility to create a filesystem considering inherited ACLs?

Thomas
--
This message posted from opensolaris.org
Mark Shellenbaum
2009-Jun-22 14:13 UTC
[zfs-discuss] Creating ZFS filesystem with inherited ACLs ?
Thomas Fili wrote:
> Hi @all,
>
> with ZFS it's recommended to create a new filesystem, for example for each user, to give them a home directory.
>
> So far, so good. The homes should be under tank/export/home/staff and my intention is to restrict the ACL rights so only the user himself can access his own home directory.
>
> I studied the ZFS Admin Guide and found the aclmode and aclinherit options; IMHO the following configuration fits my wishes / needs:
>
> zfs set aclmode=discard tank/export/home/staff
> zfs set aclinherit=passthrough-x tank/export/home/staff
>
> Now I set the ACLs on the staff directory:
>
> /bin/chmod A=owner@:rwxp---A-W-Cos:-------:allow /export/home/staff
> /bin/chmod A1+owner@:rwxp---A-W-Cos:fdi----:allow /export/home/staff
> /bin/chmod A2+group@:r-x---a-R-c--s:-------:allow /export/home/staff
> /bin/chmod A3+everyone@:------a-R-c--s:fdi----:allow /export/home/staff
> /bin/chmod A4+everyone@:------a-R-c--s:-------:allow /export/home/staff
>
> Creating a "normal" directory results in the expected mode:
>
> mkdir /export/home/staff/userx
>
> /bin/ls -Vd /export/home/staff/userx
>
> drwx------+ 2 root root 2 Jun 22 09:27 /export/home/staff/userx
> owner@:rwxp---A-W-Cos:fdi---I:allow
> owner@:rwxp---A-W-Cos:------I:allow
> everyone@:------a-R-c--s:fdi---I:allow
> everyone@:------a-R-c--s:------I:allow
>
> But when creating a new filesystem the ACL stays unchanged:
>
> zfs create tank/export/home/staff/usery
>
> /bin/ls -Vd /export/home/staff/usery
>
> drwxr-xr-x 2 root root 2 Jun 22 09:40 /export/home/staff/usery
> owner@:--------------:-------:deny
> owner@:rwxp---A-W-Co-:-------:allow
> group@:-w-p----------:-------:deny
> group@:r-x-----------:-------:allow
> everyone@:-w-p---A-W-Co-:-------:deny
> everyone@:r-x---a-R-c--s:-------:allow
>
> I played around with aclmode and aclinherit, but creating a new zfs filesystem always results in the same ACL.
>
> Is this the intended behavior by the developers of ZFS?

Currently no ACL inheritance takes place when a new file system is created. Feel free to open an RFE for this.

> Or is there any possibility to create a filesystem considering inherited ACLs?

It would be possible with some restrictions, such as: we must be inheriting the aclinherit/aclmode properties, the parent directory must also be a ZFS file system, and you must be using the default mount point.

> Thomas
Thomas Fili
2009-Jun-23 06:48 UTC
[zfs-discuss] Creating ZFS filesystem with inherited ACLs ?
Hi,

> Currently no ACL inheritance takes place when a new file system is
> created. Feel free to open an RFE for this.

Thank you for your reply ... Good to know about it, but it's really simple to write a small shell script that would create the home directory, change ownership and set the ACL depending on the user and group. On the other hand, I could not believe that no one noted this before ;) I'm sure the developers are aware of it, but many things are more important than this ...

Ok, I would like to ask about common procedures for the ACLs too, but I will create a new thread for this, maybe later ...

> It would be possible with some restrictions. Such as we must be
> inheriting the aclinherit/aclmode properties and the parent directory
> must also be a ZFS file system and you must be using the default mount
> point.

Hmm ... would be possible ??? These restrictions seemed to be harmless. For a test, I created tank/test and tank/test/home as zfs filesystems with the default mount point /tank. I set aclinherit/aclmode for tank/test so it would be inherited to tank/test/home. Then I set the ACL on tank/test, but the ACL was not inherited ... tank/test/home was certainly created after setting the ACLs ...

So I think actually it is not possible, but it might be possible in the future? Or had I misunderstood your comment?

Thomas
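The small script Thomas mentions, written out as an added example that is not from the thread: it creates the per-user dataset, hands it to the user and replaces the default trivial ACL with the owner-only ACL the thread ends up with on a plain mkdir. The mkhome name, the DRY_RUN switch and the argument layout are my assumptions; the zfs and /bin/chmod invocations are the Solaris ones used in the thread.

```shell
#!/bin/sh
# Added example, not Thomas's script: create a per-user ZFS home dataset,
# hand it to the user and replace the default ACL with one that lets only
# the owner in. Assumes Solaris zfs(1M) and the NFSv4 ACL syntax of
# /bin/chmod used in the thread. DRY_RUN=1 prints the commands instead.

DRY_RUN="${DRY_RUN:-0}"

# ACEs mirroring the ACL the thread gets on a plain mkdir under staff/:
# owner has everything, everyone else may only read attributes/ACL.
# "fd" makes both entries inherit to files and directories created inside.
OWNER_ACE='owner@:rwxp---A-W-Cos:fd-----:allow'
EVERYONE_ACE='everyone@:------a-R-c--s:fd-----:allow'

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mkhome PARENT_DATASET PARENT_MOUNTPOINT USER GROUP
#   e.g. mkhome tank/export/home/staff /export/home/staff userx staff
mkhome() {
    if [ "$#" -ne 4 ]; then
        echo 'usage: mkhome parent-dataset parent-mountpoint user group' >&2
        return 2
    fi
    parent_ds="$1"; parent_mp="$2"; user="$3"; group="$4"
    ds="$parent_ds/$user"
    # Mark's caveat applies: the path only lines up when the child keeps
    # its default mountpoint directly under the parent's directory.
    home="$parent_mp/$user"

    # 1. new dataset; aclmode/aclinherit are inherited from the parent
    run zfs create "$ds"
    # 2. ownership, so owner@ in the ACL resolves to the user
    run chown "$user:$group" "$home"
    # 3. replace (A=) the default trivial ACL with the two ACEs above
    run /bin/chmod "A=$OWNER_ACE,$EVERYONE_ACE" "$home"
}

# Run directly: ./mkhome.sh tank/export/home/staff /export/home/staff userx staff
if [ "$#" -eq 4 ]; then
    mkhome "$@"
fi
```

With DRY_RUN=1 the script only prints the three commands, which is a convenient way to review the ACL string before touching a live pool.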