Currently I'm still using OpenSolaris b134 and I had used the 'aclmode' property on my file systems. However, the aclmode property has been dropped now: http://arc.opensolaris.org/caselog/PSARC/2010/029/20100126_mark.shellenbaum

I'm wondering what will happen to the ACLs on these files and directories if I upgrade to a newer Solaris version (OpenIndiana b147 perhaps).

I'm sharing the file systems using CIFS.

I was using very simple ACLs like below for easy inheritance of ACLs, which worked OK for my needs.

    # zfs set aclinherit=passthrough tank/home/fred/projects
    # zfs set aclmode=passthrough tank/home/fred/projects
    # chmod A=\
    owner@:rwxpdDaARWcCos:fd-----:allow,\
    group@:rwxpdDaARWcCos:fd-----:allow,\
    everyone@:rwxpdDaARWcCos:fd-----:deny \
    /tank/home/fred/projects
    # chown fred:fred /tank/home/fred/projects
    # zfs set sharesmb=name=projects tank/home/fred/projects

Cheers,
Simon
--
This message posted from opensolaris.org

Any ideas anyone?

Hi Simon,

I don't think you will see much difference for these reasons:

1. The CIFS server ignores the aclinherit/aclmode properties.

2. Your aclinherit=passthrough setting overrides the aclmode property anyway.

3. The only difference is that if you use chmod on these files to manually change the permissions, you will lose the ACL values.

Thanks,
Cindy

On 09/29/10 13:09, Simon Breden wrote:
> Currently I'm still using OpenSolaris b134 and I had used the 'aclmode' property on my file systems. However, the aclmode property has been dropped now: http://arc.opensolaris.org/caselog/PSARC/2010/029/20100126_mark.shellenbaum
>
> I'm wondering what will happen to the ACLs on these files and directories if I upgrade to a newer Solaris version (OpenIndiana b147 perhaps).
>
> I'm sharing the file systems using CIFS.
>
> I was using very simple ACLs like below for easy inheritance of ACLs, which worked OK for my needs.
>
> # zfs set aclinherit=passthrough tank/home/fred/projects
> # zfs set aclmode=passthrough tank/home/fred/projects
> # chmod A=\
> owner@:rwxpdDaARWcCos:fd-----:allow,\
> group@:rwxpdDaARWcCos:fd-----:allow,\
> everyone@:rwxpdDaARWcCos:fd-----:deny \
> /tank/home/fred/projects
> # chown fred:fred /tank/home/fred/projects
> # zfs set sharesmb=name=projects tank/home/fred/projects
>
> Cheers,
> Simon

Hi Cindy,

That sounds very reassuring. Thanks a lot.

Simon

On Mon, Oct 04, 2010 at 04:30:05PM -0600, Cindy Swearingen wrote:
> Hi Simon,
>
> I don't think you will see much difference for these reasons:
>
> 1. The CIFS server ignores the aclinherit/aclmode properties.

Because CIFS/SMB has no chmod operation :)

> 2. Your aclinherit=passthrough setting overrides the aclmode
> property anyway.

aclinherit=passthrough-x is a better choice.

Also, aclinherit doesn't override aclmode. aclinherit applies on create and aclmode used to apply on chmod.

> 3. The only difference is that if you use chmod on these files
> to manually change the permissions, you will lose the ACL values.

Right. That only happens from NFSv3 clients [that don't instead edit the POSIX Draft ACL translated from the ZFS ACL], from non-Windows NFSv4 clients [that don't instead edit the ACL], and from local applications [that don't instead edit the ZFS ACL].

Nico
--

On Tue, 5 Oct 2010, Nicolas Williams wrote:
> Right. That only happens from NFSv3 clients [that don't instead edit the
> POSIX Draft ACL translated from the ZFS ACL], from non-Windows NFSv4
> clients [that don't instead edit the ACL], and from local applications
> [that don't instead edit the ZFS ACL].

You mean the vast majority of applications in existence ;)? Other than chmod(1) in Solaris, and nfs4_(get|set)_facl in Linux, can you name off the top of your head *any* other applications that grok ZFS/NFSv4 ACLs (as opposed to blindly chmod'ing stuff and breaking your access control <sigh>)? (and GUI front ends to chmod/(get_set)_facl don't count :) ).

I'm still waiting for the bug in Solaris chgrp that breaks ACLs to get fixed; I reported that last year sometime. And *that's* a core component of the Solaris OS itself; what's the chance of a timely response from a 3rd party vendor whose application doesn't play nicely with ACLs?

<broken record>
If only there was some way to keep applications from screwing up your ACLs with inappropriate uses of chmod...
</broken record>

--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768
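Added example, not part of the thread: a Python check for the case discussed above, where a plain chmod replaces a directory's ACL. It compares a compact `ls -V` style listing against the baseline ACL from Simon's post; the post-chmod listing (including its exact permission bits) and the function names are constructed for illustration.

```python
import re

# Baseline from Simon's post: the inheritable ACL set on the shared directory.
BASELINE = """\
owner@:rwxpdDaARWcCos:fd-----:allow
group@:rwxpdDaARWcCos:fd-----:allow
everyone@:rwxpdDaARWcCos:fd-----:deny
"""

# Constructed sample: compact `ls -V` style listing of the same directory after
# a plain chmod 750 replaced the ACL with mode-derived entries (bits illustrative).
AFTER_CHMOD = """\
drwxr-x---   2 fred     fred           2 Oct  5 10:00 /tank/home/fred/projects
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:r-x---a-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow
"""

ACE = re.compile(r"^\s*((?:user|group):[^:]+|owner@|group@|everyone@)"
                 r":([A-Za-z-]+):([A-Za-z-]+):(allow|deny)\s*$")

def parse_acl(text):
    """Return the ACEs in order as (who, perms, flags, type) tuples."""
    return [m.groups() for m in map(ACE.match, text.splitlines()) if m]

def acl_drift(baseline, current):
    """List human-readable differences between two compact ACL listings."""
    want, have = parse_acl(baseline), parse_acl(current)
    findings = []
    if len(want) != len(have):
        findings.append(f"entry count {len(have)}, expected {len(want)}")
    for i, (w, h) in enumerate(zip(want, have)):
        if w != h:
            findings.append(f"ACE {i} is {':'.join(h)}, expected {':'.join(w)}")
    # f = file_inherit, d = dir_inherit in the compact flags field.
    if any("f" in w[2] or "d" in w[2] for w in want) and \
       not any("f" in h[2] or "d" in h[2] for h in have):
        findings.append("no inheritable ACEs left: new files will not inherit the ACL")
    return findings

if __name__ == "__main__":
    for finding in acl_drift(BASELINE, AFTER_CHMOD):
        print(finding)
```

Run periodically against the directories that carry a deliberate ACL, this flags the ones an application has reset with chmod so the baseline can be reapplied.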