I believe this ACL will achieve what you're trying to do... with POSIX permissions normally you would set 770 umask and a file create does not preserve execute by default, where a directory does. I have just now learned that with ACLs it does what you told it to do. So we have to recreate that behaviour by having a separate inheritance for both File and Directory.
The last bit, how to preserve the sticky bit, I couldn't quite figure out on a whim... but when I did a "chmod g+s .", the proper "DirInherit and FileInherit:InheritOnly" were added into the ACL... and things worked as expected.

$ mmgetacl .
#NFSv4 ACL
#owner:someuser
#group:somegroup
special:owner@:rwxc:allow:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (-)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:owner@:rw-c:allow:FileInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (-)DELETE (X)DELETE_CHILD (X)CHOWN (-)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:group@:rwx-:allow:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (X)DELETE (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

special:group@:rw--:allow:FileInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (X)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

special:everyone@:----:allow:FileInherit:DirInherit
 (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED
 (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

On Fri, Sep 2, 2022 at 1:25 AM Jonathan Buzzard <[email protected]> wrote:
> On 01/09/2022 22:18, Taylor Joshua George (PSI) wrote:
> >
> > Hi Everyone,
> > I'm trying to implement some ACLs, however some of the documentation is a
> > bit unclear to me.
> >
> > Using
> > https://www.ibm.com/docs/en/spectrum-scale/5.1.4?topic=administration-setting-nfs-v4-access-control-lists
> > as a reference, I'm trying to understand what to use to achieve 0660
> > permissions on files and 2770 on directories.
> >
>
> It's not clear from this whether you are trying to achieve the
> equivalent of 0660 and 2770 on files and directories or have an ls show
> the permissions as 0660 and 2770.
>
> > So far, I've managed to achieve 0000 perms, but user with the ACL
> > permission can chmod, or 0770 perms.
> >
>
> Basically neither of the above two options is possible because there is
> no exact mapping between POSIX permissions and NFSv4 ACLs.
>
> For example you can't get the equivalent of the set group id permission.
> You can however put an inheritable ACL for a group on the directory that
> gives r/w plus say search directory and possibly execute permissions if
> you want those as well.
>
> A user with ACL permissions can change permissions; that is completely
> expected. Note that traditional 2770 permissions are only suggestive,
> the file or member of the group would be able to change them to
> something else. In fact programs often do when you save, and Samba just
> completely ignores them for the most part. At least with NFSv4 ACLs you
> can remove the ACL permission :-)
>
> How permissions display on an ls/stat is not an exact mapping and will
> tend to go to something like 0000, but actual ability to access etc. the
> file will be based on the ACL not what you see in ls/stat.
>
> > Attached is a txt file with the mmgetacl output, as well as file
> > listing on a test file, and finally, the ACL definition I used.
> >
> > As one can see in the attachment, the ACL requested appears differently
> > for what it _actually_ applied.
> >
>
> What ACL schematics does the file system have? Is it NFSv4 or both?
>
> If you are wedded to POSIX style permissions perhaps change to POSIX ACL
> schematics on the file system?
>
>
> JAB.
>
> --
> Jonathan A. Buzzard                         Tel: +44141-5483420
> HPC System Administrator, ARCHIE-WeSt.
> University of Strathclyde, John Anderson Building, Glasgow. G4 0NG
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at gpfsug.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org
>
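As an added check that is not part of the thread (my own example code, not from either poster), the script below parses the mmgetacl listing posted above and reports the rwx each principal would inherit on a new file and on a new directory, plus which principals keep WRITE_ACL or CHOWN on those objects, which is the "user with the ACL permission can chmod" concern from the original question. It assumes the ACL contains only allow entries, as the posted one does, and uses the placeholder owner/group names from the post.

```python
import re
# Copy of the mmgetacl listing posted above (placeholder names as in the post), one mask line each
MMGETACL_OUTPUT = """\
special:owner@:rwxc:allow:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (-)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
special:owner@:rw-c:allow:FileInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (-)DELETE (X)DELETE_CHILD (X)CHOWN (-)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
special:group@:rwx-:allow:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (X)DELETE (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
special:group@:rw--:allow:FileInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (X)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
special:everyone@:----:allow:FileInherit:DirInherit
 (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED
 (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
"""

ENTRY_RE = re.compile(r"^(special|user|group):([^:]+):[rwxc-]{4}:(allow|deny)((?::\w+)*)$")
MASK_RE = re.compile(r"\((X|-)\)([A-Z_/]+)")
POSIX_BITS = (("READ/LIST", "r"), ("WRITE/CREATE", "w"), ("EXEC/SEARCH", "x"))

def parse_acl(text):
    """Return [who, allow/deny, inherit flags, granted mask] per entry; '#' header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(2), m.group(3), set(m.group(4).split(":")) - {""}, set()])
        elif line.startswith(" ("):  # mask line: attach the (X) names to the preceding entry
            entries[-1][3].update(n for st, n in MASK_RE.findall(line) if st == "X")
    return entries

def inherited(entries, kind):
    """Union of allow masks a new 'file' or 'dir' inherits, per principal (InheritOnly entries included)."""
    want = {"file": "FileInherit", "dir": "DirInherit"}[kind]
    got = {}
    for who, typ, flags, mask in entries:
        if typ == "allow" and want in flags:
            got.setdefault(who, set()).update(mask)
    return got

def inherited_mode(entries, kind):
    """rwx string per principal on a new file/dir, plus who could rewrite its ACL or chown it."""
    got = inherited(entries, kind)
    mode = {w: "".join(c if n in got.get(w, ()) else "-" for n, c in POSIX_BITS) for w in ("owner@", "group@", "everyone@")}
    return mode, sorted(w for w, m in got.items() if m & {"WRITE_ACL", "CHOWN"})
```

For the posted ACL this yields rw- for owner@ and group@ on new files (the 0660 part) and rwx on new directories (the 0770 part), with only owner@ retaining WRITE_ACL/CHOWN; the setgid effect itself is not something the ACL expresses, as noted in the reply above.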
