Hi all,

I am currently working with ACLs to find a proper set that would fit our use case. While narrowing things down, I found a very simple case that looks quite weird.
The use case is the following. I create a directory with 2770 mode and root:p15875 ownership, without applying any explicit ACLs. The system returns this as the default ACLs generated by the permissions/mode:

#NFSv4 ACL
#owner:root
#group:p15875
special:owner@:rwxc:allow
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (-)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:group@:rwxc:allow
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (-)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:everyone@:----:allow
 (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

If I touch a new file inside that dir with a user that is a member of that group, it gets created with 644. So far so good.

Now if via mmeditacl I add the following entry to the ACL of the dir, new files get created with 000 permissions. The new entry is the following:

special:group@:rwx-:allow:DirInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (-)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

According to the manual, the DirInherit:InheritOnly should guarantee that the entry applies only to the new subdirectories, but now it is also affecting new files in the main dir. Is this expected behavior?

The filesystem version is 5.1.5.0 and is configured with nfs4 ACLs only.

In general, I am struggling a lot with the NFS4 ACLs and I also find the IBM documentation [1] quite poor in this context. So if someone can point me to better resources, that would be very welcome.

Thanks,
Ivano

[1] https://www.ibm.com/docs/en/storage-scale/5.0.2?topic=administration-nfs-v4-acl-syntax

__________________________________________
Paul Scherrer Institut
Ivano Talamo
WHGA/038
Forschungsstrasse 111
5232 Villigen PSI
Schweiz

Phone: +41 56 310 47 11
E-Mail: [email protected]
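
Added example, not part of the original post and not Storage Scale code: a small Python model of the NFSv4 inheritance flags as RFC 7530 defines them, applied to ACL text in the layout shown in the post. The sample ACL is constructed from the post with the capability lines abbreviated, the function names are hypothetical, and the model only reports which entries the flags scope to each kind of object, not how the filesystem derives the mode bits of a new file.

```python
# Added example: RFC 7530 inheritance-flag semantics, not Storage Scale code.
# Constructed sample in the post's layout; capability lines are abbreviated.
SAMPLE_ACL = """\
#NFSv4 ACL
#owner:root
#group:p15875
special:owner@:rwxc:allow
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE
special:group@:rwxc:allow
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE
special:everyone@:----:allow
 (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE
special:group@:rwx-:allow:DirInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE
"""

def parse_entries(text):
    """Return (who, perms, ace_type, flags) for each ACE header line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#(":
            continue  # skip comment lines and capability detail lines
        kind, name, perms, ace_type, *flags = line.split(":")
        entries.append((f"{kind}:{name}", perms, ace_type, frozenset(flags)))
    return entries

def scope(flags):
    """Objects on which an ACE takes effect under the RFC 7530 flag definitions."""
    reach = set()
    if "InheritOnly" not in flags:
        reach.add("directory itself")    # ACE is evaluated on the directory
    if "FileInherit" in flags:
        reach.add("new files")           # copied to new non-directory objects
    if "DirInherit" in flags:
        reach.add("new subdirectories")  # copied to new subdirectories
    return reach

def effective_on(text, target):
    """ACEs that would take effect on an object of kind `target`."""
    return [e for e in parse_entries(text) if target in scope(e[3])]

if __name__ == "__main__":
    for who, perms, ace_type, flags in parse_entries(SAMPLE_ACL):
        print(f"{who:18} {perms} {ace_type:5} -> {sorted(scope(flags))}")
    print("effective on new files:", effective_on(SAMPLE_ACL, "new files"))
```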
