________________________________
From: gpfsug-discuss <[email protected]> on behalf of Christof Schmitt <[email protected]>
Sent: 14 September 2023 18:02
To: [email protected] <[email protected]>
Subject: Re: [gpfsug-discuss] Unexpected permissions with ACLs

> following:
>
> special:group@:rwx-:allow:DirInherit:InheritOnly
> (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE
> (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
> (-)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH
> (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
>
> According to the manual, the DirInherit:InheritOnly should guarantee
> that the entry applies only to the new subdirectories but now it is
> also affecting new files in the main dir.
> Is this an expected behavior?

From an ACL perspective, yes. "InheritOnly" indicates that this entry does not grant any permissions on the directory. It is only copied as an entry to new files or subdirectories created in this directory. So if this is the only ACL entry, there are indeed no permissions on this directory. You can remove the "InheritOnly" bit, then this would also grant permission on the directory. Or you can add another ACL entry that grants permissions on the directory.

I may have not been clear enough, but that ACE has only been added to the previous 3 ACEs, so the complete one for the directory is the following:

#NFSv4 ACL
#owner:root
#group:p15875
special:owner@:rwxc:allow
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (-)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:group@:rwx-:allow
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (-)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:everyone@:----:allow
 (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

special:owner@:rwx-:allow:DirInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (-)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

So I would expect that the first 3 would still produce a 644 mode on the file. Am I wrong?

Cheers,
Ivano
