Re: [storage-discuss] Inherited file permissions problem

Fri, 20 Nov 2009 14:35:45 -0800 

lance wilson wrote:

On my opensolaris file storage machine files created in one zfs file system 
which is then subsequently moved to  another gets an extra acl applied from 
somewhere. The problem with the newly applied acl is that the files are no 
longer readable from the network share. The way to resolve this is to access 
the server and execute a chmod -Rf A- which removes all of the extra and not 
required acls. The problem is I can not find where these file permissions are 
coming from. When I create a file in either of the file systems using touch, 
the files have this set of permissions

     0:owner@:execute:deny
     1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2:group@:write_data/append_data/execute:deny
     3:group@:read_data:allow
     4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow

This group of permissions looks like the standard ones applied to user and 
group permissions. Now the files that are moved have the permissions below.

     0:owner@:read_data/write_data/append_data/read_attributes
         /write_attributes/read_acl/write_acl/synchronize:allow
     1:owner@:execute:deny
     2:group@:write_data/append_data/execute/write_attributes/write_acl:deny
     3:group@:read_data/read_attributes/read_acl/synchronize:allow
     4:group@:write_data/append_data/execute/write_attributes/write_acl:deny
     5:everyone@:read_data/read_attributes/read_acl/synchronize:allow
     6:everyone@:write_data/append_data/execute/write_attributes/write_acl
         :deny

I have tried removing all of the acls from the file systems by executing the 
chmod command in the roots of the file systems but it has not worked. Can 
anyone provide any suggestions. Also how do you use chmod on a directory only 
not the files?
Are you doing the "mv" over NFS? This looks like a translated ACL. It has the allow/deny pairs as allow/deny instead of deny/allow and you have an extra group@ which is to simulate the ACL mask from a POSIX draft ACL. 

   -Mark
_______________________________________________
storage-discuss mailing list
storage-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/storage-discuss

Reply via email to