Andrew Watkins wrote:
[I did post this in NFS, but I think it should be here]
I am playing with ACL on snv_114 (and Storage 7110) system and I have
noticed that strange things are happening to ACLs, or am I doing something
wrong?
When you create a new sub-directory or file the ACLs seem to be incorrect.
It's actually doing exactly what it's supposed to do. See below for
explanation.
# zfs create rpool/export/home/andrew
# zfs set aclinherit=passthrough rpool/export/home/andrew
# zfs set aclmode=passthrough rpool/export/home/andrew
# chown andrew:staff /export/home/andrew
# chmod "A+user:oxygen:rwxpdDaARWcCos:fd-----:allow" /export/home/andrew
# ls -ldV /export/home/andrew
drwxr-xr-x+ 3 andrew staff 3 Jun 19 17:09 /export/home/andrew
user:oxygen:rwxpdDaARWcCos:fd-----:allow
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow
# mkdir /export/home/andrew/foo
# ls -ldV /export/home/andrew/foo
drwxr-xr-x+ 2 andrew staff 2 Jun 19 17:09 /export/home/andrew/foo
user:oxygen:rwxpdDaARWcCos:fdi---I:allow <<Altered
The entry with the inheritance flags of "fdi" is an inherit only ACE
which does NOT affect access control and is used for future propagation
to children of the new directory.
This is done since chmod(2) *may* under some situations alter/reduce the
permission(s) of ACEs that affect access control. A chmod(2) operation
never alters "inherit only" ACEs. This then allows future
directories/files to always inherit the same ACL as their parent, or
parent's parent and so on.
user:oxygen:rwxpdDaARWcCos:------I:allow <<NEW
The "I" indicates the ACE was inherited. This is the ACE that will be used
during access control.
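
A small Python model of the inheritance behaviour explained in this reply, added here as an example (it is not part of the original thread and is not ZFS code). It covers only parent ACEs carrying both "f" and "d", ignores the owner@/group@/everyone@ entries derived from the mode, and the reduced-permission ACE in the demo is a constructed value standing in for a chmod(2) side effect.

```python
FLAG_ORDER = "fdinSFI"  # column order of inheritance flags in `ls -V` output

def parse_ace(line):
    """Split 'who:perms:flags:type'; who may be 'user:name' or 'owner@'."""
    parts = line.split("<<")[0].strip().split(":")  # drop '<<NEW' style notes
    perms, flags, ace_type = parts[-3:]
    return {"who": ":".join(parts[:-3]), "perms": perms,
            "flags": set(flags.replace("-", "")), "type": ace_type}

def format_ace(ace):
    flags = "".join(c if c in ace["flags"] else "-" for c in FLAG_ORDER)
    return ":".join([ace["who"], ace["perms"], flags, ace["type"]])

def affects_access(line):
    """Inherit-only ('i') ACEs are stored but skipped during access checks."""
    return "i" not in parse_ace(line)["flags"]

def new_dir_acl(parent_acl):
    """Inherited ACEs a new subdirectory gets from the parent's ACL lines."""
    child = []
    for ace in map(parse_ace, parent_acl):
        if not {"f", "d"} <= ace["flags"]:
            continue  # not inheritable, or a combination outside this sketch
        # Copy 1: inherit-only, kept intact for future children.
        child.append(format_ace(dict(ace, flags={"f", "d", "i", "I"})))
        # Copy 2: no inheritance flags; this one is used for access control.
        child.append(format_ace(dict(ace, flags={"I"})))
    return child

if __name__ == "__main__":
    parent = ["user:oxygen:rwxpdDaARWcCos:fd-----:allow",
              "owner@:rwxp---A-W-Co-:-------:allow"]
    foo = new_dir_acl(parent)
    print("foo:", foo)
    # Constructed: pretend chmod(2) reduced the effective ACE on foo.
    foo[1] = "user:oxygen:r-x-----------:------I:allow"
    # A directory created under foo still inherits the full permissions,
    # because only the untouched inherit-only ACE propagates.
    print("foo/bar:", new_dir_acl(foo))
    print("used for access on foo:", [a for a in foo if affects_access(a)])
```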