On Thu, Sep 30, 2010 at 03:28:14PM -0500, Nicolas Williams wrote: > Consider this chronologically-ordered sequence of events: > > 1) File is created via Windows, gets SMB/ZFS/NFSv4-style ACL, including > inherittable ACEs. A mode computed from this ACL might be 664, say. > > 2) A Unix user does chmod(644) on that file, and one way or another this > effectively reduces permissions otherwise granted by the ACL. > > 3) Another Windows user now fails to get write perm that they should > have, so they complain, and then the owner tries to view/change the > ACL from a Windows desktop. > > Now what? > > Can the user in (3) fix the permissions from Windows? For that to be > possible the mode must implicitly get recomputed when the ACL is > modified.
Also, even if in (3) the user can fix the perms from Windows because we'd recompute the mode from the ACL, the user wouldn't be able to see the "effective" ACL (as "reduced" by the mode_t that Windows can't see). The only way to address that is... to do groupmasking. And that gets us back to the problems we had with groupmasking. Nico -- _______________________________________________ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss