Bug #3528
closed
setting permission with chmod kills delete_child permission on owner acl
50%
Description
Hi,
we do have the following problem:
when a directory has the delete_child permission, after changing mode bits the delete_child right has gone!
See this dialog:
root@gar-sv-oi02:/gar-home/home/w# ls -vd zz
drwx------+ 2 root root 2 Feb 5 11:49 zz
0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/delete_child
/read_attributes/write_attributes/delete/read_acl/write_acl
/write_owner/synchronize:dir_inherit/inherited:allow
1:everyone@:read_attributes/synchronize:inherited:allow
root@gar-sv-oi02:/gar-home/home/w#
root@gar-sv-oi02:/gar-home/home/w#
root@gar-sv-oi02:/gar-home/home/w# chmod g+rx zz
root@gar-sv-oi02:/gar-home/home/w# ls -vd zz
drwxr-x--- 2 root root 2 Feb 5 11:49 zz
0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/read_attributes
/write_attributes/read_acl/write_acl/write_owner/synchronize:allow
1:group@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
2:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
root@gar-sv-oi02:/gar-home/home/w# chmod A0=owner@:full_set/synchronize:allow zz
root@gar-sv-oi02:/gar-home/home/w# ls -vd zz
drwxr-x---+ 2 root root 2 Feb 5 11:49 zz
0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/delete_child
/read_attributes/write_attributes/delete/read_acl/write_acl
/write_owner/synchronize:allow
1:group@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
2:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
root@gar-sv-oi02:/gar-home/home/w# chmod o+rx zz
root@gar-sv-oi02:/gar-home/home/w# ls -vd zz
drwxr-xr-x 2 root root 2 Feb 5 11:49 zz
0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/read_attributes
/write_attributes/read_acl/write_acl/write_owner/synchronize:allow
1:group@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
2:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
root@gar-sv-oi02:/gar-home/home/w#
root@gar-sv-oi02:/gar-home/home/w# zfs get all gar-home/home | grep aclgar-home/home aclmode passthrough local
gar-home/home aclinherit passthrough-x local
root@gar-sv-oi02:/gar-home/home/w#
root@gar-sv-oi02:/gar-home/home/w# cat /etc/*rel*
OpenIndiana Development oi_151.1.7 X86 (powered by illumos)
Copyright 2011 Oracle and/or its affiliates. All rights reserved.
Use is subject to license terms.
Assembled 03 October 2012
root@gar-sv-oi02:/gar-home/home/w#
We already tried also aclmode=discard and aclinherit=restricted, but to no help.
the missing delete_child permission creates trouble for our windows users, they can not move or delete files.
On a nexenta box this does not happen!
Related issues
Updated by Gordon Ross over 8 years ago
This should be an illumos bug, btw. (I don't have the rights needed to fix that.)
We fixed this in NexentaStor, and had a fix out for review at one point.
I'll try to get someone at Nexenta to resurrect that...
Updated by Rich Lowe over 8 years ago
- Project changed from OpenIndiana Distribution to illumos gate
Updated by Gordon Ross over 8 years ago
- Assignee set to Gordon Ross
OK, I found the workspace where I left this fix parked.
The problem here, btw, is that Windows really expects the DELETE bit to be there
for a "normal" directory where you also have DELETE_CHILD, etc. Unfortunately,
the handling of that bit, and it's interaction with other permission checks
(and in particular the POSIX "sticky" bit) get's rather complicated.
Updated by Gordon Ross over 8 years ago
- Assignee changed from Gordon Ross to Kevin Crowe
- % Done changed from 0 to 50
Updated by Klaus Steinberger about 8 years ago
Hi Gordon,
what's the status of this bug? Any progress?
Sincerly,
Klaus
Updated by Kevin Crowe about 8 years ago
Just a quick update on progress: I took this bug from Gordon & I have some code changes I'd consider just about ready. There was one finding on an internal code review that I need to address and I hope to move forward in the next week or two retesting and following up on that code review and seeking community feedback.
Updated by
Updated by Yuri Pankov about 5 years ago
- Status changed from In Progress to Feedback
This should be fixed in #6762.
Updated by Yuri Pankov about 5 years ago
- Status changed from Feedback to Closed
Closing as fixed, please reopen if it's still a problem.
Updated by Yuri Pankov about 5 years ago
- Is duplicate of Bug #6762: POSIX write should imply DELETE_CHILD on directories - and some additional considerations added