Bug #3528
closed
setting permission with chmod kills delete_child permission on owner acl
50%
Description
Hi,
we do have the following problem:
when a directory has the delete_child permission, after changing mode bits the delete_child right has gone!
See this dialog:
root@gar-sv-oi02:/gar-home/home/w# ls -vd zz
drwx------+ 2 root root 2 Feb 5 11:49 zz
     0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/read_xattr/write_xattr/execute/delete_child
         /read_attributes/write_attributes/delete/read_acl/write_acl
         /write_owner/synchronize:dir_inherit/inherited:allow
     1:everyone@:read_attributes/synchronize:inherited:allow
root@gar-sv-oi02:/gar-home/home/w#
root@gar-sv-oi02:/gar-home/home/w#
root@gar-sv-oi02:/gar-home/home/w# chmod g+rx zz
root@gar-sv-oi02:/gar-home/home/w# ls -vd zz
drwxr-x--- 2 root root 2 Feb 5 11:49 zz
     0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/read_xattr/write_xattr/execute/read_attributes
         /write_attributes/read_acl/write_acl/write_owner/synchronize:allow
     1:group@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow
     2:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
root@gar-sv-oi02:/gar-home/home/w# chmod A0=owner@:full_set/synchronize:allow zz
root@gar-sv-oi02:/gar-home/home/w# ls -vd zz
drwxr-x---+ 2 root root 2 Feb 5 11:49 zz
     0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/read_xattr/write_xattr/execute/delete_child
         /read_attributes/write_attributes/delete/read_acl/write_acl
         /write_owner/synchronize:allow
     1:group@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow
     2:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
root@gar-sv-oi02:/gar-home/home/w# chmod o+rx zz
root@gar-sv-oi02:/gar-home/home/w# ls -vd zz
drwxr-xr-x 2 root root 2 Feb 5 11:49 zz
     0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/read_xattr/write_xattr/execute/read_attributes
         /write_attributes/read_acl/write_acl/write_owner/synchronize:allow
     1:group@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow
     2:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow
root@gar-sv-oi02:/gar-home/home/w#
root@gar-sv-oi02:/gar-home/home/w# zfs get all gar-home/home | grep acl
gar-home/home aclmode passthrough local
gar-home/home aclinherit passthrough-x local
root@gar-sv-oi02:/gar-home/home/w#
root@gar-sv-oi02:/gar-home/home/w# cat /etc/*rel*
OpenIndiana Development oi_151.1.7 X86 (powered by illumos)
Copyright 2011 Oracle and/or its affiliates. All rights reserved.
Use is subject to license terms.
Assembled 03 October 2012
root@gar-sv-oi02:/gar-home/home/w#
We already tried also aclmode=discard and aclinherit=restricted, but to no help.
The missing delete_child permission creates trouble for our Windows users; they cannot move or delete files.
On a nexenta box this does not happen!
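Added example, not part of the original report or of illumos code: a small checker that reads `ls -vd` output in the format shown above and reports which delete rights an owner@ allow entry has lost while it still grants add_file. The function names and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample: `ls -vd` output in the shape shown in the report,
# taken after `chmod g+rx` (owner@ no longer has delete_child/delete).
SAMPLE_AFTER_CHMOD = """\
drwxr-x---   2 root     root           2 Feb  5 11:49 zz
     0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/read_xattr/write_xattr/execute/read_attributes
         /write_attributes/read_acl/write_acl/write_owner/synchronize:allow
     1:group@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow
"""

ACE_START = re.compile(r"^\s*(\d+):(.*)$")   # "N:" opens a new ACL entry

def parse_aces(ls_v_output):
    """Return [(who, perms_set, ace_type)] from `ls -v` text, joining wrapped lines."""
    raw = []
    for line in ls_v_output.splitlines():
        m = ACE_START.match(line)
        if m:
            raw.append(m.group(2).strip())
        elif raw and line.strip().startswith("/"):
            raw[-1] += line.strip()          # continuation of the previous entry
    aces = []
    for entry in raw:
        fields = entry.split(":")
        # user:NAME:... and group:NAME:... carry one extra leading field
        n = 2 if fields[0] in ("user", "group") else 1
        who, perms = ":".join(fields[:n]), set(fields[n].split("/"))
        aces.append((who, perms, fields[-1]))  # optional flags field is skipped
    return aces

def missing_delete_rights(ls_v_output):
    """Delete rights absent from owner@ allow entries that still grant add_file."""
    granted = set()
    for who, perms, ace_type in parse_aces(ls_v_output):
        if who == "owner@" and ace_type == "allow":
            granted |= perms
    if "add_file" not in granted:
        return []                            # owner cannot create files here anyway
    return [p for p in ("delete_child", "delete") if p not in granted]

if __name__ == "__main__":
    print(missing_delete_rights(SAMPLE_AFTER_CHMOD))
```

Feeding it the output of `ls -vd` for each directory under a share gives a list of directories to re-check after a chmod.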
Related issues
Updated by Gordon Ross about 10 years ago
This should be an illumos bug, btw. (I don't have the rights needed to fix that.)
We fixed this in NexentaStor, and had a fix out for review at one point.
I'll try to get someone at Nexenta to resurrect that...
Updated by Rich Lowe about 10 years ago
- Project changed from OpenIndiana Distribution to illumos gate
Updated by Gordon Ross about 10 years ago
- Assignee set to Gordon Ross
OK, I found the workspace where I left this fix parked.
The problem here, btw, is that Windows really expects the DELETE bit to be there
for a "normal" directory where you also have DELETE_CHILD, etc. Unfortunately,
the handling of that bit, and its interaction with other permission checks
(and in particular the POSIX "sticky" bit) gets rather complicated.
Updated by Gordon Ross almost 10 years ago
- Assignee changed from Gordon Ross to Kevin Crowe
- % Done changed from 0 to 50
Updated by Gordon Ross almost 10 years ago
- Status changed from New to In Progress
Updated by Klaus Steinberger over 9 years ago
Hi Gordon,
what's the status of this bug? Any progress?
Sincerely,
Klaus
Updated by Kevin Crowe over 9 years ago
Just a quick update on progress: I took this bug from Gordon & I have some code changes I'd consider just about ready. There was one finding on an internal code review that I need to address and I hope to move forward in the next week or two retesting and following up on that code review and seeking community feedback.
Updated by Yuri Pankov over 6 years ago
- Status changed from In Progress to Feedback
This should be fixed in #6762.
Updated by Yuri Pankov over 6 years ago
- Status changed from Feedback to Closed
Closing as fixed, please reopen if it's still a problem.
Updated by Yuri Pankov over 6 years ago
- Is duplicate of Bug #6762: POSIX write should imply DELETE_CHILD on directories - and some additional considerations added