Bug #6763

aclinherit=restricted masks inherited permissions by group perms (groupmask)

Added by Yuri Pankov over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: zfs - Zettabyte File System
Start date: 2016-03-19
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:

Description

(by Albert)

According to the zfs(1M) description of the aclinherit property: "The property value restricted (the default) removes the write_acl and write_owner permissions when the ACL entry is inherited."

However, when aclinherit=restricted is set for a dataset, we apply similar behaviour to aclmode=groupmask when calculating the inherited permissions, which drops any ALLOW ACL entries not present in the UNIX permissions for the group (group@).

This was reported for FreeBSD, with an example:
http://lists.freebsd.org/pipermail/freebsd-fs/2013-August/018057.html

This was already present after the aclmode removal and may reflect a change in aclinherit=restricted semantics that we don't have documented, although I'm not sure what purpose it serves.

When I restored aclmode I preserved this behaviour and actually corrected a bug:
https://www.illumos.org/issues/664

It is unclear what the proper semantics should be.

Steps to Reproduce:
- Set aclmode=restricted on a dataset.
- Add ALLOW ACEs (for something other than owner@/group@/everyone@, such as a specific user or group) with file_inherit or directory_inherit and unset some corresponding permissions in the ACE for group@ on a parent directory.
- Possibly also set umask, if using a shell, to restrict group perms (not sure if this also causes the problem, perhaps worth trying separately).
- Create new files or directories in the parent directory and check their ACLs.

Expected Results:
ACLs should contain the original inherited ALLOW ACEs, not masked by group perms. Only write_acl and write_owner should be dropped as documented.

Actual Results:
Permissions not present in group@ will vanish in the newly created file.
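
The gap between the expected and actual results above, as a simplified model (an added example, not part of the original report and not illumos code). The ACE layout, the mapping from group mode bits to permissions, and the principal `user:alice` are assumptions made for illustration.

```python
# Simplified model of the two inheritance behaviours described in the report.
# Not ZFS code: the ACE layout, the mode-bit mapping and "user:alice" are constructed.
from dataclasses import dataclass

RESTRICTED_STRIP = frozenset({"write_acl", "write_owner"})  # documented for restricted
# Assumption: group rwx mode bits correspond to these permissions.
MODE_BIT_PERMS = {4: {"read_data"}, 2: {"write_data", "append_data"}, 1: {"execute"}}
MASKABLE = frozenset().union(*MODE_BIT_PERMS.values())
SPECIAL = {"owner@", "group@", "everyone@"}

@dataclass(frozen=True)
class Ace:
    who: str
    kind: str            # "allow" or "deny"
    perms: frozenset
    flags: frozenset     # inheritance flags, e.g. file_inherit

def group_perms(mode):
    """Permissions granted by the group bits of a creation mode."""
    bits = (mode >> 3) & 7
    return frozenset().union(*(p for b, p in MODE_BIT_PERMS.items() if bits & b))

def inherit_documented(parent_acl, is_dir=False):
    """Expected result: inheritable ACEs minus write_acl/write_owner only."""
    want = "directory_inherit" if is_dir else "file_inherit"
    return [Ace(a.who, a.kind, a.perms - RESTRICTED_STRIP,
                a.flags if is_dir else frozenset())
            for a in parent_acl if want in a.flags]

def inherit_reported(parent_acl, mode, is_dir=False):
    """Actual result per the report: non-special ALLOW ACEs also masked by group perms."""
    dropped = MASKABLE - group_perms(mode)
    return [Ace(a.who, a.kind, a.perms - dropped, a.flags)
            if a.kind == "allow" and a.who not in SPECIAL else a
            for a in inherit_documented(parent_acl, is_dir)]

def lost_permissions(parent_acl, mode, is_dir=False):
    """Per-principal permissions removed beyond the documented strip."""
    pairs = zip(inherit_documented(parent_acl, is_dir),
                inherit_reported(parent_acl, mode, is_dir))
    return {d.who: sorted(d.perms - r.perms) for d, r in pairs if d.perms != r.perms}

# Constructed parent-directory ACL with one inheritable ALLOW ACE for a specific user.
PARENT_ACL = [Ace("user:alice", "allow",
                  frozenset({"read_data", "write_data", "append_data", "execute", "write_acl"}),
                  frozenset({"file_inherit", "directory_inherit"}))]

if __name__ == "__main__":
    print(lost_permissions(PARENT_ACL, 0o640))
```

A non-empty result from `lost_permissions` marks an inherited entry that ends up narrower than the parent directory's ACL specifies.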


Related issues

Precedes illumos gate - Bug #6875: fix zfs-tests ACL cases | Closed | 2016-03-21 | 2016-03-21

History

#1

Updated by Yuri Pankov over 3 years ago

  • Precedes Bug #6875: fix zfs-tests ACL cases added

#2

Updated by Electric Monk over 3 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit 851632d6a88d512574719953cc01ae7c2ed66b88

commit  851632d6a88d512574719953cc01ae7c2ed66b88
Author: Albert Lee <trisk@nexenta.com>
Date:   2016-04-20T15:33:54.000Z

    6763 aclinherit=restricted masks inherited permissions by group perms (groupmask)
    Reviewed by: Gordon Ross <gwr@nexenta.com>
    Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
    Approved by: Richard Lowe <richlowe@richlowe.net>
