[PATCH] Add "zfsacl:force inheritance special id ace" parameter
Ira Cooper
ira at samba.org
Mon Feb 13 10:06:34 MST 2012
SATOH,
This is a workaround for an explicit kernel behavior in ZFS. What you are
seeing is actually the mode bits from a chmod being applied by the kernel;
you can see how it happens here:
http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/fs/zfs/zfs_acl.c#1602;
I won't quote the code here, for IP reasons.
I'm not sure about some of your checks after reading that code, but I'd
have to track through things a bit more to be sure.
An edge condition to think about:
$ ls -lV
total 3
drwxr-xr-x+ 2 ira users 2 Feb 13 11:44 dir
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
everyone@:--------------:fd----:allow
$ touch dir/foo
$ ls -dV dir/foo
----------+ 1 ira users 0 Feb 13 11:45 dir/foo
everyone@:--------------:------:allow
If an NFSv3 user created a file in that directory, he'd never see the inherited
ACE (NFSv3 exposes only the mode bits) and would be pretty confused by the
resulting `----------` mode! This is a general issue with inherited ACEs, but
this workaround really amplifies it. I'd expect the Windows user who created
the directory to be surprised by the result as well.
That said, at least on my NexentaOS_134f box, and I assume on Illumos as well, I
don't get any of the DENY entries, so the Explorer issue shouldn't happen there.
This is using your original reproduction steps:
-rw-r--r--+ 1 ira users 0 Feb 13 08:34
dir/file-inherit-bad-ace
group:staff:rwxpd-aARWcCos:------I:allow
owner@:rw-p--aARWcCos:-------:allow
group@:r-----a-R-c--s:-------:allow
everyone@:r-----a-R-c--s:-------:allow
------
I suspect there's a better answer. But we need to understand more of the
situation, and what the correct set of permissions at the end should be.
Thanks,
-Ira
On Sat, Feb 11, 2012 at 4:04 AM, SATOH Fumiyasu <fumiyas at osstech.co.jp>wrote:
> Append the non-effective ACE 'everyone@::fd:allow' if the
> specified ACL has no inheritance special id ACE.
>
> When a directory has no inheritance special id ACE (i.e.,
> 'owner@', 'group@' and 'everyone@' with inheritance flags),
> a new file under the directory inherits the ACL with unexpected
> DENY special id ACEs. It is NOT compatible with Windows explorer
> ACL editor.
>
> $ uname -a
> SunOS fmys-s10 5.10 Generic_142910-17 i86pc i386 i86pc
> $ zfs get aclinherit rpool/share
> NAME PROPERTY VALUE SOURCE
> rpool/share aclinherit passthrough local
> $ mkdir dir
>
> $ chmod A=group:staff:rwxpd-aARWcCos:fd----:allow dir
> $ touch dir/file-inherit-bad-ace
> $ ls -dV dir dir/file-inherit-bad-ace
> d---------+ 2 root root 3 Feb 11 19:01 dir
> group:staff:rwxpd-aARWcCos:fd----:allow
> -rw-r--r--+ 1 root root 0 Feb 11 19:01
> dir/file-inherit-bad-ace
> group:staff:-wxp----------:------:deny
> group:staff:rwxpd-aARWcCos:------:allow
> owner@:--x-----------:------:deny
> owner@:rw-p---A-W-Co-:------:allow
> group@:-wxp----------:------:deny
> group@:r-------------:------:allow
> everyone@:-wxp---A-W-Co-:------:deny
> everyone@:r-----a-R-c--s:------:allow
>
> $
>
> $ touch dir/file-inherit-good-ace
> $ ls -dV dir dir/file-inherit-good-ace
> d---------+ 2 root root 4 Feb 11 19:02 dir
> group:staff:rwxpd-aARWcCos:fd----:allow
> everyone@:--------------:fd----:allow
> ----------+ 1 root root 0 Feb 11 19:02
> dir/file-inherit-good-ace
> group:staff:rwxpd-aARWcCos:------:allow
> everyone@:--------------:------:allow
> ---
> source3/modules/vfs_zfsacl.c | 36 +++++++++++++++++++++++++++++++++++-
> 1 files changed, 35 insertions(+), 1 deletions(-)
>
> diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c
> index 286720a..a9e078c 100644
> --- a/source3/modules/vfs_zfsacl.c
> +++ b/source3/modules/vfs_zfsacl.c
> @@ -113,10 +113,12 @@ static bool zfs_process_smbacl(files_struct *fsp,
> SMB4ACL_T *smbacl)
> SMB4ACE_T *smbace;
> TALLOC_CTX *mem_ctx;
> bool have_special_id = false;
> + bool have_file_inheritance_special_id = false;
> + bool have_dir_inheritance_special_id = false;
>
> /* allocate the field of ZFS aces */
> mem_ctx = talloc_tos();
> - acebuf = (ace_t *) talloc_size(mem_ctx, sizeof(ace_t)*naces);
> + acebuf = (ace_t *) talloc_size(mem_ctx, sizeof(ace_t)*(naces+1));
> if(acebuf == NULL) {
> errno = ENOMEM;
> return False;
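Review bot: The `naces+1` on the changed talloc_size line is slack for exactly one ACE that a later hunk appends, but nothing here says so, and a reader checking the bounds of `acebuf` has to find that append site to see why the over-allocation is safe. Suggest `acebuf = (ace_t *) talloc_size(mem_ctx, sizeof(ace_t)*(naces+1)); /* +1: room for the inheritance ACE appended below */` so the two sites stay coupled if the append ever grows. zfs_process_smbacl begins and ends outside this hunk.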
> @@ -151,6 +153,13 @@ static bool zfs_process_smbacl(files_struct *fsp,
> SMB4ACL_T *smbacl)
> continue; /* don't add it !!! */
> }
> have_special_id = true;
> + if (acebuf[i].a_flags & ACE_FILE_INHERIT_ACE) {
> + have_file_inheritance_special_id = true;
> + }
> + if (acebuf[i].a_flags & ACE_DIRECTORY_INHERIT_ACE
> &&
> + !(acebuf[i].a_flags &
> ACE_NO_PROPAGATE_INHERIT_ACE)) {
> + have_dir_inheritance_special_id = true;
> + }
> }
> }
>
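Review bot: The new directory-inherit test excludes ACEs carrying ACE_NO_PROPAGATE_INHERIT_ACE, while the file-inherit test directly above it does not, and the asymmetry is not explained. As far as I understand ZFS inheritance, a `d`-flagged special-id ACE with `n` set is still inherited by the immediate child directory (only its inheritance flags are cleared there), so it would still suppress the kernel's mode-derived DENY entries on that child; if that is right, the `!(acebuf[i].a_flags & ACE_NO_PROPAGATE_INHERIT_ACE)` clause makes the hack append an extra ACE in a case that did not need one. Either drop the clause or add a comment stating why the no-propagate case must count as "no inheritable special-id ACE". zfs_process_smbacl begins and ends outside this hunk.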
> @@ -163,6 +172,31 @@ static bool zfs_process_smbacl(files_struct *fsp,
> SMB4ACL_T *smbacl)
>
> SMB_ASSERT(i == naces);
>
> + /* Solaris 10 hack: Append the non-effective ACE
> + * 'everyone@::fd:allow' if the specified ACL has no
> + * inheritance special id ACE.
> + *
> + * When a directory has no inheritance special id ACE
> + * (i.e., 'owner@', 'group@' and 'everyone@' with
> + * inheritance flags), a new file under the directory
> + * inherits the ACL with unexpected DENY special id
> + * ACEs. It is NOT compatible with Windows explorer
> + * ACL editor.
> + */
> + if ((!have_file_inheritance_special_id ||
> !have_dir_inheritance_special_id) &&
> + lp_parm_bool(fsp->conn->params->service, "zfsacl",
> + "force inheritance special id ace",
> + false)) {
> + acebuf[naces].a_type = ACE_ACCESS_ALLOWED_ACE_TYPE;
> + acebuf[naces].a_flags =
> + ACE_EVERYONE |
> + ACE_FILE_INHERIT_ACE |
> + ACE_DIRECTORY_INHERIT_ACE;
> + acebuf[naces].a_access_mask = 0;
> + acebuf[naces].a_who = 0;
> + naces++;
> + }
> +
> /* store acl */
> if(acl(fsp->fsp_name->base_name, ACE_SETACL, naces, acebuf)) {
> if(errno == ENOSYS) {
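Review bot: The comment above the appended ACE describes the Explorer symptom but not the side effect of the workaround itself, which the `ls -dV dir/foo` example in the reply shows: an inheritable `everyone@` ACE with an empty access mask makes the kernel skip its mode-derived owner@/group@/everyone@ entries, so a file created under such a directory ends up with mode `----------` and no ACE granting its owner anything unless an explicit inheritable ACE covers him. That is a loss of access for any local or NFSv3 creator and a behaviour change that only exists while `zfsacl:force inheritance special id ace` is on, so it belongs both in this comment and in the vfs_zfsacl documentation for the new parameter, e.g. `/* NOTE: the appended ACE grants nothing; a child whose ACL has no other inheritable ACE gets mode 000 and only explicit ACEs survive. */`. A second, minor point: the condition appends a full `fd` ACE whenever either flag is missing, which is harmless in effect but deserves a one-line note that the redundant `f` or `d` flag is intentional. zfs_process_smbacl begins outside this hunk.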
> --
> 1.7.9
>
>