mapping SYNCHRONIZE permission in NTFS ACL for ZFS

David Disseldorp ddiss at suse.de
Tue Jan 11 16:39:42 MST 2011


Hi Paul,

On Tue, 11 Jan 2011 13:35:19 -0800 (PST)
"Paul B. Henson" <henson at acm.org> wrote:
...
> I also noticed that whenever an acl is set from the windows side, it
> also includes the SYNCHRONIZE permission for all entries. That
> permission isn't listed in the GUI, although the command line icacls
> program allows you to control it. It seems SYNCHRONIZE more or less
> should always be on?

The synchronize permission is a member of all Windows access limitation
groups (Modify, Read & Execute, List Folder Content, Read and Write).
I've not seen any reason to disable it, though that doesn't mean that
nothing does.

See http://technet.microsoft.com/en-us/library/cc732880.aspx

> From MSDN:
> 
> "The Synchronize permission allows or denies different threads to
> wait on the handle for the file or folder and synchronize with
> another thread that may signal it. This permission applies only to
> multiple-threaded, multiple-process programs. "
> 
> On the other hand, the synchronize permission under zfs is:
> 
>      synchronize (s)         Permission to access file locally at
>                              server  with  synchronize  reads and
>                              writes.
> 
>                              Currently, this  permission  is  not
>                              supported.
> 
> Not only is this completely different, it's not even implemented 8-/.

This appears to be based on the original NFSv4 specification (rfc3530).
FWIW the proposed NFSv4.1 spec (rfc5661) uses a completely different
interpretation of the synchronize permission much closer in line with
the Windows definition:

         Permission to use the file object as a synchronization
         primitive for interprocess communication.  This permission is
         not enforced or interpreted by the NFSv4.1 server on behalf of
         the client.
> 
> I don't really want the zfs synchronize permission set on all my zfs
> stuff. It seems the best thing to do is to simply always flip that
> bit on when the acl is sent to windows, and always flip it off when a
> windows acl is written to a zfs object.
> 
> I wrote a simple patch to do so. Any feedback on whether this is a
> good solution, or recommendations on a better one, would be much
> appreciated.

This will not play nice with applications that explicitly disable the
synchronize permission.

Cheers, David
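
The round trip discussed in this message, as an added example that is not part of the original thread and is not the patch mentioned above. The helper names and the sample masks are constructed for illustration; it clears SYNCHRONIZE when a mask is written to ZFS, sets it when the mask is returned to Windows, and counts the entries whose mask the client would see changed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SYNCHRONIZE is bit 0x00100000 in the Windows access mask and in the
 * NFSv4 ACE mask (ACE4_SYNCHRONIZE). */
#define SYNC_BIT 0x00100000u

/* Hypothetical helper: mask written to a ZFS object, bit always cleared. */
static uint32_t nt_to_zfs_mask(uint32_t nt_mask)
{
    return nt_mask & ~SYNC_BIT;
}

/* Hypothetical helper: mask returned to Windows, bit always set. */
static uint32_t zfs_to_nt_mask(uint32_t zfs_mask)
{
    return zfs_mask | SYNC_BIT;
}

/* Store each client mask, read it back into seen[], and return how many
 * entries differ from what the client originally sent. */
static size_t roundtrip_changed(const uint32_t *sent, uint32_t *seen, size_t n)
{
    size_t changed = 0;
    for (size_t i = 0; i < n; i++) {
        seen[i] = zfs_to_nt_mask(nt_to_zfs_mask(sent[i]));
        if (seen[i] != sent[i])
            changed++;
    }
    return changed;
}

int main(void)
{
    /* Constructed sample masks: Read & Execute and Modify as Windows sends
     * them, then Read & Execute with SYNCHRONIZE explicitly removed. */
    const uint32_t sent[] = { 0x001200A9u, 0x001301BFu, 0x000200A9u };
    uint32_t seen[3];
    size_t changed = roundtrip_changed(sent, seen, 3);

    for (size_t i = 0; i < 3; i++)
        printf("sent 0x%08X  stored 0x%08X  seen 0x%08X\n", (unsigned)sent[i],
               (unsigned)nt_to_zfs_mask(sent[i]), (unsigned)seen[i]);
    printf("entries changed by the round trip: %zu\n", changed);
    return 0;
}
```

The two masks that already carry SYNCHRONIZE survive unchanged; the third, where the bit was deliberately left out, comes back with it set.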


More information about the samba-technical mailing list