[PATCH] zfsacl: Fix ACL behavior issues with vfs_zfsacl

Andrew Walker awalker at ixsystems.com
Sat May 11 19:19:48 UTC 2019


This patch addresses two problems that we've seen with ZFS / Samba users
for a while.

1) It's not possible in Windows Explorer to disable inheritance. I've
introduced a new zfsacl parameter "zfsacl:map_dacl_protected" to allow this.

2) If admins remove all special ACEs (owner@, group@, everyone@), then ZFS
will automatically append them to the ACL of newly created subdirectories /
files. In this case, it's just default ZFS inheritance behavior in the
absence of inheritable special entries. I've introduced a new parameter
"zfsacl:block_zfs_acl_chmod" to block this behavior. It does so by adding /
maintaining a hidden empty inheriting everyone@ ACL entry "everyone@
::fd:allow".

I believe they are both necessary to avoid POLA violations for Windows
admins, but have made them default to off (so that we don't affect the existing
install base). I'm happy to make any changes you suggest.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Fix-ACL-behavior-issues-with-vfs_zfsacl.patch
Type: application/octet-stream
Size: 4380 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20190511/04bc999b/Fix-ACL-behavior-issues-with-vfs_zfsacl.obj>

