[PATCH] zfsacl: Fix ACL behavior issues with vfs_zfsacl

Jeremy Allison jra at samba.org
Thu May 16 22:18:51 UTC 2019


On Sat, May 11, 2019 at 03:19:48PM -0400, Andrew Walker via samba-technical wrote:
> This patch addresses two problems that we've seen with ZFS / Samba users
> for a while.
> 1) It's not possible in Windows Explorer to disable inheritance. I've
> introduced a new zfsacl parameter "zfsacl:map_dacl_protected" to allow this.
> 
> 2) If admins remove all special aces (owner@, group@, everyone@), then ZFS
> will automatically append them to the ACL of newly created subdirectories /
> files. In this case, it's just default ZFS inheritance behavior in the
> absence of inheritable special entries. I've introduced a new parameter
> "zfsacl:block_zfs_acl_chmod" to block this behavior. It does so by adding /
> maintaining a hidden empty inheriting everyone@ ACL entry "everyone@
> ::fd:allow".
> 
> I believe they are both necessary to avoid POLA violations for Windows
> admins, but have made them default to off (so that we don't affect existing
> install base). I'm happy to make any changes you suggest.

Hi Andrew,

Thanks for this patch. I'm out for a week or so, but I'll
try and get to this once I'm back. In the meantime, feel
free to bug Ralph :-).

Cheers,

	Jeremy.


