[PATCH] zfsacl: Fix ACL behavior issues with vfs_zfsacl

Jeremy Allison jra at samba.org
Wed May 29 00:00:03 UTC 2019


On Mon, May 27, 2019 at 11:34:17AM +0200, Ralph Boehme via samba-technical wrote:
> Hi Andrew,
> 
> On 5/20/19 1:00 PM, Andrew Walker via samba-technical wrote:
>  > Thanks for the feedback and suggestions. I'll try to get this done this
> > week or next week. You are correct that ZFS has the  NFSv4.1 ACL flags, but
> > FreeBSD does not currently implement NFSv4.1 ACL inheritance. The
> > suggestion of just mapping what we receive over the wire is a good one. I
> > could probably do this for the case of Solaris and Illumos.
> > 
> > One possible alternative is that I could move this logic/lies to libsunacl
> > (the library that maps ZFS ACLs to FreeBSD ACLs) so that there won't be a
> > FreeBSD-specific parameter for vfs_zfsacl. In this case the only thing I
> > would need to add to fix disabling inheritance in samba is mapping the
> > NFSv4.1 ACL flags to control flags like gpfs does.
> > 
> > Let me know if you prefer the second approach.
> 
> Not sure if I like either of both. :)
> 
> Iirc the protected flag only comes to play client side, when Windows
> Explorer performs tree inheritance for new created ACEs. My NT ACL mind
> model is currently swapped out and not fully swapped back in, so I might
> be missing something. Jeremy?

No, I'm pretty sure you're correct there. You just need to
make sure you get it right on create.

> So basically the only thing you need to implement this in the filesystem
> is storing the flag, no need to attach any semantics to it in the
> filesystem. The chmod command could be updated to honor the flag when
> appyling ACL changes in directory tree mode, not sure if how GPFS
> handles this.
> 
> Christof do you know? I guess chmod on GPFS will ignore the protected flag.
> 
> So ideally we could convince the OpenZFS folks to add the flag and store
> it on disk. I'm still not convinced that setting the flag for any ACL
> that doesn't contain inheritable ACEs is a good idea.
> 
> Thoughts?
> -slow
> 
> -- 
> Ralph Boehme, Samba Team                https://samba.org/
> Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
> GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46

pub   RSA 2048/0FBC2354 2019-05-18 Ralph Boehme <slow at samba.org>
> sub   RSA 2048/F91FA2D5 2019-05-18
> 



More information about the samba-technical mailing list