mapping SYNCHRONIZE permission in NTFS ACL for ZFS

Jeremy Allison jra at samba.org
Tue Jan 11 16:56:26 MST 2011


On Wed, Jan 12, 2011 at 12:39:42AM +0100, David Disseldorp wrote:
> Hi Paul,
> 
> On Tue, 11 Jan 2011 13:35:19 -0800 (PST)
> "Paul B. Henson" <henson at acm.org> wrote:
> ...
> > I also noticed that whenever an acl is set from the windows side, it
> > also includes the SYNCHRONIZE permission for all entries. That
> > permission isn't listed in the GUI, although the command line icacls
> > program allows you to control it. It seems SYNCHRONIZE more or less
> > should always be on?
> 
> The synchronize permission is a member of all Windows access limitation
> groups (Modify, Read & Execute, List Folder Content, Read and Write).
> I've not seen any reason to disable it, though that does not mean that
> nothing does.
> 
> See http://technet.microsoft.com/en-us/library/cc732880.aspx
> 
> > From MSDN:
> > 
> > "The Synchronize permission allows or denies different threads to
> > wait on the handle for the file or folder and synchronize with
> > another thread that may signal it. This permission applies only to
> > multiple-threaded, multiple-process programs. "
> > 
> > On the other hand, the synchronize permission under zfs is:
> > 
> >      synchronize (s)         Permission to access file locally at
> >                              server  with  synchronize  reads and
> >                              writes.
> > 
> >                              Currently, this  permission  is  not
> >                              supported.
> > 
> > Not only is this completely different, it's not even implemented 8-/.
> 
> This appears to be based on the original NFSv4 specification (rfc3530).
> FWIW the proposed NFSv4.1 spec (rfc5661) uses a completely different
> interpretation of the synchronize permission much closer in line with
> the Windows definition:
> 
>          Permission to use the file object as a synchronization
>          primitive for interprocess communication.  This permission is
>          not enforced or interpreted by the NFSv4.1 server on behalf of
>          the client.
> > 
> > I don't really want the zfs synchronize permission set on all my zfs
> > stuff. It seems the best thing to do is to simply always flip that
> > bit on when the acl is sent to windows, and always flip it off when a
> > windows acl is written to a zfs object.
> > 
> > I wrote a simple patch to do so. Any feedback on whether this is a
> > good solution, or recommendations on a better one, would be much
> > appreciated.
> 
> This will not play nice with applications that explicitly disable the
> synchronize permission.

Actually I've yet to see any application do so - at least for file
permissions.

I'd probably recommend just always setting the SYNCHRONIZE_ACCESS
bit when returning an ACL from ZFS/NFSv4 within Samba, and just
ignoring whether it's set on or not on read.

Jeremy.
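
The mapping discussed in this thread, as an added example that is not part of the original message and is not Samba's code: the bit is stripped when a Windows ACL is stored on ZFS and reported again when the ACL is returned, and the store step counts the explicit denials that David's caveat is about. The `struct ace` layout, the function names and the choice to leave deny entries alone on return are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Windows SYNCHRONIZE and NFSv4 ACE4_SYNCHRONIZE share this bit value. */
#define SYNCHRONIZE_BIT 0x00100000u

/* Hypothetical, simplified ACE: no trustee and no inheritance flags. */
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; uint32_t mask; };

/* Windows -> ZFS: never store the bit. Returns how many deny entries lost
 * an explicit SYNCHRONIZE denial, so the caller can log that case. */
size_t acl_to_zfs(struct ace *acl, size_t n)
{
    size_t dropped_denies = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].type == ACE_DENY && (acl[i].mask & SYNCHRONIZE_BIT))
            dropped_denies++;
        acl[i].mask &= ~SYNCHRONIZE_BIT;
    }
    return dropped_denies;
}

/* ZFS -> Windows: report the bit on every allow entry, whatever is stored.
 * Assumption of this example: deny entries are left alone, because setting
 * the bit there would deny SYNCHRONIZE instead of granting it.
 * Returns the number of entries that were changed. */
size_t acl_to_windows(struct ace *acl, size_t n)
{
    size_t changed = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].type == ACE_ALLOW && !(acl[i].mask & SYNCHRONIZE_BIT)) {
            acl[i].mask |= SYNCHRONIZE_BIT;
            changed++;
        }
    }
    return changed;
}

int main(void)
{
    /* Constructed sample ACL as a Windows client might send it. */
    struct ace acl[] = { {ACE_ALLOW, 0x001200A9u}, {ACE_DENY, 0x00100002u} };
    size_t lost = acl_to_zfs(acl, 2);
    printf("stored:   %08x %08x (denials dropped: %zu)\n",
           (unsigned)acl[0].mask, (unsigned)acl[1].mask, lost);
    acl_to_windows(acl, 2);
    printf("returned: %08x %08x\n", (unsigned)acl[0].mask, (unsigned)acl[1].mask);
    return 0;
}
```

A non-zero return from `acl_to_zfs` marks an ACL whose explicit SYNCHRONIZE denial will not survive the round trip.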

