On 3/22/07, Mark Shellenbaum <[EMAIL PROTECTED]> wrote:
> > Please explain how. I've been trying to make this work for months with > no success. > > The business requirement is that all files in a directory hierarchy be > created > mode 660 - read and write by owner and primary group. How do I do > this? > # zfs set aclmode=passthrough <dataset> # mkdir dir.test # chmod A+group:<somegroup>:<desired perms>:fd:allow dir.test create files and directories under dir.test. This should allow anyone in the the desired group to read/write all files, and the passthrough of aclmode stops chmod(2) from prepending deny entries.
This fails in a number of ways. The apparent permissions do not show group write: -rw-r--r--+ 1 ptribble sysadmin 796 Mar 22 21:11 foo Related to this, if you transfer the files somewhere else that doesn't support these ACLs, then you lose the ACL protection and get the permission bits, which may well be incorrect. You have to specify the group. This isn't always viable. The requirement in at least some cases is that it is the user's primary group, and will vary between files and directories. Related to that, if you do a chgrp, the permissions don't get reset. The ACL isn't rewritten to change the name of the group. We need the ability for the ACL to apply to the owner and group owner of the file, not some named group. The file has an explicit ACL. That's not what we want. We just need the permissions set according to the rules defined in various policies. This leads to a number of other issues (in addition to the copy losing information as described above). Just because it has an ACL, rcp can't transfer it onto a non-ZFS filesystem: rcp bentley:/samba/peter/dir.test/foo . rcp: failed to set acl And foo doesn't get transferred at all, leading to data loss. Having an ACL makes it much harder to do an audit to verify that access is correctly controlled. Another interesting issue I just noticed in trying to work around the above problems is that find -acl doesn't give me the files - it only finds the top-level directory. This is for both zfs and ufs on S10U3 - it works fine for ufs on S10 FCS. It looks like we're between a rock and a hard place. We want to use ZFS for one project because of snapshots and data integrity - both would give us considerable advantages over ufs (not to mention filesystem size). Unfortunately, this is critical company data and the access control has to be exactly right all the time: the default ACLs as implemented in UFS are exactly what we need and work perfectly. My next question was going to be what the best way to transfer an existing set of data to zfs while preserving the ACLs, but it would appear that isn't even possible. -- -Peter Tribble http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/ _______________________________________________ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
