On Fri, Feb 20, 2009 at 2:59 PM, Darin Perusich
<darin.perus...@cognigencorp.com> wrote:
> Hello All,
>
> I'm in the process of migrating a file server from Solaris 9, where
> we're making extensive use of POSIX-ACLs, to ZFS and I have a question
> that I'm hoping someone can clear up for me. I'm using ufsrestore to
> restore the data to the ZFS file system so the ACLs are converted to
> NFSv4 style ACLs and everything looks good. But when I inspect the
> converted ZFS-ACLs it looks to me like there are additional and
> redundant ACLs, specifically those converted from the POSIX-ACL mask value.
>
> In the case I'm looking at the POSIX-ACL being converted on the
> directory is as follows:
>
> # file: test_dir1
> # owner: root
> # group: group_1
> user::rwx
> group::r-x              #effective:r-x
> group:group_2:r-x                #effective:r-x
> mask:rwx
> other:---
>
> Once the directory is restored to the ZFS file system the ACLs have been
> converted to the following:
>
> drwxr-x---+  2 root     group_1       2 Feb 20 15:00 test_dir1
>            owner@:rwxp-DaA--cC-s:------:allow
>            owner@:--------------:------:deny
>            group@:-------A---C--:------:deny
>            group@:r-x---a---c--s:------:allow
>      group:group_2:-------A---C--:------:deny
>      group:group_2:r-x---a---c--s:------:allow
>            group@:-w-p-D-A---C--:------:deny
>      group:group_2:-w-p-D-A---C--:------:deny
>         everyone@:------a---c--s:------:allow
>         everyone@:rwxp-D-A---C--:------:deny
>
> The ACLs that I'm questioning the need for are:
>
>        group@:-------A---C--:------:deny
>        group:group_2:-------A---C--:------:deny
>
> Wouldn't these 2 ACLs be covered by the other group deny ACLs?
>
>        group@:-------A---C--:------:deny
>        group@:-w-p-D-A---C--:------:deny
>        and
>        group:group_2:-------A---C--:------:deny
>        group:group_2:-w-p-D-A---C--:------:deny
>
> It would seem to me that the converted POSIX-ACL mask are unnecessary.
>
> Regards,
>
> --
> Darin Perusich
> Unix Systems Administrator
> Cognigen Corporation
> 395 Youngs Rd.
> Williamsville, NY 14221
> Phone: 716-633-3463
> Email: darin...@cognigencorp.com
> _______________________________________________
> zfs-discuss mailing list
> zfs-discuss@opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
>

Take a look at the aclmode and aclinherit properties of the filesystem
(they're in the zfs manpage).  I know I found the defaults to be
rather surprising (and was pulling what little hair I had out until I
discovered them when trying to get ACLs working on ZFS).
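The question in the original post can be checked mechanically. The following is an added example, not part of either message and not ZFS code: it parses the converted ACL from the post and reports which access decisions change when chosen entries are removed. The evaluation model (entries processed in order, the first matching entry that mentions a permission decides it, no match means deny) is a simplifying assumption, and the function names and requester list are constructed for illustration.

```python
# Added example: simplified NFSv4-style ACL evaluation (an assumption, not ZFS source).
# ACL text is copied from the post; the owning group is group_1 per the ls line.
ACL_TEXT = """\
owner@:rwxp-DaA--cC-s:------:allow
owner@:--------------:------:deny
group@:-------A---C--:------:deny
group@:r-x---a---c--s:------:allow
group:group_2:-------A---C--:------:deny
group:group_2:r-x---a---c--s:------:allow
group@:-w-p-D-A---C--:------:deny
group:group_2:-w-p-D-A---C--:------:deny
everyone@:------a---c--s:------:allow
everyone@:rwxp-D-A---C--:------:deny
"""
ALL_BITS = "rwxpdDaARWcCos"  # the 14 compact permission letters
OWNING_GROUP = "group_1"
# Constructed requesters: (label, is_owner, group memberships)
REQUESTERS = [
    ("owner", True, set()),
    ("group_1 member", False, {"group_1"}),
    ("group_2 member", False, {"group_2"}),
    ("member of both", False, {"group_1", "group_2"}),
    ("other", False, set()),
]

def parse_acl(text):
    """Return a list of (who, set_of_permission_letters, 'allow'|'deny')."""
    aces = []
    for line in text.split():
        who, perms, _flags, ace_type = line.rsplit(":", 3)
        aces.append((who, set(perms) - {"-"}, ace_type))
    return aces

def matches(who, is_owner, groups):
    if who == "owner@":
        return is_owner
    if who == "group@":
        return OWNING_GROUP in groups
    if who.startswith("group:"):
        return who.split(":", 1)[1] in groups
    return who == "everyone@"

def decide(aces, is_owner, groups, bit):
    """First matching ACE that mentions the bit decides; no match means deny."""
    for who, perms, ace_type in aces:
        if bit in perms and matches(who, is_owner, groups):
            return ace_type
    return "deny"

def changed_decisions(aces, drop):
    """(requester, bit) pairs whose outcome changes when ACEs at indexes in drop are removed."""
    kept = [ace for i, ace in enumerate(aces) if i not in drop]
    return [(label, bit) for label, is_owner, groups in REQUESTERS for bit in ALL_BITS
            if decide(aces, is_owner, groups, bit) != decide(kept, is_owner, groups, bit)]

if __name__ == "__main__":
    print(changed_decisions(parse_acl(ACL_TEXT), {2, 4}))  # the two ACEs the post asks about
```

Indexes 2 and 4 are the two `-------A---C--` deny entries from the post; an empty list means no decision changes for the listed requesters under this model, which says nothing about how `aclmode` or `aclinherit` rewrite the ACL on later `chmod` or file creation.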
