ZFS deletes ACLs when root edits a file
Andrew Leonard
lists at hurricane-ridge.com
Tue Jun 12 19:15:12 UTC 2012
On Tue, Jun 12, 2012 at 7:42 AM, Fabian Keil
<freebsd-listen at fabiankeil.de> wrote:
> Marc Peters <marc at mpeters.org> wrote:
>
>> I observed a strange behaviour when using ACLs on a ZFS filesystem.
>> When a file has ACLs set and is edited by a user, the ACLs get lost
>> when the file is edited and saved.
>>
>> How to repeat:
>>
>> > mount
>> /dev/aacd0s1a on / (ufs, local)
>> devfs on /dev (devfs, local, multilabel)
>> /dev/aacd0s1d on /var (ufs, local, soft-updates)
>> appdata on /appdata (zfs, local, nfsv4acls)
>> /dev/md0 on /appdata/www/cache (ufs, local, soft-updates)
>>
>> > ls -al
>> total 3
>> drwxr-xr-x 2 mpeters wheel 2 Jun 12 15:31 .
>> drwxr-xr-x 5 root wheel 5 Jun 12 15:29 ..
>> > touch test.file
>> > ls -al
>> total 4
>> drwxr-xr-x 2 mpeters wheel 3 Jun 12 15:32 .
>> drwxr-xr-x 5 root wheel 5 Jun 12 15:29 ..
>> -rw-r--r-- 1 mpeters wheel 0 Jun 12 15:32 test.file
>> > getfacl test.file
>> # file: test.file
>> # owner: mpeters
>> # group: wheel
>> owner@:rw-p--aARWcCos:------:allow
>> group@:r-----a-R-c--s:------:allow
>> everyone@:r-----a-R-c--s:------:allow
>> > setfacl -m user:nobody:rwx::allow test.file
>> > ls -al
>> total 4
>> drwxr-xr-x 2 mpeters wheel 3 Jun 12 15:32 .
>> drwxr-xr-x 5 root wheel 5 Jun 12 15:29 ..
>> -rw-r--r--+ 1 mpeters wheel 0 Jun 12 15:32 test.file
>> > getfacl test.file
>> # file: test.file
>> # owner: mpeters
>> # group: wheel
>> user:nobody:rwx-----------:------:allow
>> owner@:rw-p--aARWcCos:------:allow
>> group@:r-----a-R-c--s:------:allow
>> everyone@:r-----a-R-c--s:------:allow
>> > vim test.file
>> (do some editing here)
>> "test.file" 2 lines, 12 characters written
>> > ls -al
>> total 4
>> drwxr-xr-x 2 mpeters wheel 3 Jun 12 15:35 .
>> drwxr-xr-x 5 root wheel 5 Jun 12 15:29 ..
>> -rw-r--r-- 1 mpeters wheel 12 Jun 12 15:35 test.file
>> > getfacl test.file
>> # file: test.file
>> # owner: mpeters
>> # group: wheel
>> owner@:rw-p--aARWcCos:------:allow
>> group@:r-----a-R-c--s:------:allow
>> everyone@:r-----a-R-c--s:------:allow
>>
>> As you can see, the ACL for user nobody is gone.
>>
>> Is this behaviour intended?
>
> It is expected if vim replaced the original test.file
> with a modified file with the same name, instead of
> actually editing the original file directly.
>
> To confirm that this is happening you could truss
> vim or run "ls -i test.file" before and after using
> vim (this is probably less reliable, though).
>
> The ACLs shouldn't get lost if you really modify the
> original, for example with:
>
> echo blafasel >> test.file
Also, take a look at what you have the aclmode property set to on the
ZFS file system. If you have it set to "discard" and if vim makes a
chmod(2) call on the original file, then the ACL entries that do not
represent the mode of the file will be discarded.
-Andy
> Fabian
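
The "ls -i" check suggested in the thread, as an added example that is not part of the original messages: it contrasts an in-place append with a write-new-file-then-rename save and reports whether the name still points at the same inode. The function names, the temporary file name and the scratch directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: compare inode numbers before and after a save to tell an
# in-place write from a replace-by-rename. All names here are constructed.

# Print the inode number of a file (first field of `ls -i`).
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# Save strategy 1: append to the existing file, like the
# `echo blafasel >> test.file` suggested in the thread. Same inode.
save_in_place() {
    printf '%s\n' "$2" >> "$1"
}

# Save strategy 2: write a new file next to the original, then rename it
# over the original. The name now refers to a different inode, so ACL
# entries that were set on the old inode are not on it.
save_by_replace() {
    tmp="$1.tmp.$$"
    { cat "$1"; printf '%s\n' "$2"; } > "$tmp" && mv -f "$tmp" "$1"
}

# Run one save strategy on a file and print "in-place" or "replaced"
# depending on whether the inode number changed.
classify_save() {
    strategy=$1 file=$2
    before=$(inode_of "$file")
    "$strategy" "$file" "blafasel"
    after=$(inode_of "$file")
    if [ "$before" = "$after" ]; then echo in-place; else echo replaced; fi
}

# Demo in a scratch directory so no real file is touched.
run_demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/test.file"
    echo "append: $(classify_save save_in_place "$dir/test.file")"
    echo "rename: $(classify_save save_by_replace "$dir/test.file")"
    rm -rf "$dir"
}
run_demo
```

A changed inode number shows the file was replaced. An unchanged number is weaker evidence, because an editor that removes the old file before creating the new one can be handed the same inode number again.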