misc/174950: delete ZFS ACL have no effect
Sandra
littlesandra88 at gmail.com
Thu Jan 3 15:50:03 UTC 2013
>Number: 174950
>Category: misc
>Synopsis: delete ZFS ACL have no effect
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jan 03 15:50:03 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Sandra
>Release: 9
>Organization:
>Environment:
>Description:
The d ZFS ACL is supposed to give or deny permission to delete a file. It has no effect.
Below is the output from the script in "How to repeat the problem"; please notice:
* Even though www doesn't have delete permission and there is an explicit deny, rm was possible.
p="/tank/project1"
f="$p/test2"
u="user1"
rm -f $f
setfacl -b $p
setfacl -m group@::fd:allow $p || exit 1
setfacl -m everyone@::fd:allow $p || exit 1
setfacl -m owner@:rwx:fd:allow $p || exit 1
setfacl -m u:$u:full_set:fd:allow $p || exit 1
setfacl -m u:www:rwxa:fd:allow $p || exit 1
setfacl -m u:www:d:fd:deny $p || exit 1
getfacl $p
# file: /tank/project1
# owner: root
# group: wheel
user:www:-----d--------:fd----:deny
user:www:rwx---a-------:fd----:allow
user:user1:rwxpDdaARWcCos:fd----:allow
owner@:rwx-----------:fd----:allow
group@:--------------:fd----:allow
everyone@:--------------:fd----:allow
su -m $u -c "touch $f"
getfacl $f
# file: /tank/project1/test2
# owner: user1
# group: wheel
user:www:-----d--------:------:deny
user:www:rw----a-------:------:allow
user:user1:rw-pDdaARWcCos:------:allow
owner@:rw------------:------:allow
group@:--------------:------:allow
everyone@:--------------:------:allow
su -m www -c "ls -l $f"
ls: /tank/project1/test2: Permission denied
-rw------- 1 user1 wheel 0 Dec 19 14:23 /tank/project1/test2
su -m www -c "rm $f"
ls -l $f
ls: /tank/project1/test2: No such file or directory
>How-To-Repeat:
p="/tank/project1"
f="$p/test2"
u="user1"
rm -f $f
setfacl -b $p
setfacl -m group@::fd:allow $p || exit 1
setfacl -m everyone@::fd:allow $p || exit 1
setfacl -m owner@:rwx:fd:allow $p || exit 1
setfacl -m u:$u:full_set:fd:allow $p || exit 1
setfacl -m u:www:rwxa:fd:allow $p || exit 1
setfacl -m u:www:d:fd:deny $p || exit 1
getfacl $p
su -m $u -c "touch $f"
getfacl $f
su -m www -c "ls -l $f"
su -m www -c "rm $f"
ls -l $f
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
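As an added example (not part of this report and not FreeBSD code), the Python below parses the getfacl output quoted in the report and evaluates it in NFSv4 first-match order for a given user, so what the ACL itself says can be checked before the file system is blamed. It deliberately collects the inputs that feed a delete decision (the file's own d bit, and the parent directory's D, w and x bits) rather than returning a verdict, because how ZFS combines those inputs is exactly what the report disputes. The group memberships of www and user1, and the Principal, evaluate and delete_audit names, are assumptions of this example.

```python
"""Parse FreeBSD getfacl(1) NFSv4 ACL output and evaluate it for a principal.

Added example for this bug report, not FreeBSD code. The two sample ACLs are
the getfacl output quoted in the report; group memberships are assumed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

PERM_LETTERS = "rwxpDdaARWcCos"  # getfacl permission column order (setfacl(1))
FLAG_LETTERS = "fdinSFI"         # inheritance/audit flag column order


@dataclass(frozen=True)
class Ace:
    tag: str               # user, group, owner@, group@ or everyone@
    who: Optional[str]     # name for user/group entries, else None
    perms: FrozenSet[str]  # permission letters present in the entry
    flags: FrozenSet[str]  # flag letters present in the entry
    kind: str              # allow or deny


@dataclass(frozen=True)
class Principal:
    name: str
    groups: FrozenSet[str]  # assumed group memberships


def _letters(field: str, order: str) -> FrozenSet[str]:
    """Turn a positional field like 'rwx---a-------' into its set of letters."""
    if len(field) > len(order):
        raise ValueError(f"field too long: {field!r}")
    for pos, ch in enumerate(field):
        if ch != "-" and ch != order[pos]:
            raise ValueError(f"unexpected {ch!r} at column {pos} in {field!r}")
    return frozenset(ch for ch in field if ch != "-")


def parse_getfacl(text: str) -> Tuple[Dict[str, str], List[Ace]]:
    """Return (metadata, entries): '# key: value' lines become metadata,
    every other non-blank line is one ACE, kept in evaluation order."""
    meta: Dict[str, str] = {}
    aces: List[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            meta[key.strip()] = value.strip()
            continue
        parts = line.split(":")
        if len(parts) == 5:      # user:NAME:perms:flags:kind
            tag, who, perms, flags, kind = parts
        elif len(parts) == 4:    # owner@:perms:flags:kind
            tag, perms, flags, kind = parts
            who = None
        else:
            raise ValueError(f"unrecognised ACL entry: {line!r}")
        if kind not in ("allow", "deny") or len(perms) != len(PERM_LETTERS):
            raise ValueError(f"unrecognised ACL entry: {line!r}")
        aces.append(Ace(tag, who, _letters(perms, PERM_LETTERS),
                        _letters(flags, FLAG_LETTERS), kind))
    return meta, aces


def applies(ace: Ace, who: Principal, owner: str, group: str) -> bool:
    """Does this entry apply to `who` for an object owned by owner:group?"""
    if "i" in ace.flags:            # inherit_only: not used for the object itself
        return False
    if ace.tag == "everyone@":
        return True
    if ace.tag == "owner@":
        return who.name == owner
    if ace.tag == "group@":
        return group in who.groups
    if ace.tag == "user":
        return ace.who == who.name
    if ace.tag == "group":
        return ace.who in who.groups
    raise ValueError(f"unknown tag {ace.tag!r}")


def evaluate(acl, who: Principal, wanted: str) -> Dict[str, Optional[str]]:
    """NFSv4 first-match evaluation: the first applicable entry that mentions a
    still-undecided bit decides it. Bits no entry mentions stay None (the file
    system treats that as deny, but for auditing 'unspecified' is worth seeing)."""
    meta, aces = acl
    decision: Dict[str, Optional[str]] = {bit: None for bit in wanted}
    for ace in aces:
        if not applies(ace, who, meta["owner"], meta["group"]):
            continue
        for bit in wanted:
            if decision[bit] is None and bit in ace.perms:
                decision[bit] = ace.kind
    return decision


def delete_audit(parent_acl, file_acl, who: Principal) -> Dict[str, Optional[str]]:
    """Collect the ACL facts a delete decision is built from: the file's 'd'
    and the parent's 'D', 'w' and 'x'. No verdict: which of these the file
    system honours is the question the report raises."""
    return {
        "file_delete": evaluate(file_acl, who, "d")["d"],
        "parent_delete_child": evaluate(parent_acl, who, "D")["D"],
        "parent_write_data": evaluate(parent_acl, who, "w")["w"],
        "parent_execute": evaluate(parent_acl, who, "x")["x"],
    }


# Sample input: the two getfacl listings quoted in the report.
PARENT_ACL = parse_getfacl("""
# file: /tank/project1
# owner: root
# group: wheel
user:www:-----d--------:fd----:deny
user:www:rwx---a-------:fd----:allow
user:user1:rwxpDdaARWcCos:fd----:allow
owner@:rwx-----------:fd----:allow
group@:--------------:fd----:allow
everyone@:--------------:fd----:allow
""")
FILE_ACL = parse_getfacl("""
# file: /tank/project1/test2
# owner: user1
# group: wheel
user:www:-----d--------:------:deny
user:www:rw----a-------:------:allow
user:user1:rw-pDdaARWcCos:------:allow
owner@:rw------------:------:allow
group@:--------------:------:allow
everyone@:--------------:------:allow
""")
WWW = Principal("www", frozenset({"www"}))        # assumed groups
USER1 = Principal("user1", frozenset({"user1"}))  # assumed groups

if __name__ == "__main__":
    for p in (WWW, USER1):
        print(p.name, delete_audit(PARENT_ACL, FILE_ACL, p))
```

For www the audit reports file_delete "deny", parent_delete_child unspecified, and parent_write_data and parent_execute "allow": the file's ACL denies d exactly as the report says, while the inherited rwx on /tank/project1 grants the directory rights that POSIX-style unlink semantics would require. When auditing who can remove a file on such a dataset, check the parent directory's entries for the principal as well as the file's own d bit.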