zfs - no access to a Mac OS X zfs pool without root privileges
Boris Kotzev
boris.kotzev at gmail.com
Fri Aug 8 13:00:55 UTC 2008
On Friday 08 August 2008 06:39:02 you wrote:
> On Thu, Aug 07, 2008 at 08:40:55PM +0300, Boris Kotzev wrote:
> > On Thursday 07 August 2008 19:55:02 Jeremy Chadwick wrote:
> > > On Thu, Aug 07, 2008 at 07:25:45PM +0300, Boris Kotzev wrote:
> > > > Hello,
> > > >
> > > > I used the zfs port to Mac OS X (http://zfs.macosforge.org)
> > > > to create a storage pool under Mac OS X. The pool can be
> > > > imported successfully under FreeBSD:
> > > >
> > > > root:~-114# zpool import macpool
> > > > root:~-115# zpool list macpool
> > > > NAME SIZE USED AVAIL CAP HEALTH ALTROOT
> > > > macpool 6,94G 510K 6,94G 0% ONLINE -
> > > > root:~-116# zfs list macpool
> > > > NAME USED AVAIL REFER MOUNTPOINT
> > > > macpool 474K 6,83G 308K /macpool
> > > >
> > > > and is fully accessible to the root user:
> > > >
> > > > root:~-118# id
> > > > uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
> > > > root:~-119# ls -ld /macpool
> > > > drwxr-xr-x 7 root wheel 8 7 ??? 16:59 /macpool
> > > > root:~-120# ls -l /macpool
> > > > total 43
> > > > drwx------ 3 root wheel 3 7 ??? 16:31 .Spotlight-V100
> > > > -rw-r--r-- 1 root wheel 35014 7 ??? 16:31 .VolumeIcon.icns
> > > > drwx------ 2 root wheel 4 7 ??? 16:32 .fseventsd
> > > > drwxr-xr-x 2 root wheel 2 7 ??? 16:59 backup
> > > > drwxr-xr-x 2 root wheel 2 7 ??? 16:59 downloads
> > > > drwxr-xr-x 2 root wheel 2 7 ??? 16:58 music
> > > >
> > > > According to the file permissions on /macpool (drwxr-xr-x),
> > > > anyone should have read access to it. This is not the case
> > > > though:
> > > >
> > > > root:~-121# su user
> > > > % id
> > > > uid=1003(user) gid=1003(user) groups=1003(user),0(wheel),5(operator)
> > > > % ls -l /macpool
> > > > ls: /macpool: Permission denied
> > > > % cd /macpool
> > > > /macpool: Permission denied.
> > > >
> > > > Is this a bug, or is there some way to get access to /macpool
> > > > as an ordinary user?
> > > >
> > > > The pool was created under version zfs-119 of the Mac OS X
> > > > port; the FreeBSD version is:
> > > >
> > > > root:~-122# uname -a
> > > > FreeBSD xxxx 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Sat Aug 2
> > > > 14:19:33 EEST 2008 root at xxxx:/usr/obj/usr/src/sys/MACBOOK
> > > > amd64
> > > >
> > > > with the latest zfs patch, but the problem was also present
> > > > before applying the patch.
> > >
> > > As root, what does "zfs get all macpool" return on FreeBSD?
> >
> > root@:~-116# zfs get all macpool
> > NAME PROPERTY VALUE SOURCE
> > macpool type filesystem -
> > macpool creation ?? ??? 7 16:31 2008 -
> > macpool used 474K -
> > macpool available 6,83G -
> > macpool referenced 308K -
> > macpool compressratio 1.00x -
> > macpool mounted yes -
> > macpool quota none default
> > macpool reservation none default
> > macpool recordsize 128K default
> > macpool mountpoint /macpool default
> > macpool sharenfs off default
> > macpool checksum on default
> > macpool compression off default
> > macpool atime on default
> > macpool devices on default
> > macpool exec on default
> > macpool setuid on default
> > macpool readonly off default
> > macpool jailed off default
> > macpool snapdir hidden default
> > macpool aclmode groupmask default
> > macpool aclinherit restricted default
> > macpool canmount on default
> > macpool shareiscsi off default
> > macpool xattr off temporary
> > macpool copies 1 default
> > macpool version 1 -
> > macpool utf8only off -
> > macpool normalization none -
> > macpool casesensitivity sensitive -
> > macpool vscan off default
> > macpool nbmand off default
> > macpool sharesmb off default
> > macpool refquota none default
> > macpool refreservation none default
>
> It's interesting to note that your filesystem has a significantly
> larger number of properties returned than mine. I wonder if the
> ZFS code has support for those properties on FreeBSD, but they
> simply aren't listed. Or maybe the patch you're using adds all of
> them? I don't know.
>
The extra properties appeared after applying the ZFS patches. The
newer versions of zfs and zpool exhibit more properties than zpool
version 6 and zfs version 1:
% zpool upgrade -v
This system is currently running ZFS pool version 11.
The following versions are supported:
VER DESCRIPTION
--- --------------------------------------------------------
1 Initial ZFS version
2 Ditto blocks (replicated metadata)
3 Hot spares and double parity RAID-Z
4 zpool history
5 Compression using the gzip algorithm
6 bootfs pool property
7 Separate intent log devices
8 Delegated administration
9 refquota and refreservation properties
10 Cache devices
11 Improved scrub performance
For more information on a particular version, including supported
releases, see:
http://www.opensolaris.org/os/community/zfs/version/N
Where 'N' is the version number.
% zfs upgrade -v
The following filesystem versions are supported:
VER DESCRIPTION
--- --------------------------------------------------------
1 Initial ZFS filesystem version
2 Enhanced directory entries
3 Case insensitive and File system unique identifer (FUID)
For more information on a particular version, including supported
releases, see:
http://www.opensolaris.org/os/community/zfs/version/zpl/N
Where 'N' is the version number.
> Anyway, the property that may be relevant is aclinherit. The
> zfs(1) manpage on FreeBSD makes no mention of what "restricted"
> means for property "aclinherit". I believe it may be the source of
> the problem.
This property has different values under FreeBSD and Mac OS X. It is
shown as "secure" in Mac OS X:
sh-3.2# zfs get aclinherit macpool
NAME PROPERTY VALUE SOURCE
macpool aclinherit secure default
It is not possible to change the value under FreeBSD:
root@:/-112# zfs set aclinherit=discard macpool
property 'aclinherit' not supported on FreeBSD: permission denied
I set the value under Mac OS X to "discard" but the change did not
seem to make any difference.
>
> A ZFS filesystem made on FreeBSD has a different value for that
> property. I explicitly enabled compression on the below fs, BTW,
> which is why that value is not the default value:
>
> NAME PROPERTY VALUE SOURCE
> storage type filesystem -
> storage creation Sun May 25 19:33 2008 -
> storage used 183G -
> storage available 730G -
> storage referenced 183G -
> storage compressratio 1.02x -
> storage mounted yes -
> storage quota none default
> storage reservation none default
> storage recordsize 128K default
> storage mountpoint /storage default
> storage sharenfs off default
> storage checksum on default
> storage compression on local
> storage atime off local
> storage devices on default
> storage exec on default
> storage setuid on default
> storage readonly off default
> storage jailed off default
> storage snapdir hidden default
> storage aclmode groupmask default
> storage aclinherit secure default
> storage canmount on default
> storage shareiscsi off default
> storage xattr off temporary
> storage copies 1 default
It is also possible to import a pool created under FreeBSD to Mac OS X
but whenever I write to the pool in Mac OS X and then try to read the
entries in FreeBSD, I encounter the same problem: the entries created
under Mac OS X are accessible by the root user only.
I also noticed that all entries in a FreeBSD pool acquired ACLs in
Mac OS X. For example the etc directory of FreeBSD has the following
ACL in Mac OS X:
sh-3.2# ls -lde etc
drwxr-xr-x+ 19 root wheel 122 7 Авг 18:39 etc
0: group:nogroup deny
This ACL looks suspicious to me though when I compare it to the ACLs
on the Mac OS X hfs+ volume:
sh-3.2# ls -lde /Applications
drwxrwxr-x+ 49 root admin 1666 6 Авг 21:27 /Applications
0: group:everyone deny delete
Can the problem be related to the fact that I run the AMD 64 version
of FreeBSD?
Thanks,
Boris Kotzev
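
Added example, not part of the original message or of any ZFS port: a small Python check that takes one `ls -ld` line and one `id` line like those quoted above, works out which permission class the classic Unix mode check would apply, and flags the case where the observed result contradicts it. The sample lines are constructed from the output in the message (month name normalised); the function names are hypothetical.

```python
import re

# Constructed from the output quoted in the message (month name normalised).
LS_FREEBSD = "drwxr-xr-x  7 root  wheel  8 Aug  7 16:59 /macpool"
LS_MACOSX = "drwxr-xr-x+ 19 root  wheel  122 Aug  7 18:39 etc"
ID_USER = "uid=1003(user) gid=1003(user) groups=1003(user),0(wheel),5(operator)"

def parse_id(line):
    """Return (user name, set of group names) from one line of `id` output."""
    user = re.search(r"uid=\d+\(([^)]+)\)", line).group(1)
    names = re.findall(r"\d+\(([^)]+)\)", line.split(" ", 1)[1])
    return user, set(names)

def parse_ls(line):
    """Return (10-char mode, ACL marker present, owner, group) from `ls -ld`."""
    fields = line.split()
    return fields[0][:10], fields[0][10:] == "+", fields[2], fields[3]

def applicable_class(ls_line, id_line):
    """Pick the owner/group/other triplet the classic mode check would use.

    Names are compared as printed; uid 0 is not special-cased.
    """
    user, groups = parse_id(id_line)
    mode, _, owner, group = parse_ls(ls_line)
    if user == owner:
        return mode[1:4]
    if group in groups:
        return mode[4:7]
    return mode[7:10]

def diagnose(ls_line, id_line, observed_denied):
    """Compare what the mode bits predict with what was actually observed."""
    triplet = applicable_class(ls_line, id_line)
    # Listing a directory needs read and search; s/t mean x plus a special bit.
    predicted = triplet[0] == "r" and triplet[2] in "xst"
    return {
        "class_bits": triplet,
        "mode_allows_listing": predicted,
        "acl_marker": parse_ls(ls_line)[1],
        # True when the mode bits and the observed result disagree.
        "mismatch": predicted == observed_denied,
    }

if __name__ == "__main__":
    print(diagnose(LS_FREEBSD, ID_USER, observed_denied=True))
```

A `mismatch` of true means the access decision is being made by something the mode string does not show, so the next thing to inspect is whatever `ls -lde` or the platform's ACL tool reports for the entry.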
More information about the freebsd-fs
mailing list