8-stable ZFS ACL (NFSv4): Access disallowed when it should be by inheritance

Eugene M. Kim 20080111.freebsd.org at ab.ote.we.lv
Fri Apr 30 23:43:59 UTC 2010


Greetings,

I am experimenting with NFSv4 ACLs on ZFS, and am baffled by the
following behavior:

--- BEGIN TRANSCRIPT ---
purple# uname -a
FreeBSD purple.the-7.net 8.0-STABLE FreeBSD 8.0-STABLE #1: Mon Mar 29 19:22:00 PDT 2010     ab at purple.the-7.net:/home/FreeBSD/build/RELENG_8/obj/home/FreeBSD/build/RELENG_8/src/sys/PURPLE  i386
purple# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
purple# ls -ld .
drwxr-xr-x  2 root  wheel  2 Apr 30 16:15 .
purple# getfacl .
# file: .
# owner: root
# group: wheel
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow
purple# setfacl -a0 user:ab:rwxpRWcs:fi:allow .
purple# getfacl .
# file: .
# owner: root
# group: wheel
           user:ab:rwxp----RWc--s:f-i---:allow
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow
purple# touch root-f
purple# ls -ld root-f
-rw-r--r--+ 1 root  wheel  0 Apr 30 16:16 root-f
purple# getfacl root-f
# file: root-f
# owner: root
# group: wheel
           user:ab:-wxp----------:------:deny
           user:ab:rwxp----RWc--s:------:allow
            owner@:--x-----------:------:deny
            owner@:rw-p---A-W-Co-:------:allow
            group@:-wxp----------:------:deny
            group@:r-------------:------:allow
         everyone@:-wxp---A-W-Co-:------:deny
         everyone@:r-----a-R-c--s:------:allow
purple# sudo -u ab cat root-f
purple# sudo -u ab touch root-f
touch: root-f: Permission denied
purple# sudo -u ab ./root-f
sudo: ./root-f: command not found
purple#
--- END TRANSCRIPT ---

The intention here is to allow reading, writing, appending to and executing
files created under the current directory (root:wheel 0755).  However, as seen
in the third getfacl output, the ACL of the created file (root-f) contains not
only the inherited ACE (user:ab:rwxpRWcs::allow) but also another ACE
(user:ab:wxp::deny) placed before the inherited ACE, which causes touch(1) on,
and execution of, the created file to fail.

Why does this happen?

Regards,
Eugene
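
The post's transcript can be reproduced by hand with a small model of NFSv4 ACL evaluation. What follows is an added example, not code from the post and not ZFS's own implementation: the two ACLs are copied verbatim from the getfacl(1) output above, check_access() walks them with the standard NFSv4 rule (the first applicable ACE that mentions a requested bit decides that bit), and inherit_for_file() is an assumed rule, chosen only because it reproduces the file ACL in the transcript: the inherited allow ACE's rwxp bits are masked against the group class of the create mode 0644 (0666 with the default umask), and the withheld bits become a deny ACE in front of it. Further assumptions: user ab is a member of no group except its own, and touch(1) on the existing file is taken to need write_data (w).

```python
# Added example (not from the original post, not ZFS code).  ACL text is copied
# from the post's getfacl(1) output; inherit_for_file() is an ASSUMED model.
from dataclasses import dataclass

# Permission letters in the order FreeBSD getfacl(1) prints them: read_data,
# write_data, execute, append, delete, delete_child, read_attrs, write_attrs,
# read_xattr, write_xattr, read_acl, write_acl, write_owner, synchronize.
PERM_LETTERS = "rwxpdDaARWcCos"

# Copied from the post: the directory after setfacl, and the file created in it.
DIR_ACL = """
user:ab:rwxp----RWc--s:f-i---:allow
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
"""
FILE_ACL = """
user:ab:-wxp----------:------:deny
user:ab:rwxp----RWc--s:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
"""

@dataclass(frozen=True)
class Ace:
    who: str          # "user:ab", "group:wheel", "owner@", "group@", "everyone@"
    perms: frozenset  # subset of PERM_LETTERS
    flags: frozenset  # inheritance flags, e.g. {"f", "i"}
    kind: str         # "allow" or "deny"

def parse_acl(text):
    """Turn getfacl(1) output lines into an ordered list of Ace objects."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        who, perms, flags, kind = line.rsplit(":", 3)  # rsplit: "user:ab" has a colon
        aces.append(Ace(who, frozenset(perms) - {"-"}, frozenset(flags) - {"-"}, kind))
    return aces

def ace_applies(ace, user, groups, owner, group):
    """Does this ACE match requester `user` (in `groups`) on an owner:group object?"""
    if ace.who == "owner@":
        return user == owner
    if ace.who == "group@":
        return group in groups
    if ace.who == "everyone@":
        return True
    kind, name = ace.who.split(":", 1)
    return name == user if kind == "user" else name in groups

def check_access(aces, wanted, user, groups, owner, group):
    """NFSv4 evaluation: walk the ACL in order; the first applicable ACE that
    mentions a requested bit decides it; bits no ACE mentions are denied."""
    decisions = {}
    for ace in aces:
        if ace_applies(ace, user, groups, owner, group):
            for bit in ace.perms & frozenset(wanted):
                decisions.setdefault(bit, ace.kind)
    return all(decisions.get(b) == "allow" for b in wanted), decisions

def ab_can(acl_text, bits):
    """User ab (assumed member of group ab only) against a root:wheel object."""
    return check_access(parse_acl(acl_text), bits, "ab", {"ab"}, "root", "wheel")[0]

def inherit_for_file(dir_aces, mode=0o644):
    """ASSUMED model that reproduces the transcript (not ZFS's code): keep the
    ACEs flagged file_inherit ("f"); mask each inherited allow ACE's rwxp bits
    against the class of the create mode (owner@ -> owner bits, everyone@ ->
    other bits, named users/groups and group@ -> group bits); withheld bits
    become a deny ACE placed right before the inherited allow ACE."""
    cls = {"owner@": (mode >> 6) & 7, "everyone@": mode & 7}
    out = []
    for ace in dir_aces:
        if "f" not in ace.flags:
            continue
        if ace.kind == "allow":
            bits = cls.get(ace.who, (mode >> 3) & 7)
            permitted = {l for l, b in (("r", 4), ("w", 2), ("x", 1)) if bits & b}
            if "w" in permitted:
                permitted.add("p")  # append_data is granted alongside write_data
            withheld = frozenset(b for b in "rwxp" if b in ace.perms and b not in permitted)
            if withheld:
                out.append(Ace(ace.who, withheld, frozenset(), "deny"))
        out.append(Ace(ace.who, ace.perms, frozenset(), ace.kind))
    return out

def summarize(aces):
    return [(a.who, "".join(sorted(a.perms)), a.kind) for a in aces]

if __name__ == "__main__":
    for bits, op in (("r", "cat"), ("w", "touch"), ("x", "execute")):
        ok, why = check_access(parse_acl(FILE_ACL), bits, "ab", {"ab"}, "root", "wheel")
        print(f"{op:8s} needs {bits}: {'allowed' if ok else 'denied'} {why}")
    print("model predicts:", summarize(inherit_for_file(parse_acl(DIR_ACL))))
    print("post shows:    ", summarize(parse_acl(FILE_ACL)[:2]))
```

Running it shows the same outcome as the transcript: read is decided by the inherited allow ACE (cat works), but write, append and execute hit the prepended user:ab deny first, so touch(1) and execution fail; dropping that single deny ACE would let the allow ACE grant write. The model also makes the mode dependence visible: with a create mode of 0664 only x would be withheld, and with 0777 no deny ACE would be generated at all. Whether ZFS applies exactly this masking, and which dataset property (aclinherit/aclmode) controls it on this system, is not something the post establishes; the model only shows why the observed ACL denies what it denies.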