ZFS ACL usage question

Andriy Gapon avg at icyb.net.ua
Tue Mar 9 15:28:40 UTC 2010 

I have a usage question on ZFS ACL.
Perhaps it's something trivial that should have been asked on questions@,
apologies in that case.

Let's say for simplicity that I want some directory to be equally shared by two
users.  Both should have full access and new files created by one user should
still be fully accessible by the other.
I can't seem to be able to configure AСLs to get that.

Let's say the users are user1 and user2.
The original directory is owned by user1:
$ ls -ld ~/testdir
drwxrwxr-x+ 22 user1  group0  26  9 Mar 13:01 /home/user1/testdir

I then issue the following commands:
$ setfacl -b -m user:user1:rwxAWCo:fd:allow ~/testdir
$ setfacl -m user:user1::fd:deny ~/testdir
$ setfacl -m user:user2:rwxAWCo:fd:allow ~/testdir
$ setfacl -m user:user2::fd:deny ~/testdir
$ getfacl ~/testdir
# file: /home/user1/testdir
# owner: user1
# group: group0
        user:user2:--------------:fd----:deny
        user:user2:rwx----A-W-Co-:fd----:allow
          user:user1:--------------:fd----:deny
          user:user1:rwx----A-W-Co-:fd----:allow
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:--------------:------:deny
            group@:rwxp----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow

Then I create a new file as user1 like this (umask is set to 022):
$ touch ~/testdir/test
$ ls -ld ~/testdir/test
-rw-r--r--+ 1 user1  group0  0  9 Mar 13:01 /home/user1/testdir/test
$ getfacl ~/testdir/test
# file: /home/user1/testdir/test
# owner: user1
# group: group0
        user:user2:--------------:------:deny
        user:user2:-wx-----------:------:deny
        user:user2:rwx----A-W----:------:allow
          user:user1:--------------:------:deny
          user:user1:--x-----------:------:deny
          user:user1:rwx----A-W----:------:allow
            owner@:--x-----------:------:deny
            owner@:rw-p---A-W-Co-:------:allow
            group@:-wxp----------:------:deny
            group@:r-------------:------:allow
         everyone@:-wxp---A-W-Co-:------:deny
         everyone@:r-----a-R-c--s:------:allow


So now there two deny entries for both users and one of them makes sure that user2
can not modify the file.
What am I doing wrong? :-)

-- 
Andriy Gapon

More information about the freebsd-fs mailing list