ZFS deletes ACLs when root edits a file

Fabian Keil freebsd-listen at fabiankeil.de
Tue Jun 12 14:45:46 UTC 2012


Marc Peters <marc at mpeters.org> wrote:

> I observed a strange behaviour when using ACLs on a ZFS filesystem.
> When a file has ACLs set and is edited by a user, the ACLs get lost
> when the file is edited and saved.
> 
> How to repeat:
> 
> > mount
> /dev/aacd0s1a on / (ufs, local)
> devfs on /dev (devfs, local, multilabel)
> /dev/aacd0s1d on /var (ufs, local, soft-updates)
> appdata on /appdata (zfs, local, nfsv4acls)
> /dev/md0 on /appdata/www/cache (ufs, local, soft-updates)
> 
> > ls -al
> total 3
> drwxr-xr-x  2 mpeters  wheel  2 Jun 12 15:31 .
> drwxr-xr-x  5 root     wheel  5 Jun 12 15:29 ..
> > touch test.file
> > ls -al
> total 4
> drwxr-xr-x  2 mpeters  wheel  3 Jun 12 15:32 .
> drwxr-xr-x  5 root     wheel  5 Jun 12 15:29 ..
> -rw-r--r--  1 mpeters  wheel  0 Jun 12 15:32 test.file
> > getfacl test.file
> # file: test.file
> # owner: mpeters
> # group: wheel
>             owner@:rw-p--aARWcCos:------:allow
>             group@:r-----a-R-c--s:------:allow
>          everyone@:r-----a-R-c--s:------:allow
> > setfacl -m user:nobody:rwx::allow test.file
> > ls -al
> total 4
> drwxr-xr-x  2 mpeters  wheel  3 Jun 12 15:32 .
> drwxr-xr-x  5 root     wheel  5 Jun 12 15:29 ..
> -rw-r--r--+ 1 mpeters  wheel  0 Jun 12 15:32 test.file
> > getfacl test.file
> # file: test.file
> # owner: mpeters
> # group: wheel
>        user:nobody:rwx-----------:------:allow
>             owner@:rw-p--aARWcCos:------:allow
>             group@:r-----a-R-c--s:------:allow
>          everyone@:r-----a-R-c--s:------:allow
> > vim test.file
> (do some editing here)
> "test.file" 2 lines, 12 characters written
> > ls -al
> total 4
> drwxr-xr-x  2 mpeters  wheel   3 Jun 12 15:35 .
> drwxr-xr-x  5 root     wheel   5 Jun 12 15:29 ..
> -rw-r--r--  1 mpeters  wheel  12 Jun 12 15:35 test.file
> > getfacl test.file
> # file: test.file
> # owner: mpeters
> # group: wheel
>             owner@:rw-p--aARWcCos:------:allow
>             group@:r-----a-R-c--s:------:allow
>          everyone@:r-----a-R-c--s:------:allow
> 
> As you can see, the ACL for user nobody is gone.
> 
> Is this behaviour intended?

It is expected if vim replaced the original test.file
with a modified file with the same name, instead of
actually editing the original file directly.

To confirm that this is happening you could truss
vim or run "ls -i test.file" before and after using
vim (this is probably less reliable, though).

The ACLs shouldn't get lost if you really modify the
original, for example with:

echo blafasel >> test.file

Fabian
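
The inode check suggested in the reply, as an added example that is not part of the original message. It contrasts an appending write with a save that writes a new file and renames it over the old name (an assumed model of what the editor did; all function names are illustrative), and warns when the getfacl output changes.

```shell
#!/bin/sh
# Added example (not from the thread): tell an in-place write from a
# replace-by-rename save by comparing inode numbers before and after.

# "ls -i" prints "<inode> <name>"; keep only the inode number.
inode_of() { ls -i "$1" | awk '{print $1}'; }

# ACL entries without the "# file/owner/group" header; empty if no getfacl.
acl_of() {
    command -v getfacl >/dev/null 2>&1 || return 0
    getfacl "$1" 2>/dev/null | grep -v '^#' || true
}

# Appends to the existing file, like "echo blafasel >> test.file".
save_in_place() { echo "$2" >> "$1"; }

# Assumed editor-style save: write a new file, then rename it over the
# old name. The new inode does not automatically carry ACL entries that
# were set on the old one.
save_by_rename() {
    tmp="$1.tmp.$$"
    { cat "$1"; echo "$2"; } > "$tmp" && mv "$tmp" "$1"
}

# Run one save function on a file; print "same" or "replaced" and warn
# on stderr if the ACL text changed.
check_save() {
    save_fn=$1 file=$2
    ino_before=$(inode_of "$file"); acl_before=$(acl_of "$file")
    "$save_fn" "$file" "blafasel"
    ino_after=$(inode_of "$file"); acl_after=$(acl_of "$file")
    [ "$acl_before" = "$acl_after" ] || echo "warning: ACL changed on $file" >&2
    if [ "$ino_before" = "$ino_after" ]; then echo same; else echo replaced; fi
}

# Constructed demo in a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/test.file"
    echo "in place:  $(check_save save_in_place "$dir/test.file")"
    echo "by rename: $(check_save save_by_rename "$dir/test.file")"
    rm -rf "$dir"
}
demo
```

A changed inode proves the file was replaced; an unchanged one does not prove an in-place edit, since inode numbers can be reused once the original has been unlinked.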

More information about the freebsd-fs mailing list