ZFS deletes ACLs when root edits a file

Marc Peters marc at mpeters.org
Wed Jun 13 14:23:14 UTC 2012


On 06/12/2012 09:15 PM, Andrew Leonard wrote:
> On Tue, Jun 12, 2012 at 7:42 AM, Fabian Keil 
> <freebsd-listen at fabiankeil.de> wrote:
> 
>> Marc Peters <marc at mpeters.org> wrote:
>> 
>>> I observed a strange behaviour when using ACLs on a ZFS
>>> filesystem. When a file has ACLs set and is edited by a user,
>>> the ACLs get lost when the file is edited and saved.
>>> 
>>> How to repeat:
>>> 
>>>> mount
>>> /dev/aacd0s1a on / (ufs, local)
>>> devfs on /dev (devfs, local, multilabel)
>>> /dev/aacd0s1d on /var (ufs, local, soft-updates)
>>> appdata on /appdata (zfs, local, nfsv4acls)
>>> /dev/md0 on /appdata/www/cache (ufs, local, soft-updates)
>>> 
>>>> ls -al
>>> total 3
>>> drwxr-xr-x  2 mpeters  wheel  2 Jun 12 15:31 .
>>> drwxr-xr-x  5 root     wheel  5 Jun 12 15:29 ..
>>>> touch test.file
>>>> ls -al
>>> total 4
>>> drwxr-xr-x  2 mpeters  wheel  3 Jun 12 15:32 .
>>> drwxr-xr-x  5 root     wheel  5 Jun 12 15:29 ..
>>> -rw-r--r--  1 mpeters  wheel  0 Jun 12 15:32 test.file
>>>> getfacl test.file
>>> # file: test.file
>>> # owner: mpeters
>>> # group: wheel
>>> owner@:rw-p--aARWcCos:------:allow
>>> group@:r-----a-R-c--s:------:allow
>>> everyone@:r-----a-R-c--s:------:allow
>>>> setfacl -m user:nobody:rwx::allow test.file
>>>> ls -al
>>> total 4
>>> drwxr-xr-x  2 mpeters  wheel  3 Jun 12 15:32 .
>>> drwxr-xr-x  5 root     wheel  5 Jun 12 15:29 ..
>>> -rw-r--r--+ 1 mpeters  wheel  0 Jun 12 15:32 test.file
>>>> getfacl test.file
>>> # file: test.file
>>> # owner: mpeters
>>> # group: wheel
>>> user:nobody:rwx-----------:------:allow
>>> owner@:rw-p--aARWcCos:------:allow
>>> group@:r-----a-R-c--s:------:allow
>>> everyone@:r-----a-R-c--s:------:allow
>>>> vim test.file
>>> (do some editing here)
>>> "test.file" 2 lines, 12 characters written
>>>> ls -al
>>> total 4
>>> drwxr-xr-x  2 mpeters  wheel   3 Jun 12 15:35 .
>>> drwxr-xr-x  5 root     wheel   5 Jun 12 15:29 ..
>>> -rw-r--r--  1 mpeters  wheel  12 Jun 12 15:35 test.file
>>>> getfacl test.file
>>> # file: test.file
>>> # owner: mpeters
>>> # group: wheel
>>> owner@:rw-p--aARWcCos:------:allow
>>> group@:r-----a-R-c--s:------:allow
>>> everyone@:r-----a-R-c--s:------:allow
>>> 
>>> As you can see, the ACL for user nobody is gone.
>>> 
>>> Is this behaviour intended?
>> 
>> It is expected if vim replaced the original test.file with a
>> modified file with the same name, instead of actually editing the
>> original file directly.
>> 
>> To confirm that this is happening you could truss vim or run "ls
>> -i test.file" before and after using vim (this is probably less
>> reliable, though).
>> 
>> The ACLs shouldn't get lost if you really modify the original,
>> for example with:
>> 
>> echo blafasel >> test.file
> 
> Also, take a look at what you have the aclmode property set to on
> the ZFS file system.  If you have it set to "discard" and if vim
> makes a chmod(2) call on the original file, then the ACL entries
> that do not represent the mode of the file will be discarded.
> 
> -Andy
> 
>> Fabian

Thank you Andrew and Fabian. As discussed a little off list, the
inheritance was the culprit, as is already stated in the FAQ:

FAQ

Q: Inheritance doesn't work the way I expect; access is denied while
it shouldn't be.

A: Set "aclmode=passthrough" and "aclinherit=passthrough" ZFS
properties. For UFS, you're out of luck, I'm afraid; there is no way
to change the behaviour there.

Sorry for the noise.

marc
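
The "ls -i before and after" check suggested in the thread, as an added example that is not part of the original messages: it reports whether a save kept the file's inode or replaced it, and whether the `getfacl` output changed. The function names and the two save strategies standing in for an editor are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): tell an in-place write from a
# replace-by-rename save, using the "ls -i before and after" check.

inode_of() {
    # The first field of `ls -i` is the inode number on both BSD and Linux.
    ls -i "$1" | awk '{print $1}'
}

acl_of() {
    # Snapshot the ACL text when getfacl is installed; empty otherwise.
    if command -v getfacl >/dev/null 2>&1; then
        getfacl "$1" 2>/dev/null || true
    fi
}

# save_kind FILE CMD [ARGS...]
# Runs CMD and prints "<in-place|replaced> <acl-same|acl-changed>".
save_kind() {
    sk_file=$1; shift
    sk_ino=$(inode_of "$sk_file"); sk_acl=$(acl_of "$sk_file")
    "$@" >/dev/null
    sk_kind=replaced; sk_aclres=acl-changed
    [ "$sk_ino" = "$(inode_of "$sk_file")" ] && sk_kind=in-place
    [ "$sk_acl" = "$(acl_of "$sk_file")" ] && sk_aclres=acl-same
    echo "$sk_kind $sk_aclres"
}

# Constructed stand-ins for an editor's two ways of saving (hypothetical names).
append_in_place() { echo blafasel >> "$1"; }   # writes to the existing inode
write_and_rename() {
    # The new file exists alongside the old one, so its inode must differ.
    # If a program unlinks the old file first, the inode number can be
    # reused, which is one way the ls -i check can miss a replacement.
    wr_tmp="$1.new.$$"
    { cat "$1"; echo blafasel; } > "$wr_tmp" && mv "$wr_tmp" "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    touch "$d/test.file"
    echo "append: $(save_kind "$d/test.file" append_in_place "$d/test.file")"
    echo "rename: $(save_kind "$d/test.file" write_and_rename "$d/test.file")"
    rm -rf "$d"
}
demo
```

On the dataset from the thread, `zfs get aclmode,aclinherit appdata` shows the two properties the replies and the FAQ point to; a "replaced" result means the new file's ACL comes from inheritance rather than from the entries set on the old file.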

