ZFS deletes ACLs when root edits a file
Marc Peters
marc at mpeters.org
Wed Jun 13 14:23:14 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/12/2012 09:15 PM, Andrew Leonard wrote:
> On Tue, Jun 12, 2012 at 7:42 AM, Fabian Keil
> <freebsd-listen at fabiankeil.de> wrote:
>
>> Marc Peters <marc at mpeters.org> wrote:
>>
>>> i observed a strange behaviour when using ACLs on a ZFS
>>> filesystem. When a file has ACLs set and is edited by a user,
>>> the ACLs get lost when the file is edited and saved.
>>>
>>> How to repeat:
>>>
>>>> mount
>>> /dev/aacd0s1a on / (ufs, local) devfs on /dev (devfs, local,
>>> multilabel) /dev/aacd0s1d on /var (ufs, local, soft-updates)
>>> appdata on /appdata (zfs, local, nfsv4acls) /dev/md0 on
>>> /appdata/www/cache (ufs, local, soft-updates)
>>>
>>>> ls -al
>>> total 3 drwxr-xr-x 2 mpeters wheel 2 Jun 12 15:31 .
>>> drwxr-xr-x 5 root wheel 5 Jun 12 15:29 ..
>>>> touch test.file ls -al
>>> total 4 drwxr-xr-x 2 mpeters wheel 3 Jun 12 15:32 .
>>> drwxr-xr-x 5 root wheel 5 Jun 12 15:29 .. - -rw-r--r-- 1
>>> mpeters wheel 0 Jun 12 15:32 test.file
>>>> getfacl test.file
>>> # file: test.file # owner: mpeters # group: wheel
>>> owner@:rw-p--aARWcCos:------:allow
>>> group@:r-----a-R-c--s:------:allow
>>> everyone@:r-----a-R-c--s:------:allow
>>>> setfacl -m user:nobody:rwx::allow test.file ls -al
>>> total 4 drwxr-xr-x 2 mpeters wheel 3 Jun 12 15:32 .
>>> drwxr-xr-x 5 root wheel 5 Jun 12 15:29 .. - -rw-r--r--+ 1
>>> mpeters wheel 0 Jun 12 15:32 test.file
>>>> getfacl test.file
>>> # file: test.file # owner: mpeters # group: wheel
>>> user:nobody:rwx-----------:------:allow
>>> owner@:rw-p--aARWcCos:------:allow
>>> group@:r-----a-R-c--s:------:allow
>>> everyone@:r-----a-R-c--s:------:allow
>>>> vim test.file
>>> (do some editing here) "test.file" 2 lines, 12 characters
>>> written
>>>> ls -al
>>> total 4 drwxr-xr-x 2 mpeters wheel 3 Jun 12 15:35 .
>>> drwxr-xr-x 5 root wheel 5 Jun 12 15:29 .. - -rw-r--r--
>>> 1 mpeters wheel 12 Jun 12 15:35 test.file
>>>> getfacl test.file
>>> # file: test.file # owner: mpeters # group: wheel
>>> owner@:rw-p--aARWcCos:------:allow
>>> group@:r-----a-R-c--s:------:allow
>>> everyone@:r-----a-R-c--s:------:allow
>>>
>>> As you can see, the ACL for user nobody is gone.
>>>
>>> Is this behaviour intended?
>>
>> It is expected if vim replaced the original test.file with a
>> modified file with the same name, instead of actually editing the
>> original file directly.
>>
>> To confirm that this is happening you could truss vim or run "ls
>> -i test.file" before and after using vim (this is probably less
>> reliable, though).
>>
>> The ACLs shouldn't get lost if you really modify the original,
>> for example with:
>>
>> echo blafasel >> test.file
>
> Also, take a look at what you have the aclmode property set to on
> the ZFS file system. If you have it set to "discard" and if vim
> makes a chmod(2) call on the original file, then the ACL entries
> that do not represent the mode of the file will be discarded.
>
> -Andy
>
>> Fabian
Thank you Andrew and Fabian. As discussed a little off list, the
inheritance was the cuelprit, as already is stated in the FAQ:
FAQ
Q: Inheritance doesn't work the way I expect; access is denied while
it shouldn't be.
A: Set "aclmode=passthrough" and "aclinherit=passthrough" ZFS
properties. For UFS, you're out of luck, I'm afraid; there is no way
to change the behaviour there.
Sorry for the noise.
marc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk/YokYACgkQCnBgS+kUGEtHmQCfZdxsqM4kbdU8ug15/Kgs0wHf
/mQAnilUmxAPnJokeNKpUVHLXtJqp45O
=u3As
-----END PGP SIGNATURE-----
More information about the freebsd-fs
mailing list