Mapping POSIX ACLs to NFSv4 ACLs for Samba storage

Prokofiev S.P. proks at skylinetele.com
Tue Oct 29 15:28:31 UTC 2013


Thank you for your answer. Sorry for my delay, I was very busy.
In my opinion, if we don't take into account the Windows requirements on
rule ordering, then the draft proposes a more or less correct solution.
As I see it, there are two solutions to this problem.
The first: create UFS on a zvol and move the data there.
The second, as you said, is a simple translation for my application,
i.e. Samba.
In my example the solution could look like this (it's formal and for
compatibility with Windows applications):

owner@:--------------:fd----:deny
user:10015:-w-p---A---C--:fd----:deny
user:10049:-w-p---A---C--:fd----:deny
user:10072:-------A---C--:fd----:deny
owner@:rwxpD-aA--cC-s:fd----:allow
user:10015:r-x---a---c--s:fd----:allow
user:10049:r-x---a---c--s:fd----:allow
user:10072:rwxpD-a---c--s:fd----:allow

group@:------a---c--s:fd----:allow
group:10008:rwxpD-a---c--s:fd----:allow
group:544:rwxpD-a---c--s:fd----:allow
group:10131:r-x---a---c--s:fd----:allow

everyone@:--------------:fd----:allow

The last rule is a deny rule for other groups.
In the general case the solution is more complicated, of course. We should
take into account that the groups could have the same users and, moreover,
users from the user list could be members of these groups. Therefore we
couldn't place all the deny rules in front of the allow rules, as Windows
applications require.

On 12.10.2013 03:22, Rick Macklem wrote:
> Prokofiev S.P. wrote:
>> Hi all,
>>
>> I propose to talk about an issue. I have a task of moving data from
>> UFS+ACLs storage to a ZFS pool. Dump/restore is the best way. But
>> only
>> owner/owner_group is saved. I've written a Perl script to translate
>> POSIX ACLs to NFSv4 ACLs. I referred to the last draft of it
>> (http://tools.ietf.org/html/draft-iet...acl-mapping-05
>> <http://tools.ietf.org/html/draft-ietf-nfsv4-acl-mapping-05>) to
>> emulate
>> POSIX behaviour of permissions. I got something like that, for
>> instance:
>>
> It probably isn't of much help to you, but eventually the NFSv4
> working group realized that mapping between POSIX<->NFSv4 ACLs
> wasn't possible. Those drafts were just failed attempts.
>
> Also, if you are going to put all deny ACEs before all allow
> ACEs, then the deny ACEs must not specify anything that is
> allowed by the allow ACEs. (I suspect you already know, but
> the NFSv4 ACL is evaluated by testing each ACE in order and
> any match for a deny ACE denies access and any matching allow ACE
> allows access. As such, re-ordering ACEs in the ACL changes
> the ACL's semantics.)
>
> Good luck with this. I do not believe there is a correct solution
> in general, so all you can hope for is a simple translation
> that captures enough semantics for your application.
>
> rick
>
>> Source directory on UFS:
>> Code:
>>
>>> getfacl  /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
>> # file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
>> # owner: 10051
>> # group: 513
>> user::rwx
>> user:10015:r-x
>> user:10049:r-x
>> user:10072:rwx
>> group::---
>> group:544:rwx
>> group:10008:rwx
>> group:10131:r-x
>> mask::rwx
>> other::---
>>
>>> getfacl  -d /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
>> # file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
>> # owner: 10051
>> # group: 513
>> user::rwx
>> user:10015:r-x
>> user:10049:r-x
>> user:10072:rwx
>> group::---
>> group:544:rwx
>> group:10008:rwx
>> group:10131:r-x
>> mask::rwx
>> other::---
>>
>> Target directory on ZFS:
>> Code:
>>
>> # getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
>> # file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
>> # owner: 10051
>> # group: 513
>>                 owner@:--------------:fd----:deny
>>                 owner@:rwxpD-aA--cC-s:fd----:allow
>>           user:10015:-w-p---A---C--:fd----:deny
>>           user:10015:r-x---a---c--s:fd----:allow
>>           user:10049:-w-p---A---C--:fd----:deny
>>           user:10049:r-x---a---c--s:fd----:allow
>>           user:10072:-------A---C--:fd----:deny
>>           user:10072:rwxpD-a---c--s:fd----:allow
>>                 group@:------a---c--s:fd----:allow
>>        group:10008:rwxpD-a---c--s:fd----:allow
>>            group:544:rwxpD-a---c--s:fd----:allow
>>        group:10131:r-x---a---c--s:fd----:allow
>>                 group@:rwxp---A---C--:fd----:deny
>>        group:10008:-------A---C--:fd----:deny
>>            group:544:-------A---C--:fd----:deny
>>        group:10131:-w-p---A---C--:fd----:deny
>>           everyone@:rwxp---A---C--:fd----:deny
>>           everyone@:------a---c--s:fd----:allow
>>
>> I was happy, but Windows made me sad. When I tried to look at the
>> permissions of a file or a directory with a Windows file browser I got
>> a warning about the ordering of permissions. Then I tried to edit the
>> permissions, allowed reordering, and got this result:
>>
>> Code:
>>
>> getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
>> # file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
>> # owner: 10051
>> # group: 513
>>           user:10015:-w-pD--A---C--:fd----:deny
>>           user:10049:-w-pD--A---C--:fd----:deny
>>           user:10072:-------A---C--:fd----:deny
>>                 group@:rwxpD--A---C--:fd----:deny
>>        group:10008:-------A---C--:fd----:deny
>>             group:544:-------A---C--:fd----:deny
>>        group:10131:-w-pD--A---C--:fd----:deny
>>           everyone@:rwxpD--A---C--:fd----:deny    <<<<<<<<<
>>                owner@:rwxpD-aA--cC--:fd----:allow
>>          user:10015:r-x---a---c---:fd----:allow
>>          user:10049:r-x---a---c---:fd----:allow
>>          user:10072:rwxpD-a---c---:fd----:allow
>>                group@:------a---c---:fd----:allow
>>       group:10008:rwxpD-a---c---:fd----:allow
>>            group:544:rwxpD-a---c---:fd----:allow
>>        group:10131:r-x---a---c---:fd----:allow
>>            everyone@:------a---c---:fd----:allow
>>
>> But it won't work, because of (everyone@:rwxpD--A---C--:fd----:deny).
>> It's a mess. As it turned out, according to
>> http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx
>> <http://msdn.microsoft.com/en-us/library/windows/desktop/aa379298%28v=vs.85%29.aspx>
>> it's the Windows rule for ordering permissions.
>>


-- 
Prokofiev Sergii <proks at skylinetele.com>
System and Network Administrator, PROK-RIPE
ISP Skyline Telecom
Odessa, Ukraine
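To make the ordering point concrete, here is an added example (not code from the thread or from the poster's Perl script): a small Python evaluator for NFSv4 ACLs in the getfacl text form shown above, using the simplified order-dependent evaluation Rick describes. It assumes the Windows reordering amounts to a stable denies-first sort, and feeds it a subset of the quoted ZFS target ACL as constructed input; the same requests run against the original and the reordered list show the owner and user 10015 losing read access once the everyone@ deny ACE moves ahead of the allows.

```python
# Added example, not code from the thread: a small evaluator for NFSv4 ACLs in
# FreeBSD getfacl form (who:perms:flags:type) under the simplified model quoted
# in the thread: walk ACEs in order; a matching deny on a still-wanted bit denies,
# a matching allow grants remaining bits; every wanted bit must be granted.
# Subset of the thread's ZFS target ACL (owner 10051, group 513); some ACEs omitted.
ACL = """\
owner@:--------------:fd----:deny
owner@:rwxpD-aA--cC-s:fd----:allow
user:10015:-w-p---A---C--:fd----:deny
user:10015:r-x---a---c--s:fd----:allow
group@:------a---c--s:fd----:allow
group:10008:rwxpD-a---c--s:fd----:allow
group@:rwxp---A---C--:fd----:deny
group:10008:-------A---C--:fd----:deny
everyone@:rwxp---A---C--:fd----:deny
everyone@:------a---c--s:fd----:allow
"""

def parse_acl(text):
    """Return [(who, set of permission letters, 'allow'|'deny')] per line."""
    aces = []
    for line in text.split():
        p = line.split(":")
        aces.append((":".join(p[:-3]), {c for c in p[-3] if c != "-"}, p[-1]))
    return aces

def matches(who, uid, gids, owner=10051, group=513):
    # Does the ACE principal apply to a caller with this uid and group list?
    if "@" in who:
        return (who == "everyone@" or (who == "owner@" and uid == owner)
                or (who == "group@" and group in gids))
    kind, ident = who.split(":")
    return uid == int(ident) if kind == "user" else int(ident) in gids

def access(aces, uid, gids, wanted):
    """True only if every bit in `wanted` is granted before any is denied."""
    remaining = set(wanted)
    for who, perms, kind in aces:
        if not matches(who, uid, gids):
            continue
        if kind == "deny" and remaining & perms:
            return False
        if kind == "allow":
            remaining -= perms
            if not remaining:
                return True
    return False  # bits nobody granted stay denied

def windows_order(aces):
    """Stable denies-first sort (assumed to model the reordering Windows applied)."""
    return [a for a in aces if a[2] == "deny"] + [a for a in aces if a[2] != "deny"]
```

Call `access(parse_acl(ACL), uid, gids, "r")` and `access(windows_order(parse_acl(ACL)), uid, gids, "r")` for the same caller to see the semantics change with nothing but the ACE order.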



More information about the freebsd-fs mailing list