[OmniOS-discuss] nfsv4 acls wtf moment
Natxo Asenjo
natxo.asenjo at gmail.com
Thu May 16 16:10:27 EDT 2013
On Wed, May 15, 2013 at 11:47 PM, Paul B. Henson <henson at acm.org> wrote:
> On 5/12/2013 1:21 PM, Natxo Asenjo wrote:
>
>> mm, when using scp it bypasses the acl as well ..., grrr.
>
> Even with aclmode=restricted?

Strangely enough, on one share yes, the other no. The difference is the
share root dir permissions:
# /bin/ls -vd /tank/testshare/
drwxrwxrwx+ 10 root root 10 May 16 07:31 /tank/testshare/
0:everyone@:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/write_xattr/execute
/delete_child/read_attributes/write_attributes/delete/read_acl
/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
# bin/ls -vd /tank/fotos/
d---------+289 root root 290 May 16 07:32 /tank/fotos/
0:user:username:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/write_xattr/execute
/delete_child/read_attributes/write_attributes/delete/read_acl
/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
On /tank/fotos, when I scp as root, the root umask sets extra ACEs; on
the /tank/testshare dir, when I scp as root, the ACE is respected.
root@zfstank:~# zfs get all tank/testshare | grep acl
tank/testshare aclmode restricted local
tank/testshare aclinherit passthrough local
root@zfstank:~# zfs get all tank/fotos | grep acl
tank/fotos aclmode restricted local
tank/fotos aclinherit passthrough local
$ scp -r dosbox/ root@zfstank:/tank/testshare/testdir
# /bin/ls -vd /tank/testshare/testdir/
drwxrwxrwx+ 4 root root 5 May 16 22:03
/tank/testshare/testdir/
0:everyone@:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/write_xattr/execute
/delete_child/read_attributes/write_attributes/delete/read_acl
/write_acl/write_owner/synchronize:file_inherit/dir_inherit
/inherited:allow
$ scp -r dosbox/ root@zfstank:/tank/fotos/testdir
# /bin/ls -vd /tank/fotos/testdir
drwxr-xr-x+ 4 root root 5 May 16 22:03 /tank/fotos/testdir/
0:user:username:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/write_xattr/execute
/delete_child/read_attributes/write_attributes/delete/read_acl
/write_acl/write_owner/synchronize:file_inherit/dir_inherit
/inherited:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/read_attributes
/write_attributes/read_acl/write_acl/write_owner/synchronize:allow
2:group@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
Strange. I am going to open a bug with Red Hat to see if they can fix
coreutils and the ssh client to respect NFSv4 ACEs instead of bypassing the
stuff. We'll see.
--
groet,
natxo
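
An added example, not part of the message above: a Python parser for the wrapped `/bin/ls -vd` listings that reports which ACEs on a newly created directory lack the `inherited` flag, which is the difference between the two `testdir` results. The function names are this example's own; the two listings are copied from the message.

```python
import re

# Listings copied from the message above (wrapped /bin/ls -vd output).
TESTSHARE_CHILD = """\
drwxrwxrwx+ 4 root root 5 May 16 22:03
/tank/testshare/testdir/
0:everyone@:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/write_xattr/execute
/delete_child/read_attributes/write_attributes/delete/read_acl
/write_acl/write_owner/synchronize:file_inherit/dir_inherit
/inherited:allow
"""
FOTOS_CHILD = """\
drwxr-xr-x+ 4 root root 5 May 16 22:03 /tank/fotos/testdir/
0:user:username:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/write_xattr/execute
/delete_child/read_attributes/write_attributes/delete/read_acl
/write_acl/write_owner/synchronize:file_inherit/dir_inherit
/inherited:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/read_attributes
/write_attributes/read_acl/write_acl/write_owner/synchronize:allow
2:group@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
"""

def parse_aces(listing):
    """Return ACEs as dicts, rejoining entries wrapped over several lines."""
    entries = []
    for line in map(str.strip, listing.splitlines()):
        if m := re.match(r"(\d+):(.+)", line):
            entries.append(m.group(2))      # "N:" starts a new ACE
        elif entries and line:
            entries[-1] += line             # continuation of the previous ACE
    aces = []
    for entry in entries:
        f = entry.split(":")
        n = 2 if f[0] in ("user", "group") else 1  # user:name / group:name
        who, perms, rest = ":".join(f[:n]), f[n], f[n + 1:]
        flags = rest[0].split("/") if len(rest) == 2 else []  # flags optional
        aces.append({"who": who, "perms": perms, "flags": flags, "type": rest[-1]})
    return aces

def non_inherited(listing):
    """Names of ACEs that do not carry the 'inherited' flag."""
    return [a["who"] for a in parse_aces(listing)
            if "inherited" not in a["flags"]]
```

Running `non_inherited` over a tree after a copy gives a quick list of objects whose ACL contains entries that were not passed down from the parent.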