ethan gunword wrote:
we give the right to add folder to user foo.(this user can not delete anything
as a default) After that we give the right create file.And then user foo gains
delete everthing. How come is it possible.
Even though we add another rule like "0:user:foo:delete_child/delete:deny".
Again it does not work . Why please somebody answer this strange situation.
we need get answer as a result: user can create file, folder but not delete.
this is it.
ps: we tried it on ntfs (windows 2003) and hfs+ (apple macosx) fs type.
thanks
bash-3.00# zpool create tank c0d0s7
bash-3.00# zfs create tank/fs
bash-3.00# cd /tank/fs
bash-3.00# mkdir test
useradd foo
passwd foo
bash-3.00# chmod A+user:foo:add_file/add_subdirectory:allow test
bash-3.00# chmod A+user:foo:delete_child/delete:deny test
bash-3.00# ls -v
total 3
drwxr-xr-x+ 3 root root 4 Aug 18 15:30 test
0:user:foo:delete_child/delete:deny
1:user:foo:add_file/write_data/add_subdirectory/append_data:allow
2:owner@::deny
3:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
4:group@:add_file/write_data/add_subdirectory/append_data:deny
5:group@:list_directory/read_data/execute:allow
6:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
7:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
Delete permissions are kind of complicated. The recommended NFSv4
enforcement for the ability to delete an object is based on the
following chart:
-------------------------------------------------------
| Parent Dir | Target Object Permissions |
| permissions | |
-------------------------------------------------------
| | ACL Allows | ACL Denies| Delete |
| | Delete | Delete | unspecified|
-------------------------------------------------------
| ACL Allows | Permit | Permit | Permit |
| DELETE_CHILD | |
-------------------------------------------------------
| ACL Denies | Permit | Deny | Deny |
| DELETE_CHILD | | | |
-------------------------------------------------------
| ACL specifies | | | |
| only allow | Permit | Permit | Permit |
| write and | | | |
| execute | | | |
-------------------------------------------------------
| ACL denies | | | |
| write and | Permit | Deny | Deny |
| execute | | | |
-------------------------------------------------------
This should mean that you are denied delete permission based on row two
of the chart. Unfortunately, the code proceeds on and then finds
write/execute on the directory. You picked up write when you added
add_file to the ACL. Once we find write/execute on the directory we are
then on row 3 and access is granted.
I have opened bug 6461609 to address this problem. thanks for finding
the problem.
-Mark
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
