Thomas Fili wrote:
Hi @all,

With ZFS it's recommended to create a new filesystem, for example for each user 
to give them a home directory.

So far, so good. The homes should be under tank/export/home/staff and my 
intention is to restrict the ACL rights so only the user himself can access his 
own home directory.

I studied the ZFS Admin Guide and found the aclmode and aclinherit options. IMHO, 
for my intention the following configuration fits my wishes / needs.

zfs set aclmode=discard   tank/export/home/staff
zfs set aclinherit=passthrough-x  tank/export/home/staff

Now I set the ACLs on this staff directory:

/bin/chmod  A=owner@:rwxp---A-W-Cos:-------:allow /export/home/staff
/bin/chmod  A1+owner@:rwxp---A-W-Cos:fdi----:allow /export/home/staff
/bin/chmod  A2+group@:r-x---a-R-c--s:-------:allow /export/home/staff
/bin/chmod  A3+everyone@:------a-R-c--s:fdi----:allow /export/home/staff
/bin/chmod  A4+everyone@:------a-R-c--s:-------:allow /export/home/staff

Creating a "normal" directory results in the expected mode:

mkdir /export/home/staff/userx

/bin/ls -Vd /export/home/staff/userx

drwx------+  2 root     root           2 Jun 22 09:27 /export/home/staff/userx
                 owner@:rwxp---A-W-Cos:fdi---I:allow
                 owner@:rwxp---A-W-Cos:------I:allow
              everyone@:------a-R-c--s:fdi---I:allow
              everyone@:------a-R-c--s:------I:allow

But when creating a new filesystem the ACL stays unchanged:

zfs create tank/export/home/staff/usery

/bin/ls -Vd /export/home/staff/usery

drwxr-xr-x   2 root     root           2 Jun 22 09:40 /export/home/staff/usery
                 owner@:--------------:-------:deny
                 owner@:rwxp---A-W-Co-:-------:allow
                 group@:-w-p----------:-------:deny
                 group@:r-x-----------:-------:allow
              everyone@:-w-p---A-W-Co-:-------:deny
              everyone@:r-x---a-R-c--s:-------:allow



I played around with aclmode and aclinherit, but creating a new zfs filesystem 
always results in the same ACL.

Is this the behavior intended by the developers of ZFS?

Currently no ACL inheritance takes place when a new file system is created. Feel free to open an RFE for this.


Or is there any possibility to create a filesystem considering inherited ACLs?

It would be possible with some restrictions, such as: we must be inheriting the aclinherit/aclmode properties, the parent directory must also be a ZFS file system, and you must be using the default mount point.



Thomas

_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
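
Because a filesystem made with zfs create does not inherit the parent's ACL, as the reply states, each new home needs its ACL checked after creation. The following is an added example, not part of the original thread: it parses `ls -Vd` output and reports directories where members of the owning group or other users still have read, write, execute or append access. The function names are hypothetical, only owner@/group@/everyone@ entries are evaluated (named user:/group: entries are ignored), paths are assumed to contain no spaces, and the sample input is the two listings from the post.

```python
import re

ACE = re.compile(r"^\s*(\S+):([A-Za-z-]+):([A-Za-z-]+):(allow|deny)\s*$")  # who:perms:flags:type
DATA_BITS = "rwxp"  # read_data, write_data, execute, append_data

SAMPLE = """\
drwx------+  2 root     root           2 Jun 22 09:27 /export/home/staff/userx
                 owner@:rwxp---A-W-Cos:fdi---I:allow
                 owner@:rwxp---A-W-Cos:------I:allow
              everyone@:------a-R-c--s:fdi---I:allow
              everyone@:------a-R-c--s:------I:allow
drwxr-xr-x   2 root     root           2 Jun 22 09:40 /export/home/staff/usery
                 owner@:--------------:-------:deny
                 owner@:rwxp---A-W-Co-:-------:allow
                 group@:-w-p----------:-------:deny
                 group@:r-x-----------:-------:allow
              everyone@:-w-p---A-W-Co-:-------:deny
              everyone@:r-x---a-R-c--s:-------:allow
"""

def parse_ls_v(text):
    acls, path = {}, None
    for line in text.splitlines():
        m = ACE.match(line)
        if m and path:
            acls[path].append(m.groups())
        elif not m and line.strip():
            path = line.split()[-1]  # header line: path is the last field
            acls[path] = []
    return acls

def data_access(aces, classes):
    # ACEs are evaluated in order: the first applicable ACE naming a bit decides it.
    decided = {}
    for who, perms, flags, kind in aces:
        if who in classes and "i" not in flags:  # inherit-only ACEs don't apply here
            for bit in DATA_BITS:
                if bit in perms:
                    decided.setdefault(bit, kind)
    return "".join(b for b in DATA_BITS if decided.get(b) == "allow")

def audit(text):
    findings = {}
    for path, aces in parse_ls_v(text).items():
        got = {"group": data_access(aces, {"group@", "everyone@"}),
               "other": data_access(aces, {"everyone@"})}
        if any(got.values()):
            findings[path] = got
    return findings
```

Calling audit(SAMPLE) flags only /export/home/staff/usery, the home created with zfs create.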
