Thomas Fili wrote:
Hi @all,
With ZFS it's recommended to create a new filesystem, for example for each user
to give them a home directory.
So far, so good. The homes should be under tank/export/home/staff and my
intention is to restrict the ACL rights so only the user himself can access his
own home directory.
I studied the ZFS Admin Guide and found the aclmode and aclinherit options. IMHO,
for my intention the following configuration fits my wishes / needs:
zfs set aclmode=discard tank/export/home/staff
zfs set aclinherit=passthrough-x tank/export/home/staff
Now I set the ACLs on this staff directory:
/bin/chmod A=owner@:rwxp---A-W-Cos:-------:allow /export/home/staff
/bin/chmod A1+owner@:rwxp---A-W-Cos:fdi----:allow /export/home/staff
/bin/chmod A2+group@:r-x---a-R-c--s:-------:allow /export/home/staff
/bin/chmod A3+everyone@:------a-R-c--s:fdi----:allow /export/home/staff
/bin/chmod A4+everyone@:------a-R-c--s:-------:allow /export/home/staff
Creating a "normal" directory results in the expected mode:
mkdir /export/home/staff/userx
/bin/ls -Vd /export/home/staff/userx
drwx------+ 2 root root 2 Jun 22 09:27 /export/home/staff/userx
owner@:rwxp---A-W-Cos:fdi---I:allow
owner@:rwxp---A-W-Cos:------I:allow
everyone@:------a-R-c--s:fdi---I:allow
everyone@:------a-R-c--s:------I:allow
But when creating a new filesystem the ACL stays unchanged:
zfs create tank/export/home/staff/usery
/bin/ls -Vd /export/home/staff/usery
drwxr-xr-x 2 root root 2 Jun 22 09:40 /export/home/staff/usery
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow
I played around with aclmode and aclinherit, but creating a new ZFS filesystem
always results in the same ACL.
Is this the intended behavior by the developers of ZFS?

Currently no ACL inheritance takes place when a new file system is
created. Feel free to open an RFE for this.

Or is there any possibility to create a filesystem considering inherited ACLs?

It would be possible with some restrictions, such as: we must be
inheriting the aclinherit/aclmode properties, the parent directory
must also be a ZFS file system, and you must be using the default mount
point.

Thomas
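
Since a new file system does not pick up the parent's ACL, each freshly created home can be checked for access granted to group@ or everyone@. The script below is an added example, not part of the original thread; the function names are its own, the two sample listings are copied from the message above, and it deliberately ignores deny entries and entry order.

```shell
#!/bin/sh
# Added example: flag home directories whose ACL still lets group@ or
# everyone@ reach the data. Input is `/bin/ls -Vd` output on stdin.
# Simplification: deny entries and entry order are not evaluated.

find_open_aces() {
    awk '{
        line = $0
        sub(/^[ \t]+/, "", line)
        n = split(line, f, ":")
        if (n != 4) next                                   # not a who:perms:flags:type line
        if (f[1] != "group@" && f[1] != "everyone@") next  # only the broad principals
        if (f[4] != "allow") next
        if (index(f[3], "i") > 0) next                     # inherit_only: not applied to this dir
        if (substr(f[2], 1, 4) != "----") print line       # r, w, x or p granted
    }'
}

home_is_private() {
    [ -z "$(find_open_aces)" ]
}

# Listings copied from the message above.
sample_userx() {
    cat <<'EOF'
drwx------+ 2 root root 2 Jun 22 09:27 /export/home/staff/userx
owner@:rwxp---A-W-Cos:fdi---I:allow
owner@:rwxp---A-W-Cos:------I:allow
everyone@:------a-R-c--s:fdi---I:allow
everyone@:------a-R-c--s:------I:allow
EOF
}

sample_usery() {
    cat <<'EOF'
drwxr-xr-x 2 root root 2 Jun 22 09:40 /export/home/staff/usery
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow
EOF
}

for s in sample_userx sample_usery; do
    if $s | home_is_private; then echo "$s: private"; else echo "$s: open"; fi
done
```

On a live system the input would come from `/bin/ls -Vd` run against the new home directory right after `zfs create`.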