#73 Map ZFS ACLs to UNIX mode

None
closed
nobody
None
5
2015-02-01
2013-02-28
Ralph Böhme
No

Setup

Nexenta CIFS services and Netatalk 3 for sharing the same dataset

Details

Nexenta employs a permission scheme where user permissions are completely modeled with ACLs and the UNIX mode of files is set to 0000.
When accessing such files with Netatalk, Netatalk maps the file's ACL to the UARights permission struct and returns these effective permissions to the AFP client. The Finder on the client uses this permission structure to adjust its view of the effective permissions, but the UNIX mode is still 0000.
As a result, while the AFP client is able to read and write the file on the server, when the file is copied to the client the ACL is lost and the copy has a UNIX mode of 0000.

Example

On the server:

$ id -a
uid=100(ralph) gid=10(staff) groups=10(staff),3(sys),102(netatalk)

$ ls -lV myfile.txt 
----------+  1 ralph    root          33 Feb 17 09:55 myfile.txt
         group:netatalk:rw------RW----:-------:allow
                 owner@:------aARWcCos:-------:allow
                 group@:------a-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow
$

On the client:

$ ls -l /Volumes/test/myfile.txt 
----------@ 1 ralph  staff  33 17 Feb 09:55 /Volumes/test/myfile.txt

Proposed Enhancement

Change the global ACL option "map acls" to take the following values: "none", "rights" and "mode". The default is "rights".

none := no mapping, this resembles the previous false/no setting
rights := map ACLs to Finder UARights, this resembles the previous true/yes setting. This is the default.
mode := map ACLs to Finder UARights and UNIX mode

Code:
[ccfcf8a89cd12424585c2ed41d7465e9de5bad80]

With this change and with "map acls = mode" in afp.conf the above file is shown as follows:

$ ls -l /Volumes/test/myfile.txt 
-rw-------@ 1 ralph  staff  33 17 Feb 09:55

The default behaviour will be slightly different for POSIX ACLs, but unchanged for ZFS ACLs: ACLs only affect the special UARights structure, but not the UNIX mode. This is effectively the same behaviour as the OS X AFP server.

Otoh, in order to get useful semantics with POSIX ACLs, we may have to modify the UNIX mode in order to reflect the POSIX ACL on the server in some way. This changeset would offer configurable behaviour for how POSIX ACLs are mapped; by default the UNIX mode will be unaffected, which may require the admin to set "map acls" to "mode" in order to get the previous behaviour.

Summary:

Good:
- clean design
- ZFS ACL and POSIX ACL code behaving identically
- completely configurable behaviour

Bad:
- servers using POSIX ACLs may have to adjust config by adding "map acls = mode" to afp.conf

Related

Commit: [ccfcf8]
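
Added example, not part of the ticket and not the code from the commit: a Python illustration of how the ACL from the Example section evaluates for the connecting user, and how a "mode" mapping can yield the -rw------- listing shown above. Folding the effective rights into the owner bits is an assumption chosen to reproduce that listing; the function names and the RALPH credential dictionary are hypothetical.

```python
import stat

# ACE lines copied from the ticket's `ls -lV myfile.txt` output.
ACL_TEXT = """\
group:netatalk:rw------RW----:-------:allow
owner@:------aARWcCos:-------:allow
group@:------a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
"""

def parse_acl(text):
    """Parse compact `ls -V` ACE lines into (who, perms, type) tuples."""
    aces = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4:                      # who...:perms:flags:type
            who = ":".join(fields[:-3])           # "owner@" or "group:netatalk"
            aces.append((who, set(fields[-3]) - {"-"}, fields[-1]))
    return aces

def matches(who, cred, owner, group):
    """Does this ACE apply to the requesting credential?"""
    kind, _, name = who.partition(":")
    if who == "everyone@":
        return True
    if who == "owner@":
        return cred["user"] == owner
    if who == "group@":
        return group in cred["groups"]
    if kind == "user":
        return name == cred["user"]
    return kind == "group" and name in cred["groups"]

def effective(aces, cred, owner, group, wanted="rwx"):
    """NFSv4 ordering: the first matching ACE that names a bit decides it."""
    decided = {}
    for who, perms, ace_type in aces:
        if matches(who, cred, owner, group):
            for bit in perms & set(wanted):
                decided.setdefault(bit, ace_type == "allow")
    return {bit for bit, allowed in decided.items() if allowed}

def map_mode(mode, rights):
    """Assumed "mode" mapping: fold the effective rights into the owner bits."""
    bits = {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR}
    return mode | sum(bits[r] for r in rights)

# Credential taken from the ticket's `id -a` output (dictionary layout is hypothetical).
RALPH = {"user": "ralph", "groups": {"staff", "sys", "netatalk"}}
```

Here owner@ grants ralph no data rights, so read and write come only from the group:netatalk entry; a user outside that group ends up with no rights and the mode stays 0000.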

Discussion

  • Ralph Böhme
    2013-04-09

    • status: open --> closed