[Acl-Devel] NFSv4 default ACL
Andreas Gruenbacher
agruen at suse.de
Thu Aug 31 04:33:55 CEST 2006
On Wednesday 30 August 2006 23:47, Andre Roth wrote:
> Thank you for your quick reply, Andreas :-)
>
> > Are you sure you are using NFSv4 and not NFSv3?
>
> yes:
> 10.0.0.2:/vol/vol1 on /data type nfs4 (rw,addr=10.0.0.2)
Okay ... just wanted to double check ;)
> > In general, POSIX and NFSv4 ACLs do not interact very well. The NFSv4
> > patches against libacl which make getfacl and setfacl emulate NFSv4
> > ACLs are not in the upstream version, and never will be. Instead,
> > we'll likely have tools that can manipulate NFSv4 ACLs directly.
> > Apparently Gentoo still took the CITI libacl patches.
>
> Is such a client available? If not, are the CITI patches meant to be
> used until something is available?
There's some simple CITI tool, and http://www.suse.de/~agruen/nfs4acl/ has a
user-space tool that is based on a slightly different attribute format. If
all goes well, we'll converge at some point...
> > > Setting default ACL's removes the normal ACL:
> > >
> > > joe at server ~ $ setfacl -d -m u:alice:rwx test/
> > > joe at server ~ $ ls -l
> > > total 4
> > > drwxr-xr-x 2 joe Staff 4096 Aug 30 14:13 test
> > > joe at server ~ $ getfacl test
> > > # file: test
> > > # owner: joe
> > > # group: Staff
> > >
> > > default:user::rwx
> > > default:user:alice:rwx
> > > default:group::r-x
> > > default:mask::rwx
> > > default:other::r-x
> >
> > That's a bug: a file cannot not have an ACL; there should at least be
> > user::, group::, and other:: entries.
>
> it's a directory, test/
There is an empty line before the default ACL. Instead, there should be at
least three (access) ACL entries (user::xxx, group::xxx, other::xxx), and
those are not there.
> getfacl always writes # file:
> > > Setting Unix permissions removes all ACLs:
> > >
> > > joe at server ~ $ chmod 700 test
> > > joe at server ~ $ getfacl test
> > > # file: test
> > > # owner: joe
> > > # group: Staff
> > > user::rwx
> > > group::---
> > > other::---
> > >
> > > joe at server ~ $ ls -l
> > > total 4
> > > drwx------ 2 joe Staff 4096 Aug 30 14:13 test
> >
> > That's probably by design (but I wouldn't call it expected behavior).
>
> it shouldn't be a problem, I hope when a file is created, umask is
> applied and the default ACL's will be set. And I hope this will
> work on NFSv4 as well :)
This would be inconsistent with the chmod behavior then, but who knows -- the
interaction between ACLs and file modes in current implementations is very
"interesting". You can never really be sure what will happen.
> > > Interesting as well is this behavior:
> > >
> > > joe at server ~ $ mkdir test
> > > joe at server ~ $ chmod 700 test
> > > joe at server ~ $ setfacl -m u:alice:rwx test/
> > > joe at server ~ $ setfacl -d -m u:alice:rwx test/
> > > joe at server ~ $ ls -l
> > > total 4
> > > drwx------ 2 joe Staff 4096 Aug 30 14:29 test
> > > joe at server ~ $ getfacl test
> > > # file: test
> > > # owner: joe
> > > # group: Staff
> > >
> > > default:user::rwx
> > > default:user:alice:rwx
> > > default:group::---
> > > default:mask::rwx
> > > default:other::---
> > >
> > > joe at server ~ $ ls -l
> > > total 4
> > > d--------- 2 joe Staff 4096 Aug 30 14:29 test
> >
> > Huh? Getfacl modifies the file mode?
>
> yep... can anyone reproduce this?
I've never seen that before.
Andreas
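
Added example, not part of the original message or of the acl tools: a small checker for the symptom discussed above, where getfacl output shows a default ACL but no access entries at all. It parses getfacl text and reports any missing user::, group:: or other:: entry. Function names are hypothetical, and applying the same rule to a non-empty default ACL is an assumption that goes beyond what the message states.

```python
import re
BASE_TAGS = ("user", "group", "other")  # entries with an empty qualifier

def parse_getfacl(text):
    """Split getfacl text output into (access, default) lists of entries."""
    access, default = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if not line:
            continue
        parts = line.split(":")
        target = access
        if parts[0] == "default":
            target, parts = default, parts[1:]
        if len(parts) != 3 or not re.fullmatch(r"[r-][w-][x-]", parts[2]):
            raise ValueError(f"unparseable ACL entry: {raw!r}")
        target.append(tuple(parts))  # (tag, qualifier, permissions)
    return access, default

def missing_base(entries):
    # Base tags that have no entry with an empty qualifier.
    present = {tag for tag, qualifier, _ in entries if qualifier == ""}
    return [tag for tag in BASE_TAGS if tag not in present]

def check(text):
    access, default = parse_getfacl(text)
    problems = [f"access ACL lacks {tag}::" for tag in missing_base(access)]
    if default:  # assumption: a non-empty default ACL needs the same entries
        problems += [f"default ACL lacks {tag}::" for tag in missing_base(default)]
    return problems

# Listings copied from the thread above.
AFTER_SETFACL_D = """# file: test
# owner: joe
# group: Staff

default:user::rwx
default:user:alice:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""
AFTER_CHMOD = """# file: test
# owner: joe
# group: Staff
user::rwx
group::---
other::---
"""
print(check(AFTER_SETFACL_D), check(AFTER_CHMOD))
```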