NFS4 / ZFS: revert ACL to clean/inherited state

Posted by Keiichi on Super User See other posts from Super User or by Keiichi
Published on 2011-01-11T18:31:58Z Indexed on 2011/01/11 18:55 UTC


My problem is identical to this Windows question, but pertains to NFS4 (Linux) and the underlying ZFS (OpenIndiana) we are using. We have this ZFS shared via NFS4 and CIFS for Linux and Windows users respectively. It would be nice for both user groups to benefit from ACLs, but the one missing puzzle piece goes thusly:

Each user has a home, where he sets a top-level, inherited ACL. He can later on refine permissions for the contained files/folders iteratively. Over time, sometimes permissions need to be generalized again to avoid increasing pollution of ACL entries. You can tweak the ACL of every single file if need be to obtain the wanted permissions, but that defeats the purpose of inherited ACLs. So, how can an ACL be completely cleared like in the question linked above?

I have found nothing about what a blank, inherited ACL should look like. This use case simply does not seem to exist. In fact, the Solaris chmod manpage clearly states

A-                            Removes all ACEs  for  current
                              ACL   on   file  and  replaces
                              current ACL with new ACL  that
                              represents  only  the  current
                              mode of the file.

I.e. we get three new ACL entries filled with stuff representing the permission bits, which is rather useless for cleaning up.

If I try to manually remove every ACE, on the last one I get

chmod A0- <file>
chmod: ERROR: Can't remove all ACL entries from a file

Which by the way makes me think: and why not? In fact, I really want the whole file-specific ACL gone.

The same holds for Linux, which enumerates ACEs starting with 1 (!), and verbalizes its woes less diligently

nfs4_setacl -x 1 <file>
Failed setxattr operation: Unknown error 524

So, what is the idea behind ACLs under Solaris/NFS? Can they never be cleaned up? Why does the recursion option for the ACL setting commands pollute all children instead of setting a single ACL and making the children inherit? Is this really the intention of the designers? I can clean up the ACLs using a Windows client perfectly well, but am I supposed to tell the Linux users they have to switch OS just to consolidate permissions?

© Super User or respective owner
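The distinction the question turns on is between ACEs that were written onto a file (by chmod, or by chmod -R, which simply repeats the write on every child) and ACEs a child received through inheritance, which carry the "inherited" flag. The following is an added illustration, not code from the post or from Solaris/ZFS: a small Python model of the NFSv4 inheritance flags (f = file_inherit, d = dir_inherit, i = inherit_only, n = no_propagate, I = inherited, as described in RFC 5661 and used by ZFS) in the compact Solaris chmod ACE syntax the question itself uses. It computes what a freshly created child would inherit from its parent, which is exactly the "blank, inherited" state being asked about, and lists the explicitly-set entries that a consolidation would drop. The functions, the sample ACLs and the approximation of the inheritance rules are all constructed for this example.

```python
"""Model of NFSv4 / ZFS ACE inheritance (added illustration, not code from the post).

ACEs use the compact Solaris chmod syntax  who:perms:flags:type, e.g.
"owner@:rwxpdDaARWcCos:fd:allow". Only the inheritance flags are
interpreted: f (file_inherit), d (dir_inherit), i (inherit_only),
n (no_propagate), I (inherited). Permissions are carried along verbatim.
"""
from dataclasses import dataclass

INHERIT_FLAGS = frozenset("fdin")
FLAG_ORDER = "fdinI"


@dataclass(frozen=True)
class Ace:
    who: str
    perms: str
    flags: frozenset
    kind: str  # "allow" or "deny"

    @classmethod
    def parse(cls, text):
        # 'who' may itself contain a colon (user:alice), so split from the right
        who, perms, flags, kind = text.rsplit(":", 3)
        return cls(who, perms, frozenset(flags), kind)

    def __str__(self):
        flags = "".join(c for c in FLAG_ORDER if c in self.flags)
        return f"{self.who}:{self.perms}:{flags}:{self.kind}"


def parse_acl(text):
    return [Ace.parse(t) for t in text.split(",") if t]


def format_acl(acl):
    return ",".join(str(a) for a in acl)


def inherit(parent_acl, child_is_dir):
    """ACL a newly created child receives purely from its parent's inheritable ACEs."""
    child = []
    for ace in parent_acl:
        f, d, n = "f" in ace.flags, "d" in ace.flags, "n" in ace.flags
        if not (f or d):
            continue                                    # not inheritable at all
        if not child_is_dir:
            if not f:
                continue
            flags = (ace.flags - INHERIT_FLAGS) | {"I"}  # files never propagate further
        elif n:
            if not d:
                continue
            flags = (ace.flags - INHERIT_FLAGS) | {"I"}  # inherited once, then stops
        elif d:
            flags = (ace.flags - {"i"}) | {"I"}          # applies to the dir, keeps propagating
        else:
            flags = ace.flags | {"i", "I"}               # file-only ACE: carried for files below
        child.append(Ace(ace.who, ace.perms, frozenset(flags), ace.kind))
    return child


def explicit_entries(acl):
    """ACEs set directly on the object (no 'I' flag): the entries that pile up as pollution."""
    return [a for a in acl if "I" not in a.flags]


def reset_to_inherited(parent_acl, current_acl, child_is_dir):
    """Consolidate a child back to what it would have inherited; returns (new_acl, dropped)."""
    return inherit(parent_acl, child_is_dir), explicit_entries(current_acl)


if __name__ == "__main__":
    # constructed sample: a home directory with a top-level inheritable ACL
    home = parse_acl("owner@:rwxpdDaARWcCos:fd:allow,group@:rx:fd:allow,everyone@:rx:fdn:allow")
    sub = inherit(home, True)
    print("subdir  :", format_acl(sub))
    print("file    :", format_acl(inherit(home, False)))
    print("sub/sub :", format_acl(inherit(sub, True)))   # everyone@ is gone: no_propagate
    polluted = parse_acl("user:bob:rwx::allow,owner@:rwxpdDaARWcCos:I:allow")
    new, dropped = reset_to_inherited(home, polluted, False)
    print("dropped :", format_acl(dropped), "-> reset to", format_acl(new))
```

Entries written by a recursive chmod land in this model without the I flag, so explicit_entries() reports every one of them, which is the "pollution" the question describes; only entries the filesystem itself propagated at create time carry I. On Solaris the whole-ACL replacement form chmod A=<acl> <file> writes exactly one ACL to one object, so applying it to the top-level directory and then replacing each child's ACL with the output of inherit() for that child's type is what "reverting to the inherited state" amounts to in these terms.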