[gpfsug-discuss] Unexpected permissions with ACLs

Talamo Ivano Giuseppe ivano.talamo at psi.ch
Thu Sep 14 14:25:09 BST 2023


Hi all,

I am currently working with ACLs to find out a proper set that would fit our use case. And narrowing down I found out a very simple case that looks quite weird.

The use case is the following.
I create a directory with 2770 mode and root:p15875 ownership, without applying any explicit ACLs. The system returns this as the default ACLs generated by the permissions/mode:
#NFSv4 ACL
#owner:root
#group:p15875
special:owner@:rwxc:allow
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:group@:rwxc:allow
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:everyone@:----:allow
 (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

If I touch a new file inside that dir with a user that is a member of that group, it gets created with 644. So far so good.

Now if via mmeditacl I add the following entry to the ACL of the dir, new files get created with 000 permissions. The new entry is the following:

special:group@:rwx-:allow:DirInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

According to the manual, the DirInherit:InheritOnly should guarantee that the entry applies only to the new subdirectories but now it is also affecting new files in the main dir.
Is this an expected behavior?
The filesystem version is 5.1.5.0 and is configured with nfs4 ACLs only.

In general, I am struggling a lot with the NFS4 ACLs and I also find the IBM documentation [1] quite poor in this context. So if someone can point me to better resources that would be very welcome.

Thanks,
Ivano

[1] https://www.ibm.com/docs/en/storage-scale/5.0.2?topic=administration-nfs-v4-acl-syntax



__________________________________________
Paul Scherrer Institut
Ivano Talamo
WHGA/038
Forschungsstrasse 111
5232 Villigen PSI
Schweiz

Phone: +41 56 310 47 11
E-Mail: ivano.talamo at psi.ch
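The question above is whether a `DirInherit:InheritOnly` entry should have any effect on new files in the directory. As an added example (my code, not the poster's and not an IBM tool), the Python below parses the mmgetacl/mmeditacl text form shown in the post and reports, per entry, whether it applies to the directory itself, to new subdirectories, or to new files, then flags a directory that carries inheritable entries but none marked `FileInherit`, which is the configuration described in the post. The flag names `FileInherit`, `DirInherit`, `InheritOnly` and `NoPropagateInherit` are the GPFS NFSv4 ACL syntax; the sample ACL is constructed from the listing above, and the audit rules are my own heuristics for spotting that configuration, not an IBM statement about why the files ended up with 000.

```python
"""Audit a GPFS NFSv4 ACL listing (mmgetacl / mmeditacl text form) for
inheritance gaps.  Added example; SAMPLE_ACL is constructed from the post."""
import re
import sys
from dataclasses import dataclass, field

# Inheritance flags of the GPFS NFSv4 ACL syntax (assumed complete for this audit).
INHERIT_FLAGS = {"FileInherit", "DirInherit", "InheritOnly", "NoPropagateInherit"}

ENTRY_RE = re.compile(
    r"^(special:[a-z]+@|user:[^:]+|group:[^:]+):([rwxc-]{4}):(allow|deny)((?::\w+)*)$")
MASK_RE = re.compile(r"\((X|-)\)([A-Z_/]+)")


@dataclass
class Ace:
    who: str                      # e.g. "special:group@" or "user:alice"
    perms: str                    # four-character rwxc form
    kind: str                     # "allow" or "deny"
    flags: set = field(default_factory=set)
    granted: list = field(default_factory=list)  # permission names marked (X)

    def applies_to_object(self):  # InheritOnly entries never apply to the dir itself
        return "InheritOnly" not in self.flags

    def inherited_by_dirs(self):
        return "DirInherit" in self.flags

    def inherited_by_files(self):
        return "FileInherit" in self.flags


def parse_acl(text):
    """Return (owner, group, [Ace, ...]) from an mmgetacl-style listing."""
    owner = group = None
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#owner:"):
            owner = line.split(":", 1)[1]
            continue
        if line.startswith("#group:"):
            group = line.split(":", 1)[1]
            continue
        if line.startswith("#"):          # "#NFSv4 ACL" header line
            continue
        m = ENTRY_RE.match(line)
        if m:
            flags = {f for f in m.group(4).split(":") if f}
            unknown = flags - INHERIT_FLAGS
            if unknown:
                raise ValueError(f"unknown flag(s) {sorted(unknown)} in {line!r}")
            aces.append(Ace(m.group(1), m.group(2), m.group(3), flags))
            continue
        marks = MASK_RE.findall(line)
        if marks and aces:                # (X)/(-) detail line of the last entry
            aces[-1].granted.extend(name for mark, name in marks if mark == "X")
            continue
        raise ValueError(f"unrecognised ACL line: {line!r}")
    return owner, group, aces


def audit_inheritance(aces):
    """Heuristic checks (mine, not an IBM rule) on the inheritance flags."""
    findings = []
    for a in aces:
        if "InheritOnly" in a.flags and not (a.inherited_by_dirs() or a.inherited_by_files()):
            findings.append(f"{a.who}: InheritOnly without FileInherit or DirInherit, "
                            "entry never applies to anything")
    inheritable = [a for a in aces if a.inherited_by_dirs() or a.inherited_by_files()]
    if inheritable and not any(a.inherited_by_files() for a in inheritable):
        findings.append("inheritable entries exist but none carries FileInherit: "
                        "new files inherit no entry from this directory")
    return findings


# Constructed sample mirroring the listing in the post (2770, root:p15875, plus the added entry).
SAMPLE_ACL = """\
#NFSv4 ACL
#owner:root
#group:p15875
special:owner@:rwxc:allow
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:group@:rwxc:allow
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:everyone@:----:allow
 (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

special:group@:rwx-:allow:DirInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ACL
    _, _, entries = parse_acl(text)
    for a in entries:
        print(f"{a.who} {a.perms} {a.kind}: dir={a.applies_to_object()} "
              f"subdirs={a.inherited_by_dirs()} files={a.inherited_by_files()}")
    for line in audit_inheritance(entries) or ["no inheritance findings"]:
        print(line)
```

Run it with no input to audit the constructed sample, or pipe the output of mmgetacl for a real directory into it. On the sample it reports that the only inheritable entry is DirInherit:InheritOnly and that nothing is marked FileInherit, which lets an administrator spot that configuration before creating files under the directory; whether GPFS is right to leave new files with 000 in that case is still the question the post raises.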
