<div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10pt" ><div dir="ltr" >Hallo Stephen,</div>
<div dir="ltr" > </div>
<div dir="ltr" >behavior ... or better to say ... predicted behavior for chmod and ACLs .. is not an easy thing or only , if you stay in either POSIX world or NFSv4 world</div>
<div dir="ltr" > </div>
<div dir="ltr" >to be POSIX compliant, a chmod overwrites ACLs</div>
<div dir="ltr" > </div>
<div dir="ltr" >GPFS was enhanced to ignore overwrites to ACLs on chmod by a parameter.. and I can't remember exactly when, but in your very old version (blink blink, please update) it shoud be already there... ... .. Then(later) it was even more enhanced to better mitigate between the world's ...</div>
<div dir="ltr" > </div>
<div dir="ltr" >You need to have in mind... in case you use kernelNFS ... the linux kernel NFS required a so called lossy mapping ... because at the time of writing the kernel-NFS, there was no linux file system available, supporting native NFSv4 ACLs... so there was no other way .. than "lossy" map NFSv4 ACLs into POSIX ACLs (long time ago) ...</div>
<div dir="ltr" > </div>
<div dir="ltr" >but as always.. everything in IT business has some history.. ;-)</div>
<div dir="ltr" > </div>
<div dir="ltr" >later in GPFS, we introduced, that you can fine grained allow behavior of chmod , NFSv4 ACLs, POSIX ACls or both .... -and - do that per file set level</div>
<div dir="ltr" > </div>
<div dir="ltr" ><span style="font-family:monospace" ><span style="font-weight:bold;color:#000000;background-color:#ffffff;" >--allow-permission-change</span><span style="color:#000000;background-color:#ffffff;" > </span><span style="font-weight:bold;color:#000000;background-color:#ffffff;" >PermissionChangeMode</span><span style="color:#000000;background-color:#ffffff;" > </span><br> Specifies the new permission change mode. This mode<br> controls how chmod and <span style="color:#ffffff;background-color:#000000;" >ACL</span><span style="color:#000000;background-color:#ffffff;" > operations are handled on </span><br> objects in the fileset. Valid modes are as follows:<br><br> <span style="font-weight:bold;color:#000000;background-color:#ffffff;" >chmodOnly</span><span style="color:#000000;background-color:#ffffff;" > </span><br> Specifies that only the UNIX change mode<br> operation (chmod) is allowed to change access<br> permissions (<span style="color:#ffffff;background-color:#000000;" >ACL</span><span style="color:#000000;background-color:#ffffff;" > commands and API will not be </span><br> accepted).<br><br> <span style="font-weight:bold;color:#000000;background-color:#ffffff;" >setAclOnly</span><span style="color:#000000;background-color:#ffffff;" > </span><br> Specifies that permissions can be changed using<br> <span style="color:#ffffff;background-color:#000000;" >ACL</span><span style="color:#000000;background-color:#ffffff;" > commands and API only (chmod will not be </span><br> accepted).<br><br> <span style="font-weight:bold;color:#000000;background-color:#ffffff;" >chmodAndSetAcl</span><span style="color:#000000;background-color:#ffffff;" > </span><br> Specifies that chmod and <span style="color:#ffffff;background-color:#000000;" >ACL</span><span style="color:#000000;background-color:#ffffff;" > operations are </span><br> permitted. If the chmod command (or setattr<br> file operation) is issued, the result depends<br> on the type of <span style="color:#ffffff;background-color:#000000;" >ACL</span><span style="color:#000000;background-color:#ffffff;" > that was previously </span><br> controlling access to the object:<br><br> * If the object had a Posix <span style="color:#ffffff;background-color:#000000;" >ACL</span><span style="color:#000000;background-color:#ffffff;" >, it will be </span><br> modified accordingly.<br><br> * If the object had an NFSv4 <span style="color:#ffffff;background-color:#000000;" >ACL</span><span style="color:#000000;background-color:#ffffff;" >, it will be </span><br> replaced by the given UNIX mode bits.<br><br> <span style="font-weight:bold;color:#000000;background-color:#ffffff;" >Note:</span><span style="color:#000000;background-color:#ffffff;" > This is the default setting when a </span><br> fileset is created.<br><br> <span style="font-weight:bold;color:#000000;background-color:#ffffff;" >chmodAndUpdateAcl</span><span style="color:#000000;background-color:#ffffff;" > </span><br> Specifies that chmod and <span style="color:#ffffff;background-color:#000000;" >ACL</span><span style="color:#000000;background-color:#ffffff;" > operations are </span><br> permitted. If chmod is issued, the <span style="color:#ffffff;background-color:#000000;" >ACL</span><span style="color:#000000;background-color:#ffffff;" > will be </span><br> updated by privileges derived from UNIX mode<br> bits.</span><br><br> </div>
<div dir="ltr" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10pt" ><div dir="ltr" ><div>hope this helps ..</div></div></div></div></div>
<div dir="ltr" > </div>
<div dir="ltr" > </div>
<blockquote data-history-content-modified="1" dir="ltr" style="border-left:solid #aaaaaa 2px; margin-left:5px; padding-left:5px; direction:ltr; margin-right:0px" >----- Original message -----<br>From: "Losen, Stephen C (scl)" <scl@virginia.edu><br>Sent by: gpfsug-discuss-bounces@spectrumscale.org<br>To: gpfsug main discussion list <gpfsug-discuss@spectrumscale.org><br>Cc:<br>Subject: [EXTERNAL] [gpfsug-discuss] Using setfacl vs. mmputacl<br>Date: Mon, Mar 1, 2021 1:31 PM<br>
<div><font size="2" face="Default Monospace,Courier New,Courier,monospace" >Hi folks,<br>Experimenting with POSIX ACLs on GPFS 4.2 and noticed that the Linux command setfacl clears "c" permissions that were set with mmputacl. So if I have this:<br><br>...<br>group:group1:rwxc<br>mask::rwxc<br>...<br><br>and I modify a different entry with:<br><br>setfacl -m group:group2:r-x dirname<br><br>then the "c" permissions above get cleared and I end up with<br>...<br>group:group1:rwx-<br>mask::rwx-<br>...<br><br>I discovered that chmod does not clear the "c" mode. Is there any filesystem option to change this behavior to leave "c" modes in place?<br><br>Steve Losen<br>Research Computing<br>University of Virginia<br>scl@virginia.edu 434-924-0640<br><br>_______________________________________________<br>gpfsug-discuss mailing list<br>gpfsug-discuss at spectrumscale.org<br><a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__gpfsug.org_mailman_listinfo_gpfsug-2Ddiscuss&d=DwICAg&c=jf_iaSHvJObTbx-siA1ZOg&r=QInBVUG2345zpTXGAPvczeXAfnCgUNXuJEI_-wZlDDs&m=Cb4nCNXx2mpY3MW5kuFoMZe8SsgXt-2_m6k7OMk50v8&s=FxuSoG7O3C3D-I-NblJA4tsPcsXlkF0JGTSormvlYiE&e=" target="_blank" >https://urldefense.proofpoint.com/v2/url?u=http-3A__gpfsug.org_mailman_listinfo_gpfsug-2Ddiscuss&d=DwICAg&c=jf_iaSHvJObTbx-siA1ZOg&r=QInBVUG2345zpTXGAPvczeXAfnCgUNXuJEI_-wZlDDs&m=Cb4nCNXx2mpY3MW5kuFoMZe8SsgXt-2_m6k7OMk50v8&s=FxuSoG7O3C3D-I-NblJA4tsPcsXlkF0JGTSormvlYiE&e=</a> </font><br> </div></blockquote>
<div dir="ltr" > </div></div><BR>