<div dir="ltr"><div>I believe this ACL will achieve what you're trying to do... with POSIX permissions normally you would set 770 umask and a file create does not preserve execute by default, where a directory does. I have just now learned that with ACL's it does what you told it to do. So we have to recreate that behaviour by having a separate inheritance for both File and Directory. </div><div><br></div><div>The last bit, how to preserve the sticky bit, I couldn't quite figure out on a whim... but when I did a "chmod g+s .", the proper "DirInherit and FileInherit:InheritOnly" were added into the ACL... and things worked as expected.</div><div><br></div><font face="monospace">$ mmgetacl .<br>#NFSv4 ACL<br>#owner:someuser<br>#group:somegroup<br>special:owner@:rwxc:allow:DirInherit<br> (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED<br> (-)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED<br><br>special:owner@:rw-c:allow:FileInherit:InheritOnly<br> (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED<br> (-)DELETE (X)DELETE_CHILD (X)CHOWN (-)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED<br><br>special:group@:rwx-:allow:DirInherit<br> (X)READ/LIST (X)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED<br> (X)DELETE (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED<br><br>special:group@:rw--:allow:FileInherit:InheritOnly<br> (X)READ/LIST (X)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED<br> (X)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED<br><br>special:everyone@:----:allow:FileInherit:DirInherit<br> (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED<br> (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED</font><div><font face="monospace"><br></font></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Sep 2, 2022 at 1:25 AM Jonathan Buzzard <<a href="mailto:jonathan.buzzard@strath.ac.uk" target="_blank">jonathan.buzzard@strath.ac.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 01/09/2022 22:18, Taylor Joshua George (PSI) wrote:<br>
<br>
> <br>
> Hi Everyone,<br>
> I'm trying implement some ACLs, however some of the documentation is a<br>
> bit unclear to me.<br>
> <br>
> Using<br>
><a href="https://www.ibm.com/docs/en/spectrum-scale/5.1.4?topic=administration-setting-nfs-v4-access-control-lists" rel="noreferrer" target="_blank">https://www.ibm.com/docs/en/spectrum-scale/5.1.4?topic=administration-setting-nfs-v4-access-control-lists</a><br>
> as a reference, I'm trying to understand what to use to achieve 0660<br>
> permissions on files and 2770 on directories.<br>
> <br>
<br>
It's not clear from this whether you are trying to achieve the <br>
equivalent of 0660 and 2770 on files and directories or have an ls show <br>
the permissions as 0660 and 2770.<br>
<br>
> So far, I've managed to achieve 0000 perms, but user with the ACL<br>
> permission can chmod, or 0770 perms.<br>
> <br>
<br>
Basically neither of the above two options is possible because there is <br>
no exact mapping between POSIX permissions and NFSv4 ACL's.<br>
<br>
For example you can't get the equivalent of the set group id permission. <br>
You can however put an inheritable ACL for a group on the directory that <br>
gives r/w plus say search directory and possibly execute permissions if <br>
you want those as well.<br>
<br>
A user with ACL permissions can change permissions that is completely <br>
expected. Note that traditional 2770 permissions are only suggestive, <br>
the file or member of the group would be able to change them to <br>
something else. In fact programs often do when you save, and Samba just <br>
completely ignores them for the most part. At least with NFSv4 ACL's you <br>
can remove the ACL permission :-)<br>
<br>
How permissions display on an ls/stat is not an exact mapping and will <br>
tend to go to something like 0000, but actual ability to access etc. the <br>
file will be based on the ACL not what you see in ls/stat.<br>
<br>
> Attached is a txt file with the mmgetacl output, as well as file<br>
> listing on a test file, and finally, the ACL definition I used.<br>
> <br>
> As one can see in the attachment, the ACL requested appears differently<br>
> for what it _actually_ applied.<br>
> <br>
<br>
What ACL schematics does the file system have? Is it NFSv4 or both?<br>
<br>
If you are wedded to POSIX style permissions perhaps change to POSIX ACL <br>
schematics on the file system?<br>
<br>
<br>
JAB.<br>
<br>
-- <br>
Jonathan A. Buzzard Tel: +44141-5483420<br>
HPC System Administrator, ARCHIE-WeSt.<br>
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG<br>
<br>
_______________________________________________<br>
gpfsug-discuss mailing list<br>
gpfsug-discuss at <a href="http://gpfsug.org" rel="noreferrer" target="_blank">gpfsug.org</a><br>
<a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org" rel="noreferrer" target="_blank">http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org</a><br>
</blockquote></div>