<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body lang="EN-US" style="text-align:left; direction:ltr;">
<div>Yes. If there is one ACL entry that is inherited to a new file/directory, then only that inherited entry will be in the ACL of the new file/directory. The special case here is now that there is one inheritable entry, but that is flagged with DirInherit,
so it does not apply to new files.</div>
<div><br>
</div>
<div>Regards,</div>
<div><br>
</div>
<div>Christof</div>
<div><br>
</div>
<div>On Thu, 2023-09-14 at 21:13 +0000, Losen, Stephen C (scl) wrote:</div>
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
<div style="display:none !important;display:none;visibility:hidden;mso-hide:all;font-size:1px;color:#ffffff;line-height:1px;height:0px;max-height:0px;opacity:0;overflow:hidden;">
Hi, you have specified an inherited (inherit only) ACE in the parent directory’s ACL, so that disables umask. New files will only get whatever ACEs they inherit. Since the only inherited ACE pertains to directories and not files, a new file
</div>
<!-- Preheader Text : END --><!-- Email Banner : BEGIN -->
<div style="display:none !important;display:none;visibility:hidden;mso-hide:all;font-size:1px;color:#ffffff;line-height:1px;height:0px;max-height:0px;opacity:0;overflow:hidden;">
ZjQcmQRYFpfptBannerStart</div>
<!--[if ((ie)|(mso))]>
<table border="0" cellspacing="0" cellpadding="0" width="100%" style="padding: 16px 0px 16px 0px; direction: ltr" lang="en"><tr><td>
<table border="0" cellspacing="0" cellpadding="0" style="padding: 0px 10px 5px 6px; width: 100%; border-radius:4px; border-top:4px solid #90a4ae;background-color:#D0D8DC;"><tr><td valign="top">
<table align="left" border="0" cellspacing="0" cellpadding="0" style="padding: 4px 8px 4px 8px">
<tr><td style="color:#000000; font-family: 'Arial', sans-serif; font-weight:bold; font-size:14px; direction: ltr">
This Message Is From an External Sender
</td></tr>
<tr><td style="color:#000000; font-weight:normal; font-family: 'Arial', sans-serif; font-size:12px; direction: ltr">
This message came from outside your organization.
</td></tr>
</table>
<![if ie]><br clear="all"><![endif]>
<table align="right" border="0" cellspacing="0" cellpadding="0" style="padding: 4px 0px 4px 0px"><tr>
<td style="direction: ltr"> <a target="_blank" href="https://us-phishalarm-ewt.proofpoint.com/EWT/v1/PjiDSg!2Y-vrJ9RxDnU-mYbFsElzTntwzTT-DfGSCnfv-QAUYaAOnlLm4fXFBf20DlV_V763N-syTtqyssyVlwdUuQ4A_i6JoPRMlLqcdY4sTzfjvU$" style="mso-padding-alt: 7.5px; padding: 7.5px; border-radius: 2px; border: 1.5px solid #666666; "><strong style="font-weight: normal; color: #000000; text-decoration: none; font-family: 'Arial', sans-serif; font-size:14px; line-height: 40px; "> Report Suspicious </strong></a> </td>
</tr></table>
</td></tr></table>
</td></tr></table>
<![endif]--><!--[if !((ie)|(mso))]-->
<div dir="ltr" lang="en" id="pfptBannerrlayzqe" style="all: revert !important; display:block !important; text-align: left !important; margin:16px 0px 16px 0px !important; padding:8px 16px 8px 16px !important; border-radius: 4px !important; min-width: 200px !important; background-color: #D0D8DC !important; background-color: #D0D8DC; border-top: 4px solid #90a4ae !important; border-top: 4px solid #90a4ae;">
<div id="pfptBannerrlayzqe" style="all: unset !important; float:left !important; display:block !important; margin: 0px 0px 1px 0px !important; max-width: 600px !important;">
<div id="pfptBannerrlayzqe" style="all: unset !important; display:block !important; visibility: visible !important; background-color: #D0D8DC !important; color:#000000 !important; color:#000000; font-family: 'Arial', sans-serif !important; font-family: 'Arial', sans-serif; font-weight:bold !important; font-weight:bold; font-size:14px !important; line-height:18px !important; line-height:18px">
This Message Is From an External Sender </div>
<div id="pfptBannerrlayzqe" style="all: unset !important; display:block !important; visibility: visible !important; background-color: #D0D8DC !important; color:#000000 !important; color:#000000; font-weight:normal; font-family: 'Arial', sans-serif !important; font-family: 'Arial', sans-serif; font-size:12px !important; line-height:18px !important; line-height:18px; margin-top:2px !important;">
This message came from outside your organization. </div>
</div>
<div id="pfptBannerrlayzqe" style="all: unset !important; float: right !important; display: block !important; display: block; margin: 0px 0px 0px 16px !important; text-align: right !important; width: fit-content !important;">
<a id="pfptBannerrlayzqe" href="https://us-phishalarm-ewt.proofpoint.com/EWT/v1/PjiDSg!2Y-vrJ9RxDnU-mYbFsElzTntwzTT-DfGSCnfv-QAUYaAOnlLm4fXFBf20DlV_V763N-syTtqyssyVlwdUuQ4A_i6JoPRMlLqcdY4sTzfjvU$" style="all: unset !important; display: inline-block !important; text-decoration: none"><div class="pfptPrimaryButtonrlayzqe" style="display: inline-block !important; display: inline-block; visibility: visible !important; opacity: 1 !important; color: #000000 !important; color: #000000; font-family: 'Arial', sans-serif !important; font-family: 'Arial', sans-serif; font-size: 14px !important; font-weight: normal !important; text-decoration: none !important; border-radius: 2px !important; padding: 7.5px 16px !important; margin: 3px 0 3px 16px !important; white-space: nowrap !important; width: fit-content !important; border: 1px solid #666666">Report Suspicious </div></a></div>
<div style="clear: both !important; display: block !important; visibility: hidden !important; line-height: 0 !important; font-size: 0.01px !important; height: 0px">
</div>
</div>
<!--[endif]-->
<div style="display:none !important;display:none;visibility:hidden;mso-hide:all;font-size:1px;color:#ffffff;line-height:1px;height:0px;max-height:0px;opacity:0;overflow:hidden;">
ZjQcmQRYFpfptBannerEnd</div>
<!-- Email Banner : END --><!-- BaNnErBlUrFlE-BoDy-end --><!-- BaNnErBlUrFlE-HeAdEr-start --><style>
#pfptBannerrlayzqe { all: revert !important; display: block !important;
visibility: visible !important; opacity: 1 !important;
background-color: #D0D8DC !important;
max-width: none !important; max-height: none !important }
.pfptPrimaryButtonrlayzqe:hover, .pfptPrimaryButtonrlayzqe:focus {
background-color: #b4c1c7 !important; }
.pfptPrimaryButtonrlayzqe:active {
background-color: #90a4ae !important; }
</style><!-- BaNnErBlUrFlE-HeAdEr-end -->
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi, you have specified an inherited (inherit only) ACE in the parent directory’s ACL, so that disables umask. New files will only get whatever ACEs they inherit. Since the only inherited ACE pertains to directories and not files, a new
file inherits no ACEs, and hence ends up with zero permissions (which I suspect is no ACEs at all in its ACL).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So you need to specify some inherited ACEs for files as well as directories. Or else use FileInherit:DirInherit:InheritOnly<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If the parent directory has no inherited ACEs in its ACL then the permissions on new files/directories are controlled by umask.<o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Steve Losen<o:p></o:p></p>
<p class="MsoNormal">Research Computing<o:p></o:p></p>
<p class="MsoNormal">University of Virginia<o:p></o:p></p>
<p class="MsoNormal"><a href="mailto:scl@virginia.edu"><span style="color:#0563C1">scl@virginia.edu</span></a> 434-924-0640<o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">gpfsug-discuss <gpfsug-discuss-bounces@gpfsug.org> on behalf of Talamo Ivano Giuseppe <ivano.talamo@psi.ch><br>
<b>Reply-To: </b>gpfsug main discussion list <gpfsug-discuss@gpfsug.org><br>
<b>Date: </b>Thursday, September 14, 2023 at 3:19 PM<br>
<b>To: </b>"gpfsug-discuss@gpfsug.org" <gpfsug-discuss@gpfsug.org><br>
<b>Subject: </b>Re: [gpfsug-discuss] Unexpected permissions with ACLs<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="0" width="100%" align="center">
</div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span style="color:black">From:</span></b><span style="color:black"> gpfsug-discuss <gpfsug-discuss-bounces@gpfsug.org> on behalf of Christof Schmitt <christof.schmitt@us.ibm.com><br>
<b>Sent:</b> 14 September 2023 18:02<br>
<b>To:</b> gpfsug-discuss@gpfsug.org <gpfsug-discuss@gpfsug.org><br>
<b>Subject:</b> Re: [gpfsug-discuss] Unexpected permissions with ACLs</span> <o:p>
</o:p></p>
<div>
<p class="MsoNormal"> > following:<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">> <br>
> special:group@:rwx-:allow:DirInherit:InheritOnly<br>
> (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE<br>
> (X)READ_ACL (X)READ_ATTR (X)READ_NAMED<br>
> (-)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH<br>
> (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED<br>
> <br>
> According to the manual, the DirInherit:InheritOnly should guarantee<br>
> that the entry applies only to the new subdirectories but now it is<br>
> also affecting new files in the main dir.<br>
> Is this an expected behavior? <br>
<br>
From an ACL perspective, yes. "InheritOnly" indicates that this entry<br>
does not grant any permissions on the directory. It is only copied<br>
as an entry to new files or subdirectories created in this directory.<br>
So if this is the only ACL entry, there are indeed no permissions on<br>
this directory.<br>
<br>
You can remove the "InheritOnly" bit, then this would also grant<br>
permission on the directory. Or you can add another ACL entry that<br>
grants permissions on the directory.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I may have not been clear enough, but that ACE has only been added to the previous 3 ACEs, so the complete one for the directory is the following:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">#NFSv4 ACL <o:p></o:p></p>
<div>
<p class="MsoNormal">#owner:root<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">#group:p15875<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">special:owner@:rwxc:allow<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> (-)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">special:group@:rwx-:allow<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> (-)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">special:everyone@:----:allow<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">special:owner@:rwx-:allow:DirInherit:InheritOnly<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> (-)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">So I would expect that the first 3 would still produce a 644 mode on the file. Am I wrong?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Cheers,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Ivano<o:p></o:p></p>
</div>
</div>
</div>
<pre>_______________________________________________</pre>
<pre>gpfsug-discuss mailing list</pre>
<pre>gpfsug-discuss at gpfsug.org</pre>
<a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org"><pre>http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org</pre></a>
<pre> </pre>
</blockquote>
</body>
</html>