[gpfsug-discuss] NF4 ACLs

Alec anacreo at gmail.com
Fri Sep 2 10:27:06 BST 2022


I believe this ACL will achieve what you're trying to do... with POSIX
permissions normally you would set a 770 umask and a file create does not
preserve execute by default, whereas a directory does.  I have just now
learned that with ACLs it does what you told it to do.  So we have to
recreate that behaviour by having a separate inheritance for both File and
Directory.

The last bit, how to preserve the sticky bit, I couldn't quite figure out
on a whim... but when I did a "chmod g+s .", the proper "DirInherit and
FileInherit:InheritOnly" were added into the ACL... and things worked as
expected.

$ mmgetacl .
#NFSv4 ACL
#owner:someuser
#group:somegroup
special:owner@:rwxc:allow:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:owner@:rw-c:allow:FileInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (X)CHOWN        (-)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:group@:rwx-:allow:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (X)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

special:group@:rw--:allow:FileInherit:InheritOnly
 (X)READ/LIST (X)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (X)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

special:everyone@:----:allow:FileInherit:DirInherit
 (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL  (-)READ_ATTR  (-)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED


On Fri, Sep 2, 2022 at 1:25 AM Jonathan Buzzard <jonathan.buzzard at strath.ac.uk> wrote:

> On 01/09/2022 22:18, Taylor Joshua George (PSI) wrote:
>
> >
> > Hi Everyone,
> > I'm trying to implement some ACLs, however some of the documentation is a
> > bit unclear to me.
> >
> > Using
> > https://www.ibm.com/docs/en/spectrum-scale/5.1.4?topic=administration-setting-nfs-v4-access-control-lists
> > as a reference, I'm trying to understand what to use to achieve 0660
> > permissions on files and 2770 on directories.
> >
>
> It's not clear from this whether you are trying to achieve the
> equivalent of 0660 and 2770 on files and directories or have an ls show
> the permissions as 0660 and 2770.
>
> > So far, I've managed to achieve 0000 perms, but user with the ACL
> > permission can chmod, or 0770 perms.
> >
>
> Basically neither of the above two options is possible because there is
> no exact mapping between POSIX permissions and NFSv4 ACLs.
>
> For example you can't get the equivalent of the set group id permission.
> You can however put an inheritable ACL for a group on the directory that
> gives r/w plus say search directory and possibly execute permissions if
> you want those as well.
>
> A user with ACL permissions can change permissions; that is completely
> expected. Note that traditional 2770 permissions are only suggestive,
> the file or member of the group would be able to change them to
> something else. In fact programs often do when you save, and Samba just
> completely ignores them for the most part. At least with NFSv4 ACLs you
> can remove the ACL permission :-)
>
> How permissions display on an ls/stat is not an exact mapping and will
> tend to go to something like 0000, but actual ability to access etc. the
> file will be based on the ACL not what you see in ls/stat.
>
> > Attached is a txt file with the mmgetacl output, as well as file
> > listing on a test file, and finally, the ACL definition I used.
> >
> > As one can see in the attachment, the ACL requested appears differently
> > for what it _actually_ applied.
> >
>
> What ACL schematics does the file system have? Is it NFSv4 or both?
>
> If you are wedded to POSIX style permissions perhaps change to POSIX ACL
> schematics on the file system?
>
>
> JAB.
>
> --
> Jonathan A. Buzzard                         Tel: +44141-5483420
> HPC System Administrator, ARCHIE-WeSt.
> University of Strathclyde, John Anderson Building, Glasgow. G4 0NG
>
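As an added example (my own code, not Alec's, Jonathan's or IBM's), here is a small checker for the technique in Alec's reply at the top of this message: it reads mmgetacl-style NFSv4 ACL text and works out, separately for entries marked FileInherit and DirInherit, what POSIX-looking mode newly created files and directories will inherit, then compares that against the 0660 / 0770 target and lists which principals hold the "c" (WRITE_ACL / CHOWN) bit, the permission Jonathan notes you may want to take away from the group. The sample ACL is a copy of the one Alec posted with the detail lines shortened; the r/w/x/c summary-column mapping and the per-bit first-match evaluation are my simplifications, and the setgid bit of 2770 is outside what the ACL summary can express, so only the rwx part is checked. It does not run mmgetacl or mmputacl itself.

```python
"""Audit an NFSv4 ACL (as printed by mmgetacl on GPFS / Spectrum Scale) for the
POSIX-like mode it hands down to new files and directories.

Added example, not from the mailing-list post. Only the ACL text is read; no
GPFS commands are executed. The 'rwxc' column is the summary mmgetacl prints
(r/w/x plus c = control, i.e. WRITE_ACL / CHOWN); named user/group entries are
parsed but do not take part in the owner/group/other mode calculation.
"""
import re

# Entry line, e.g. "special:owner@:rwxc:allow:DirInherit". The indented
# "(X)READ/LIST ..." detail lines that follow each entry are skipped.
ENTRY_RE = re.compile(
    r"^(?P<type>special|user|group):(?P<who>[^:]+):(?P<perms>[rwxc-]{4})"
    r":(?P<kind>allow|deny)(?::(?P<flags>.*))?$"
)

# Octal shift of the mode bits each special principal controls.
PRINCIPAL_SHIFT = {"owner@": 6, "group@": 3, "everyone@": 0}

# Constructed sample: the ACL from the reply above, detail lines shortened.
SAMPLE_ACL = """#NFSv4 ACL
#owner:someuser
#group:somegroup
special:owner@:rwxc:allow:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL
 (-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL

special:owner@:rw-c:allow:FileInherit:InheritOnly
special:group@:rwx-:allow:DirInherit
special:group@:rw--:allow:FileInherit:InheritOnly
special:everyone@:----:allow:FileInherit:DirInherit
"""


def parse_acl(text):
    """Return the ACL entries as dicts; comment and detail lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("("):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        flags = set(filter(None, (m.group("flags") or "").split(":")))
        entries.append({"type": m.group("type"), "who": m.group("who"),
                        "perms": m.group("perms"), "kind": m.group("kind"),
                        "flags": flags})
    return entries


def applies(entry, target):
    """target: 'file' (new files), 'dir' (new subdirectories) or 'self'."""
    flags = entry["flags"]
    if target == "file":
        return "FileInherit" in flags
    if target == "dir":
        return "DirInherit" in flags
    return "InheritOnly" not in flags      # the directory itself


def inherited_mode(entries, target):
    """Fold the matching special:* entries into an rwx mode value.

    Each (principal, bit) is decided by the first allow/deny entry that
    mentions it, mirroring NFSv4's first-match evaluation per permission bit.
    """
    mode, decided = 0, set()
    for e in entries:
        if e["type"] != "special" or not applies(e, target):
            continue
        shift = PRINCIPAL_SHIFT.get(e["who"])
        if shift is None:
            continue
        for ch, bit in (("r", 4), ("w", 2), ("x", 1)):
            if ch not in e["perms"] or (shift, bit) in decided:
                continue
            decided.add((shift, bit))
            if e["kind"] == "allow":
                mode |= bit << shift
    return mode


def audit(text, want_file=0o660, want_dir=0o770):
    """Compare the inherited modes with the target and list ACL-writing principals."""
    entries = parse_acl(text)
    file_mode = inherited_mode(entries, "file")
    dir_mode = inherited_mode(entries, "dir")
    acl_writers = sorted({e["who"] for e in entries
                          if e["kind"] == "allow" and "c" in e["perms"]})
    return {"file": file_mode, "file_ok": file_mode == want_file,
            "dir": dir_mode, "dir_ok": dir_mode == want_dir,
            "acl_writers": acl_writers}


if __name__ == "__main__":
    result = audit(SAMPLE_ACL)
    print(f"new files inherit      {result['file']:04o} "
          f"({'ok' if result['file_ok'] else 'MISMATCH'})")
    print(f"new directories inherit {result['dir']:04o} "
          f"({'ok' if result['dir_ok'] else 'MISMATCH'})")
    print("principals able to rewrite the ACL:", ", ".join(result["acl_writers"]))
```

Running it on the sample reports 0660 for files, 0770 for directories and owner@ as the only principal holding the control bit; feeding it the output of `mmgetacl` on a project directory before and after a change is a quick way to confirm the split File/Directory inheritance does what you expect.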