[gpfsug-discuss] Unexpected permissions with ACLs

Christof Schmitt christof.schmitt at us.ibm.com
Thu Sep 14 17:02:00 BST 2023


On Thu, 2023-09-14 at 13:25 +0000, Talamo Ivano Giuseppe wrote:
> #NFSv4 ACL
> #owner:root
> #group:p15875
> special:owner@:rwxc:allow
>  (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
>  (-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
> 
> special:group@:rwxc:allow
>  (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
>  (-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
> 
> special:everyone@:----:allow
>  (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
>  (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
> 
> If I touch a new file inside that dir with a user that is a member of
> that group, it gets created with 644. So far so good.

Yes. The rule for the modebits is quite simple: the read/write/execute
permission bits from the special:owner, group and everyone entries map
to the modebits shown. Note that in this case, the modebits are just
a limited view of the actual ACL; there are more permission bits that
are not shown and there could be additional ACL entries that are
also not reflected in the modebits.

> Now if via mmeditacl I add the following entry to the ACL of the dir,
> new files get created with 000 permissions. The new entry is the
> following:
> 
> special:group@:rwx-:allow:DirInherit:InheritOnly
>  (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
>  (-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
> 
> According to the manual, the DirInherit:InheritOnly should guarantee
> that the entry applies only to the new subdirectories but now it is
> also affecting new files in the main dir.
> Is this an expected behavior? 

From an ACL perspective, yes. "InheritOnly" indicates that this entry
does not grant any permissions on the directory. It is only copied
as an entry to new files or subdirectories created in this directory.
So if this is the only ACL entry, there are indeed no permissions on
this directory.

You can remove the "InheritOnly" bit, then this would also grant
permission on the directory. Or you can add another ACL entry that
grants permissions on the directory.


> The filesystem version is 5.1.5.0 and is configured with nfs4 ACLs
> only.

This behavior is pretty much independent of the Scale version; it
has been around for a long time.

> In general, I am struggling a lot with the NFS4 ACLs and I also find
> the IBM documentation [1] quite poor in this context. So if someone
> can point me to better resources that would be very welcome.

Essentially there can be many entries in an ACL ("ACEs"). Each entry
grants permissions for the specified principal (or denies if it is a
DENY ACE, but that is less commonly used). On creating files or
subdirectories, the "inherit" flags specify which entries are copied
to the new file/subdirectory. That is the very short version, but
this could probably be documented in a better way.

Regards,

Christof
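The following is an added worked example, not code from the thread, from IBM or from Spectrum Scale. It models ACL entries in the text format mmgetacl prints, applies the modebit rule stated in the reply above (only the r/w/x letters of the special:owner@, group@ and everyone@ allow entries are visible as mode bits, and an InheritOnly entry grants nothing on the directory that carries it), and simulates which entries a new file or subdirectory would receive. The inheritance logic is a simplified reading of the NFSv4 rules in RFC 5661 section 6.2.1.4 (FileInherit, DirInherit, InheritOnly); how Scale combines inherited entries with the create mode and umask is not modelled, and NoPropagateInherit is parsed but ignored. The class and function names (Ace, parse_acl, mode_bits, inherit, summarize) and the sample ACL text, which combines the directory ACL and the added entry quoted above, are this example's own.

```python
"""Added example: model of NFSv4 ACEs as printed by mmgetacl, with the
mode-bit view and a simplified inheritance simulation (not Scale's own code)."""
from dataclasses import dataclass

# Flag names as mmgetacl spells them; only the first three are modelled below.
KNOWN_FLAGS = {"FileInherit", "DirInherit", "InheritOnly",
               "NoPropagateInherit", "Inherited"}
# Position of each special principal's r/w/x triple in the mode word.
SPECIAL_SHIFT = {"special:owner@": 6, "special:group@": 3, "special:everyone@": 0}


@dataclass(frozen=True)
class Ace:
    principal: str    # "special:owner@", "user:alice", "group:p15875"
    perms: str        # mmgetacl's 4-letter summary: r, w, x, c (control) or '-'
    kind: str         # "allow" or "deny"
    flags: frozenset  # inheritance flags


def parse_ace(line: str) -> Ace:
    """Parse one ACE header, e.g. 'special:group@:rwx-:allow:DirInherit:InheritOnly'."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not an ACE header: {line!r}")
    principal = ":".join(parts[:2])          # the principal itself contains one colon
    perms, kind, *flags = parts[2:]
    if kind not in ("allow", "deny") or len(perms) != 4:
        raise ValueError(f"malformed ACE: {line!r}")
    unknown = set(flags) - KNOWN_FLAGS
    if unknown:
        raise ValueError(f"unknown flag(s) {sorted(unknown)} in {line!r}")
    return Ace(principal, perms, kind, frozenset(flags))


def parse_acl(text: str) -> list[Ace]:
    """Parse mmgetacl output; '#' header lines and '(X)...' detail lines are skipped."""
    return [parse_ace(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith(("#", "("))]


def applies_to_object(ace: Ace) -> bool:
    """An InheritOnly entry grants nothing on the directory that carries it."""
    return "InheritOnly" not in ace.flags


def mode_bits(aces: list[Ace]) -> int:
    """Mode bits per the reply: r/w/x of the special owner@/group@/everyone@ allow
    entries that apply to the object. Deny entries, named users/groups and the
    'c' (control) bit are not visible in the mode (simplification)."""
    mode = 0
    for ace in aces:
        shift = SPECIAL_SHIFT.get(ace.principal)
        if ace.kind != "allow" or shift is None or not applies_to_object(ace):
            continue
        triple = ((4 if "r" in ace.perms else 0) | (2 if "w" in ace.perms else 0)
                  | (1 if "x" in ace.perms else 0))
        mode |= triple << shift
    return mode


def inherit(aces: list[Ace], new_is_dir: bool) -> list[Ace]:
    """Entries a new child receives (simplified RFC 5661 6.2.1.4 rules, an assumption):
    new file: FileInherit entries, with all inheritance flags cleared;
    new subdirectory: DirInherit entries with InheritOnly cleared (they now apply),
    plus FileInherit-only entries passed through with InheritOnly set."""
    out = []
    for ace in aces:
        if not new_is_dir:
            if "FileInherit" in ace.flags:
                out.append(Ace(ace.principal, ace.perms, ace.kind, frozenset()))
        elif "DirInherit" in ace.flags:
            out.append(Ace(ace.principal, ace.perms, ace.kind, ace.flags - {"InheritOnly"}))
        elif "FileInherit" in ace.flags:
            out.append(Ace(ace.principal, ace.perms, ace.kind, ace.flags | {"InheritOnly"}))
    return out


def drop_inherit_only(aces: list[Ace]) -> list[Ace]:
    """The first remedy from the reply: clear InheritOnly so the entry also applies here."""
    return [Ace(a.principal, a.perms, a.kind, a.flags - {"InheritOnly"}) for a in aces]


# Constructed sample: the directory ACL from the thread plus the added entry.
DIR_ACL = """\
#NFSv4 ACL
#owner:root
#group:p15875
special:owner@:rwxc:allow
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
special:group@:rwxc:allow
special:everyone@:----:allow
special:group@:rwx-:allow:DirInherit:InheritOnly
"""


def summarize(acl_text: str) -> dict:
    aces = parse_acl(acl_text)
    return {"dir_mode": mode_bits(aces),
            "applies_to_dir": [a for a in aces if applies_to_object(a)],
            "new_file": inherit(aces, new_is_dir=False),
            "new_subdir": inherit(aces, new_is_dir=True)}


if __name__ == "__main__":
    s = summarize(DIR_ACL)
    print(f"directory mode bits: {s['dir_mode']:04o}")
    print("entries a new file inherits:", s["new_file"] or "none")
    print("entries a new subdirectory inherits:", s["new_subdir"])
    only = [parse_ace("special:group@:rwx-:allow:DirInherit:InheritOnly")]
    print(f"only that entry: {mode_bits(only):04o}; "
          f"with InheritOnly removed: {mode_bits(drop_inherit_only(only)):04o}")
```

Running it shows the directory itself still at 0770 (the InheritOnly entry contributes nothing), no entries at all flowing to a new file (nothing carries FileInherit), and the group@ entry arriving on a new subdirectory with InheritOnly cleared. With that entry as the sole ACE the mode is 0000, and clearing InheritOnly turns it into 0070, which is the first fix suggested in the reply.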

