
ZFS / NFSv4 ACLs for a public Samba share

I've finally taken the time to figure things out step by step. NFSv4 ACLs, which ZFS supports on FreeBSD (and Solaris), are pretty cool. However, I've never really understood how they work. By working through it on the command line, I've arrived at what I think is a good approach for a public share, one where I store old recorded TV shows.

The end result is that the permissions look like this:


getfacl .
# file: .
# owner: nobody
# group: nogroup
user:Poojan:----D---------:-d----:allow
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:----D--A-W-Co-:-d----:deny
everyone@:rwxp--a-R-c--s:-d----:allow

Or, in the more verbose format:

getfacl -v .
# file: .
# owner: nobody
# group: nogroup
user:Poojan:delete_child:dir_inherit:allow
owner@:::deny
owner@:read_data/write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
group@:write_data/append_data::deny
group@:read_data/execute::allow
everyone@:delete_child/write_attributes/write_xattr/write_acl/write_owner:dir_inherit:deny
everyone@:read_data/write_data/execute/append_data/read_attributes/read_xattr/read_acl/synchronize:dir_inherit:allow

I started by stripping the ACL back to its defaults (setfacl -b removes every entry except the ones synthesized from the file mode), and I took some good advice and simply wrote the output of getfacl . to a text file:


setfacl -b .
getfacl . > my_new_acls

I could then edit the my_new_acls file in vim to get the entries where I wanted them, and then run


setfacl -M my_new_acls .

which reads them in and sets the current directory's ACL to my edits. As I've said before, I've created a samba_guest user and made nobody the owner of the directory.

I could have added an entry for the samba_guest user, but I decided to use the NFSv4 principal everyone@ instead, which covers me too. What I want is for everyone in my household to be able to add files to the directory but not do any damage (delete files). In the vanilla ACL set below, everyone@ is already allowed write_data (add_file on a directory) and append_data (add_subdirectory), so creating entries was already taken care of. I found this post, with its NFSv4 ACL legend, very useful.

# file: .
# owner: nobody
# group: nogroup
owner@:::deny
owner@:read_data/write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
group@:write_data/append_data::deny
group@:read_data/execute::allow
everyone@:write_attributes/write_xattr/write_acl/write_owner::deny
everyone@:read_data/write_data/execute/append_data/read_attributes/read_xattr/read_acl/synchronize::allow

At first I assumed that append_data on the directory was what allowed new files to be created (it is actually add_subdirectory; on a directory, write_data is add_file, as the next step shows). The real problem, though, is that everyone@ can also remove (delete) files from the directory. It turns out there's a separate permission for that: delete_child. I just had to deny it for everyone@. To be safe, I also put write_data in the everyone@ deny list:

owner@:::deny
owner@:read_data/write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
group@:write_data/append_data::deny
group@:read_data/execute::allow
everyone@:write_data/delete_child/write_attributes/write_xattr/write_acl/write_owner::deny
everyone@:read_data/execute/append_data/read_attributes/read_xattr/read_acl/synchronize::allow

Turns out that write_data was important: on a directory it is the add_file permission, so denying it blocks file creation:

server% touch foo.txt
touch: foo.txt: Permission denied

Let’s add it back in:

owner@:::deny
owner@:read_data/write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
group@:write_data/append_data::deny
group@:read_data/execute::allow
everyone@:delete_child/write_attributes/write_xattr/write_acl/write_owner::deny
everyone@:write_data/read_data/execute/append_data/read_attributes/read_xattr/read_acl/synchronize::allow

Works:

server% touch foo.txt
server% ls -l foo.txt
-rw-r--r-- 1 my_username nogroup 0 Aug 26 20:51 foo.txt
server% rm foo.txt
rm: foo.txt: Operation not permitted

OK: so now everyone@ can create files but can't delete them. Except that I have a cron job running under my user to expire old shows, so I need a delete_child allow entry for myself. It has to come before the everyone@ deny, because NFSv4 entries are evaluated in order and the first entry that decides a permission wins:

# file: .
# owner: nobody
# group: nogroup
user:my_username:delete_child::allow
owner@:::deny
owner@:read_data/write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
group@:write_data/append_data::deny
group@:read_data/execute::allow
everyone@:delete_child/write_attributes/write_xattr/write_acl/write_owner::deny
everyone@:write_data/read_data/execute/append_data/read_attributes/read_xattr/read_acl/synchronize::allow

Works:

server% rm foo.txt

The last step was to make these entries inheritable, in case someone creates a new directory underneath. Two caveats: dir_inherit only applies to directories created after the ACL is set (existing subdirectories keep whatever they had), and with ZFS's default aclmode=discard a plain chmod on the directory throws all of these entries away.

# file: .
# owner: nobody
# group: nogroup
user:Poojan:delete_child:dir_inherit:allow
owner@:::deny
owner@:read_data/write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
group@:write_data/append_data::deny
group@:read_data/execute::allow
everyone@:delete_child/write_attributes/write_xattr/write_acl/write_owner:dir_inherit:deny
everyone@:read_data/write_data/execute/append_data/read_attributes/read_xattr/read_acl/synchronize:dir_inherit:allow
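To see why the entry order above matters, here is a small model of NFSv4 ACL evaluation, added as an illustration (it is not code from this post, and it is not how ZFS is implemented). It parses entries in the getfacl -v format used throughout this post, prints the compact form that plain getfacl shows (the legend I referred to: rwxpDdaARWcCos for the permissions, fdinSF for the flags), and walks the entries in order the way NFSv4 does: the first entry that mentions a still-undecided permission settles it, deny or allow. The ACL text embedded in the script is the final ACL from this post; the user names other than Poojan (alice) and the group memberships are made up for the example.

```python
# Added illustration, not code from the post: a model of NFSv4 ACL evaluation
# as ZFS on FreeBSD exposes it.  Parses "getfacl -v" style entries, renders the
# compact "getfacl" form, and answers "may user X do Y on this directory?" by
# walking the ACEs in order (first entry to decide a permission bit wins).

PERMS = [  # order matches the compact column order rwxpDdaARWcCos
    "read_data", "write_data", "execute", "append_data", "delete_child",
    "delete", "read_attributes", "write_attributes", "read_xattr",
    "write_xattr", "read_acl", "write_acl", "write_owner", "synchronize",
]
PERM_CHARS = "rwxpDdaARWcCos"
# On a directory the same bits carry directory meanings.
PERM_ALIASES = {"list_directory": "read_data", "add_file": "write_data",
                "add_subdirectory": "append_data"}
FLAGS = ["file_inherit", "dir_inherit", "inherit_only", "no_propagate",
         "successful_access", "failed_access"]
FLAG_CHARS = "fdinSF"  # six-column flag field, as in the post's getfacl output

# Constructed sample: the post's final ACL, verbatim.
FINAL_ACL = """\
# file: .
# owner: nobody
# group: nogroup
user:Poojan:delete_child:dir_inherit:allow
owner@:::deny
owner@:read_data/write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
group@:write_data/append_data::deny
group@:read_data/execute::allow
everyone@:delete_child/write_attributes/write_xattr/write_acl/write_owner:dir_inherit:deny
everyone@:read_data/write_data/execute/append_data/read_attributes/read_xattr/read_acl/synchronize:dir_inherit:allow
"""


def parse_acl(text):
    """Return (owner, group, entries); each entry has principal/perms/flags/kind."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# owner:"):
                owner = line.split(":", 1)[1].strip()
            elif line.startswith("# group:"):
                group = line.split(":", 1)[1].strip()
            continue
        # The principal may itself contain a colon (user:Poojan), so peel the
        # three trailing fields off from the right.
        parts = line.rsplit(":", 3)
        if len(parts) != 4 or parts[3] not in ("allow", "deny"):
            raise ValueError("malformed ACE: " + line)
        principal, perms, flags, kind = parts
        perm_set = {PERM_ALIASES.get(p, p) for p in perms.split("/") if p}
        flag_set = {f for f in flags.split("/") if f}
        if perm_set - set(PERMS) or flag_set - set(FLAGS):
            raise ValueError("unknown permission or flag: " + line)
        entries.append({"principal": principal, "perms": perm_set,
                        "flags": flag_set, "kind": kind})
    return owner, group, entries


def to_compact(entry):
    """Render one entry the way plain getfacl prints it."""
    perms = "".join(c if p in entry["perms"] else "-" for p, c in zip(PERMS, PERM_CHARS))
    flags = "".join(c if f in entry["flags"] else "-" for f, c in zip(FLAGS, FLAG_CHARS))
    return "%s:%s:%s:%s" % (entry["principal"], perms, flags, entry["kind"])


def applies(entry, who, groups, owner, group):
    """Does this ACE's principal match the requesting user?"""
    p = entry["principal"]
    if p == "everyone@":              # everyone, the owner included
        return True
    if p == "owner@":
        return who == owner
    if p == "group@":
        return group in groups
    kind, _, name = p.partition(":")
    return name == who if kind == "user" else (kind == "group" and name in groups)


def check_access(acl_text, who, groups, requested):
    """True if every permission in `requested` is granted to `who`.

    Models the per-object ACE walk only.  For rm, ZFS additionally honours a
    'delete' ACE on the file itself; that is not modelled here."""
    owner, group, entries = parse_acl(acl_text)
    wanted = {PERM_ALIASES.get(p, p) for p in requested}
    for e in entries:
        if not applies(e, who, groups, owner, group):
            continue
        if e["kind"] == "deny":
            if wanted & e["perms"]:   # an undecided bit is denied: stop here
                return False
        else:
            wanted -= e["perms"]      # these bits are now settled as allowed
        if not wanted:
            return True
    return not wanted                 # nothing ever granted the leftovers


def household_can(who, groups, *perms):
    """Convenience wrapper over the post's final ACL."""
    return check_access(FINAL_ACL, who, set(groups), perms)


if __name__ == "__main__":
    for e in parse_acl(FINAL_ACL)[2]:
        print(to_compact(e))
    # user:Poojan sits before the everyone@ deny, so the cron job's user may
    # delete; alice (made-up household user) and even owner nobody may not.
    for who, grp in (("alice", ["users"]), ("Poojan", ["users"]), ("nobody", ["nogroup"])):
        print(who, "add_file:", household_can(who, grp, "add_file"),
              "delete_child:", household_can(who, grp, "delete_child"))
```

Running it shows the two things this post stumbled over: owner nobody gets write_data from the owner@ allow before the group@ deny is ever reached, and nobody is still refused delete_child because no entry ahead of the everyone@ deny grants it. Swap the user:Poojan line below the everyone@ deny and the cron job loses its delete right, which is exactly why it has to be listed first.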
