I’ve finally taken the time to figure things out step by step. NFSv4 ACLs, which are supported by ZFS on FreeBSD (and Solaris), are pretty cool. However, I’ve never really understood how they work. By taking the time to use the command line, I’ve figured out what I think is a good approach for a public share, one where I store old recorded TV shows.
The end result is that the permissions look like this:
getfacl .
# file: .
# owner: nobody
# group: nogroup
user:Poojan:----D---------:-d----:allow
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:----D--A-W-Co-:-d----:deny
everyone@:rwxp--a-R-c--s:-d----:allow
Or, in the more verbose format:
getfacl -v .
# file: .
# owner: nobody
# group: nogroup
user:Poojan:delete_child:dir_inherit:allow
owner@:::deny
owner@:read_data/write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
group@:write_data/append_data::deny
group@:read_data/execute::allow
everyone@:delete_child/write_attributes/write_xattr/write_acl/write_owner:dir_inherit:deny
everyone@:read_data/write_data/execute/append_data/read_attributes/read_xattr/read_acl/synchronize:dir_inherit:allow
I started by stripping the ACL back to its default entries, and, taking some good advice, simply wrote the output of getfacl . to a text file:
setfacl -b .
getfacl . > my_new_acls
I could then edit the my_new_acls file with vim to get the entries where I wanted them, and then run
setfacl -M my_new_acls .
which reads them back in and sets the current directory’s ACL to my edits. As I’ve said before, I’ve created a samba_guest user and made nobody the owner of my directory.
I could add permissions for the samba_guest user, but I decided to use the NFSv4 moniker everyone@ instead. That covers myself, too. What I want is for everyone in my household to be able to add files to the directory, but not do any damage (delete files). From the vanilla ACL set, everyone@ can append, so that was already taken care of. I found this post, with its NFSv4 ACL legend, very useful.
# file: .
# owner: nobody
# group: nogroup
owner@:::deny
owner@:read_data/write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
group@:write_data/append_data::deny
group@:read_data/execute::allow
everyone@:write_attributes/write_xattr/write_acl/write_owner::deny
everyone@:read_data/write_data/execute/append_data/read_attributes/read_xattr/read_acl/synchronize::allow
The append_data setting on the directory allows new files to be created. However, the problem is that everyone@ can also remove (delete) files from the directory. It turns out there’s a separate flag for deleting: delete_child. I just had to deny that for everyone@; to be safe, I also put write_data in the everyone@ deny list:
owner@:::deny
owner@:read_data/write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
group@:write_data/append_data::deny
group@:read_data/execute::allow
everyone@:write_data/delete_child/write_attributes/write_xattr/write_acl/write_owner::deny
everyone@:read_data/execute/append_data/read_attributes/read_xattr/read_acl/synchronize::allow
It turns out that write_data was important:
server% touch foo.txt
touch: foo.txt: Permission denied
Let’s add it back in:
owner@:::deny
owner@:read_data/write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
group@:write_data/append_data::deny
group@:read_data/execute::allow
everyone@:delete_child/write_attributes/write_xattr/write_acl/write_owner::deny
everyone@:write_data/read_data/execute/append_data/read_attributes/read_xattr/read_acl/synchronize::allow
Works:
server% touch foo.txt
server% ls -l foo.txt
-rw-r--r-- 1 my_username nogroup 0 Aug 26 20:51 foo.txt
server% rm foo.txt
rm: foo.txt: Operation not permitted
OK: so now everyone@ can create files, but can’t delete them. Except I have a cron job that runs under my user to expire old shows. So, I need to add the delete_child flag for myself so I can do that:
# file: .
# owner: nobody
# group: nogroup
user:my_username:delete_child::allow
owner@:::deny
owner@:read_data/write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
group@:write_data/append_data::deny
group@:read_data/execute::allow
everyone@:delete_child/write_attributes/write_xattr/write_acl/write_owner::deny
everyone@:write_data/read_data/execute/append_data/read_attributes/read_xattr/read_acl/synchronize::allow
Works:
server% rm foo.txt
The last step was to make all these flags inheritable, in case someone creates a new directory underneath.
# file: .
# owner: nobody
# group: nogroup
user:Poojan:delete_child:dir_inherit:allow
owner@:::deny
owner@:read_data/write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
group@:write_data/append_data::deny
group@:read_data/execute::allow
everyone@:delete_child/write_attributes/write_xattr/write_acl/write_owner:dir_inherit:deny
everyone@:read_data/write_data/execute/append_data/read_attributes/read_xattr/read_acl/synchronize:dir_inherit:allow
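To see why this final list behaves the way the touch and rm tests showed, and why the order of the entries matters, here is an added example (my own code, not part of the original post or any FreeBSD tool). It parses the verbose getfacl format that setfacl -M reads back, renders each entry in the compact 14-column form shown at the top of the post, and evaluates a request the way ZFS does: entries are walked in order and the first entry that mentions a still-undecided bit decides it. The two ACL texts are the post’s own (the attempt that also denied write_data, and the final inheritable version); the users “alice” and “Poojan”, each assumed to be in only their own group, are constructed for the example, and the model leaves out root and the ZFS dataset properties (aclmode, aclinherit) that also shape the result on a real system.

```python
# Added example (not code from the original post): a small model of how NFSv4
# ACL entries in the verbose getfacl(1) format are parsed, rendered in the
# compact 14-column form, and evaluated first-match-wins as ZFS does.
# The two ACL texts are the post's own; the users and groups they are checked
# against ("alice", "Poojan") are constructed for this example.
from dataclasses import dataclass

# Compact-format column letter for each permission, in getfacl(1) order.
COMPACT_ORDER = [
    ("read_data", "r"), ("write_data", "w"), ("execute", "x"),
    ("append_data", "p"), ("delete_child", "D"), ("delete", "d"),
    ("read_attributes", "a"), ("write_attributes", "A"),
    ("read_xattr", "R"), ("write_xattr", "W"), ("read_acl", "c"),
    ("write_acl", "C"), ("write_owner", "o"), ("synchronize", "s"),
]
# Inheritance-flag columns; the two trailing audit columns are left as '-'.
FLAG_ORDER = [("file_inherit", "f"), ("dir_inherit", "d"),
              ("inherit_only", "i"), ("no_propagate", "n")]

@dataclass
class Ace:
    who: str           # owner@ / group@ / everyone@ / user:NAME / group:NAME
    perms: frozenset   # permission names this entry mentions
    flags: frozenset   # inheritance flags, e.g. {"dir_inherit"}
    kind: str          # "allow" or "deny"

def parse_acl(text):
    """Parse verbose getfacl output; '#' comment lines are skipped."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # user:NAME carries an extra ':' in the who field, so split from the right.
        who, perms, flags, kind = line.rsplit(":", 3)
        aces.append(Ace(who, frozenset(filter(None, perms.split("/"))),
                        frozenset(filter(None, flags.split("/"))), kind))
    return aces

def compact(ace):
    """Render one entry the way plain 'getfacl' (without -v) prints it."""
    bits = "".join(ch if n in ace.perms else "-" for n, ch in COMPACT_ORDER)
    flags = "".join(ch if n in ace.flags else "-" for n, ch in FLAG_ORDER)
    return f"{ace.who}:{bits}:{flags}--:{ace.kind}"

def _matches(ace, user, groups, owner, group):
    if ace.who == "owner@":
        return user == owner
    if ace.who == "group@":
        return group in groups
    if ace.who == "everyone@":
        return True
    kind, name = ace.who.split(":", 1)
    return name == user if kind == "user" else name in groups

def check_access(aces, requested, user, groups, owner="nobody", group="nogroup"):
    """Walk the entries in order; each matching entry decides the requested
    bits it mentions that are still undecided.  A deny on any still-needed
    bit refuses the whole request, and bits no entry allowed are refused too."""
    needed = set(requested)
    for ace in aces:
        if not needed:
            break
        if not _matches(ace, user, groups, owner, group):
            continue
        hit = needed & ace.perms
        if hit and ace.kind == "deny":
            return False
        needed -= hit
    return not needed

# The post's attempt that also denied write_data (touch failed) ...
DENY_WRITE_ATTEMPT = """\
owner@:::deny
owner@:read_data/write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
group@:write_data/append_data::deny
group@:read_data/execute::allow
everyone@:write_data/delete_child/write_attributes/write_xattr/write_acl/write_owner::deny
everyone@:read_data/execute/append_data/read_attributes/read_xattr/read_acl/synchronize::allow
"""
# ... and the final, inheritable version.
FINAL_ACL = """\
user:Poojan:delete_child:dir_inherit:allow
owner@:::deny
owner@:read_data/write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
group@:write_data/append_data::deny
group@:read_data/execute::allow
everyone@:delete_child/write_attributes/write_xattr/write_acl/write_owner:dir_inherit:deny
everyone@:read_data/write_data/execute/append_data/read_attributes/read_xattr/read_acl/synchronize:dir_inherit:allow
"""

def can(acl_text, perm, user):
    """One permission for a constructed user whose only group is their own.
    On a directory, write_data is the "add file" bit that touch needs and
    delete_child the "remove entry" bit that rm needs."""
    return check_access(parse_acl(acl_text), {perm}, user, {user})

def can_if_first_entry_moved_last(acl_text, perm, user):
    """Same entries, but the leading user:Poojan allow placed after everyone@'s deny."""
    aces = parse_acl(acl_text)
    return check_access(aces[1:] + aces[:1], {perm}, user, {user})

if __name__ == "__main__":
    print("\n".join(compact(a) for a in parse_acl(FINAL_ACL)))
    print(can(DENY_WRITE_ATTEMPT, "write_data", "alice"),   # touch: denied
          can(FINAL_ACL, "write_data", "alice"),            # touch: allowed
          can(FINAL_ACL, "delete_child", "alice"),          # rm: denied
          can(FINAL_ACL, "delete_child", "Poojan"),         # cron job rm: allowed
          can_if_first_entry_moved_last(FINAL_ACL, "delete_child", "Poojan"))
```

The last call is the point worth remembering when editing the file by hand: the user:Poojan allow only works because it sits above the everyone@ deny. Move it below and the deny, which also matches Poojan, decides delete_child first, and the expiry job loses its permission even though the allow entry is still present.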