{"id":503,"date":"2011-08-27T01:56:31","date_gmt":"2011-08-27T01:56:31","guid":{"rendered":"http:\/\/poojanwagh.opalstacked.com\/techblog\/?p=503"},"modified":"2011-12-16T20:12:28","modified_gmt":"2011-12-16T20:12:28","slug":"zfs-nfsv4-acls-for-a-public-samba-share","status":"publish","type":"post","link":"https:\/\/tech.poojanblog.com\/blog\/un\/zfs-nfsv4-acls-for-a-public-samba-share\/","title":{"rendered":"ZFS \/ NFSv4 ACL’s for a public Samba share"},"content":{"rendered":"

I’ve finally taken the time to figure things out step-by-step. NFSv4 ACL’s, which are supported by ZFS on FreeBSD (and Solaris) are pretty cool. However, I’ve never really understand how they work. By taking the time to use the command-line, I’ve figured out what I think is a good approach for a public share–one where I store old Recorded TV shows.<\/p>\n

<\/p>\n

The end result is that the permissions look like this:<\/p>\n


\ngetfacl .
\n# file: .
\n# owner: nobody
\n# group: nogroup
\nuser:Poojan:—-D———:-d—-:allow
\nowner@:————–:——:deny
\nowner@:rwxp—A-W-Co-:——:allow
\ngroup@:-w-p———-:——:deny
\ngroup@:r-x———–:——:allow
\neveryone@:—-D–A-W-Co-:-d—-:deny
\neveryone@:rwxp–a-R-c–s:-d—-:allow
\n<\/code>
\nOr, in the more verbose format:
\n
\ngetfacl -v .
\n# file: .
\n# owner: nobody
\n# group: nogroup
\nuser:Poojan:delete_child:dir_inherit:allow
\nowner@:::deny
\nowner@:read_data\/write_data\/execute\/append_data\/write_attributes\/write_xattr\/write_acl\/write_owner::allow
\ngroup@:write_data\/append_data::deny
\ngroup@:read_data\/execute::allow
\neveryone@:delete_child\/write_attributes\/write_xattr\/write_acl\/write_owner:dir_inherit:deny
\neveryone@:read_data\/write_data\/execute\/append_data\/read_attributes\/read_xattr\/read_acl\/synchronize:dir_inherit:allow
\n<\/code><\/p>\n

I started by removing all entries to their default, and I took some good advice and simply outputed the result of getfacl . to a text file:<\/p>\n
\nsetfacl -b .
\ngetfacl . > my_new_acls
\n<\/code>\n

I then could then edit the my_new_acls<\/code> file to get them where I wanted to with vim, and then do a<\/p>\n
\nsetfacl -M my_new_acls .
\n<\/code>\n

which would read them in and set the current directory’s ACL’s to my new edits. As I’ve said before<\/a>, I’ve created a samba_guest<\/code> user and made nobody<\/code> the owner of my directory.<\/p>\n

I could<\/em> add permissions under the samba_guest<\/code> directory, but I decided to use the NFSv4 moniker everyone@<\/code> instead. That covers myself, too. What I want is for everyone in my household to be able to add files to the directory, but not do any damage (delete files). From the vanilla ACL set, everyone@<\/code> can append, so that was already taken care of. I found this post, with its NFSv4 ACL legend<\/a> to be very useful.
\n
\n# file: .
\n# owner: nobody
\n# group: nogroup
\n owner@:::deny
\n owner@:read_data\/write_data\/execute\/append_data\/write_attributes\/write_xattr\/write_acl\/write_owner::allow
\n group@:write_data\/append_data::deny
\n group@:read_data\/execute::allow
\n everyone@:write_attributes\/write_xattr\/write_acl\/write_owner::deny
\n everyone@:read_data\/write_data\/execute\/append_data\/read_attributes\/read_xattr\/read_acl\/synchronize::allow
\n<\/code>
\nThe append_data setting on the directory allows new files to be created. However, the problem is that everyone@<\/code> can also remove (delete) files from the directory. Turns out, there’s a separate flag for deleting: delete_chid<\/code>. I just had to deny<\/code> that for everyone@<\/code>; to be safe, I also put write_data<\/code> in the everyone@<\/code> deny list:
\n
\n owner@:::deny
\n owner@:read_data\/write_data\/execute\/append_data\/write_attributes\/write_xattr\/write_acl\/write_owner::allow
\n group@:write_data\/append_data::deny
\n group@:read_data\/execute::allow
\n everyone@:write_data\/delete_child\/write_attributes\/write_xattr\/write_acl\/write_owner::deny
\n everyone@:read_data\/execute\/append_data\/read_attributes\/read_xattr\/read_acl\/synchronize::allow
\n<\/code>
\nTurns out that write_data<\/code> was important:
\n
\nserver% touch foo.txt
\ntouch: foo.txt: Permission denied
\n<\/code>
\nLet’s add it back in:
\n
\n owner@:::deny
\n owner@:read_data\/write_data\/execute\/append_data\/write_attributes\/write_xattr\/write_acl\/write_owner::allow
\n group@:write_data\/append_data::deny
\n group@:read_data\/execute::allow
\n everyone@:delete_child\/write_attributes\/write_xattr\/write_acl\/write_owner::deny
\n everyone@:write_data\/read_data\/execute\/append_data\/read_attributes\/read_xattr\/read_acl\/synchronize::allow
\n<\/code>
\nWorks:
\n
\nserver% touch foo.txt
\nserver% ls -l foo.txt
\n-rw-r–r– 1 my_username nogroup 0 Aug 26 20:51 foo.txt
\nserver% rm foo.txt
\nrm: foo.txt: Operation not permitted
\n<\/code><\/p>\n

OK: so now everyone@<\/code> can create files, but can’t delete them. Except I have a cron<\/code> job that runs under my user to expire out old shows. So, I need to add in the delete_child<\/code> flag for myself so I can do that:
\n
\n# file: .
\n# owner: nobody
\n# group: nogroup
\n user:my_username:delete_child::allow
\n owner@:::deny
\n owner@:read_data\/write_data\/execute\/append_data\/write_attributes\/write_xattr\/write_acl\/write_owner::allow
\n group@:write_data\/append_data::deny
\n group@:read_data\/execute::allow
\n everyone@:delete_child\/write_attributes\/write_xattr\/write_acl\/write_owner::deny
\n everyone@:write_data\/read_data\/execute\/append_data\/read_attributes\/read_xattr\/read_acl\/synchronize::allow
\n<\/code>
\nWorks:
\n
\nserver% rm foo.txt
\n<\/code>
\nThe last step was to make all these flags inheritable–in case someone creates a new directory underneath.
\n
\n# file: .
\n# owner: nobody
\n# group: nogroup
\n user:Poojan:delete_child:dir_inherit:allow
\n owner@:::deny
\n owner@:read_data\/write_data\/execute\/append_data\/write_attributes\/write_xattr\/write_acl\/write_owner::allow
\n group@:write_data\/append_data::deny
\n group@:read_data\/execute::allow
\n everyone@:delete_child\/write_attributes\/write_xattr\/write_acl\/write_owner:dir_inherit:deny
\n everyone@:read_data\/write_data\/execute\/append_data\/read_attributes\/read_xattr\/read_acl\/synchronize:dir_inherit:allow
\n<\/code><\/p>\n