# Question about ACL under ZFS



## BarbeRousse (Jan 24, 2011)

Hello,

First my configuration.

I am using ZFS with one raidz pool:

```
root# zpool list
NAME       SIZE   USED  AVAIL    CAP  HEALTH  ALTROOT
homeData  7.25T  2.74T  4.51T    37%  ONLINE  -
```
and four ZFS filesystems:

```
root# zfs list
NAME                         USED  AVAIL  REFER  MOUNTPOINT
homeData                    2.06T  3.28T  2.02T  /homeData
homeData/A                  34.6G  3.28T  34.6G  /mountA
homeData/B                   758M  3.29T   758M  /mountB
homeData/testACL2           44.1K  3.28T  44.1K  /homeData/testACL2
```

We will focus on "/homeData" and "/homeData/testACL2".
The ZFS ACL properties are set as shown below:

```
NAME               PROPERTY    VALUE              SOURCE
homeData           aclinherit  discard            local
homeData           aclmode     discard            local
homeData/testACL2  aclinherit  passthrough        local
homeData/testACL2  aclmode     passthrough        local
```

Here is the ACL for "homeData" (default):

```
# file: /homeData/
# owner: root
# group: wheel
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow
```

and here is the one for "testACL2" (custom):

```
# file: /homeData/testACL2/
# owner: root
# group: wheel
            owner@:--------------:fd----:deny
            owner@:rwxp---A-W-Co-:fd----:allow
            group@:--------------:fd----:deny
            group@:rwxp----------:fd----:allow
         everyone@:rwxpDdaARWcCos:fd----:deny
```

Ok, now the question.
If I create a directory under the "/homeData/testACL2" like this:

```
root# mkdir /homeData/testACL2/dir1
```
the ACLs are as expected:

```
# file: /homeData/testACL2/dir1/
# owner: root
# group: wheel
            owner@:--------------:fdi---:deny
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:fdi---:allow
            owner@:rwxp---A-W-Co-:------:allow
            group@:--------------:fdi---:deny
            group@:--------------:------:deny
            group@:rwxp----------:fdi---:allow
            group@:rwxp----------:------:allow
         everyone@:rwxpDdaARWcCos:fdi---:deny
         everyone@:rwxpDdaARWcCos:------:deny
```

That's great.
I have created another directory on a UFS filesystem without the "acl" property and then moved it under the ZFS "testACL2" filesystem.

```
root# mkdir /tmp/dir2
root# mv /tmp/dir2 /homeData/testACL2/
```

The problem is here: the ACLs aren't as expected:

```
# file: /homeData/testACL2/dir3
# owner: root
# group: wheel
            owner@:--------------:fdi---:deny
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:fdi---:allow
            owner@:-------A-W-Co-:------:allow
            group@:--------------:fdi---:deny
            group@:--------------:------:deny
            group@:rwxp----------:fdi---:allow
            group@:--------------:------:allow
         everyone@:rwxpDdaARWcCos:fdi---:deny
         everyone@:----DdaARWcCos:------:deny
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow
```

It seems to be a mix of homeData, testACL2 and something else.

It seems that three of the entries without inheritance flags (the owner@ allow, the group@ allow and the everyone@ deny) are the same as the fdi entry just above them, but without the first four bits (rwxp).

Is this normal? How can I avoid that behavior?
Each file or directory moved from one place to another will get "wrong" ACLs.
I will have to modify each one by hand.

Thank you.

Best regards,


----------



## phoenix (Jan 24, 2011)

Have a read through the zfs(8) man page, especially the parts about the *aclmode* and *aclinherit* properties.


----------



## BarbeRousse (Jan 25, 2011)

Hello phoenix,

I think this part about *aclinherit* is interesting:

```
When the property value is set to "passthrough," files are created
with a mode determined by the inheritable ACEs. If  no  inheritable
ACEs exist that affect the mode, then the mode is set in accordance
to the requested mode from the application.
```

It doesn't change anything, I don't know why.
I must be missing a trick.

All mode bits are specified for *owner@*, *group@* and *everyone@* in both *allow* and *deny*.

Here is the new ACL of the parent directory:

```
# file: /testACL2/
# owner: root
# group: wheel
            owner@:-------------s:------:deny
            owner@:rwxpDdaARWcCo-:------:allow
            owner@:-------------s:fd----:deny
            owner@:rwxpDdaARWcCo-:fd----:allow
            group@:-------------s:------:deny
            group@:rwxpDdaARWcCo-:------:allow
            group@:-------------s:fd----:deny
            group@:rwxpDdaARWcCo-:fd----:allow
         everyone@:-w-pDd-A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow
         everyone@:-w-pDd-A-W-Co-:fd----:deny
         everyone@:r-x---a-R-c--s:fd----:allow
```

Now about dir1:

```
root# mkdir /testACL2/dir1
root# getfacl /testACL2/dir1
# file: /testACL2/dir1
# owner: root
# group: wheel
            owner@:-------------s:fdi---:deny
            owner@:-------------s:------:deny
            owner@:rwxpDdaARWcCo-:fdi---:allow
            owner@:rwxpDdaARWcCo-:------:allow
            group@:-------------s:fdi---:deny
            group@:-------------s:------:deny
            group@:rwxpDdaARWcCo-:fdi---:allow
            group@:rwxpDdaARWcCo-:------:allow
         everyone@:-w-pDd-A-W-Co-:fdi---:deny
         everyone@:-w-pDd-A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:fdi---:allow
         everyone@:r-x---a-R-c--s:------:allow
```

And for dir2:

```
root# mkdir /tmp/dir2
root# mv /tmp/dir2 /testACL2/
root# getfacl /testACL2/dir2
# file: /testACL2/dir2
# owner: root
# group: wheel
            owner@:-------------s:fdi---:deny
            owner@:-------------s:------:deny
            owner@:rwxpDdaARWcCo-:fdi---:allow
            owner@:----DdaARWcCo-:------:allow
            group@:-------------s:fdi---:deny
            group@:-------------s:------:deny
            group@:rwxpDdaARWcCo-:fdi---:allow
            group@:----DdaARWcCo-:------:allow
         everyone@:-w-pDd-A-W-Co-:fdi---:deny
         everyone@:----Dd-A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:fdi---:allow
         everyone@:------a-R-c--s:------:allow
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow
```

Are the mkdir and mv applications handled in a different way by ZFS ACLs?
Please give me an example in which it works.

Thank you.


----------
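An added analysis, not part of the thread and not the posters' code: the Python script below parses the two getfacl(1) listings from the second post (dir1 made with mkdir, dir2 moved in with mv) and separates what ZFS inheritance produced from what was added afterwards. The reading it supports is the one the first question hints at: on FreeBSD, mv(1) across filesystems copies the tree and then restores the source's mode with chmod(2) (cp -p semantics), so unlike mkdir(1), which only inherits, the moved directory also goes through the dataset's aclmode handling. With aclmode=passthrough that shows up in two ways in the dir2 listing: the effective copies of the inherited entries lose exactly their rwxp columns, and six flag-less owner@/group@/everyone@ entries encoding the chmod mode are appended; that mode is 0755, which is what a directory created under /tmp with umask 022 gets. The script assumes the FreeBSD getfacl output layout (permission columns rwxpDdaARWcCos, six flag columns where f/d mark inheritable entries and i means inherit_only) and runs offline on the quoted text; the listings are copied from the post, not captured by the editor.

```python
"""Editor-added example (not the posters' code): dissect the getfacl(1) listings
quoted in the thread to separate what ZFS inheritance produced from what was
added afterwards.  Assumes FreeBSD NFSv4 getfacl(1) output laid out as
    who@:<14 permission columns rwxpDdaARWcCos>:<6 flag columns>:allow|deny
The listings are copied from the second post, not captured by the editor."""
from collections import namedtuple

# dir1: created in place with mkdir(1) under /testACL2
DIR1 = """
owner@:-------------s:fdi---:deny
owner@:-------------s:------:deny
owner@:rwxpDdaARWcCo-:fdi---:allow
owner@:rwxpDdaARWcCo-:------:allow
group@:-------------s:fdi---:deny
group@:-------------s:------:deny
group@:rwxpDdaARWcCo-:fdi---:allow
group@:rwxpDdaARWcCo-:------:allow
everyone@:-w-pDd-A-W-Co-:fdi---:deny
everyone@:-w-pDd-A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:fdi---:allow
everyone@:r-x---a-R-c--s:------:allow
"""

# dir2: created under /tmp (UFS, umask 022), then moved in with mv(1)
DIR2 = """
owner@:-------------s:fdi---:deny
owner@:-------------s:------:deny
owner@:rwxpDdaARWcCo-:fdi---:allow
owner@:----DdaARWcCo-:------:allow
group@:-------------s:fdi---:deny
group@:-------------s:------:deny
group@:rwxpDdaARWcCo-:fdi---:allow
group@:----DdaARWcCo-:------:allow
everyone@:-w-pDd-A-W-Co-:fdi---:deny
everyone@:----Dd-A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:fdi---:allow
everyone@:------a-R-c--s:------:allow
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
"""

# perms: 14 columns, the first four (rwxp) are what chmod(2) can express;
# flags: 6 columns, 'f'/'d' mark inheritable entries and 'i' inherit_only
Ace = namedtuple("Ace", "who perms flags kind")

def parse_acl(text):
    """Parse getfacl(1) ACE lines, skipping blank lines and '#' header lines."""
    aces = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        who, perms, flags, kind = line.split(":")
        if len(perms) != 14 or len(flags) != 6 or kind not in ("allow", "deny"):
            raise ValueError(f"unexpected getfacl line: {line!r}")
        aces.append(Ace(who, perms, flags, kind))
    return aces

def classify(aces):
    """Pair each inherit_only ACE with the effective copy ZFS writes right after
    it (passthrough inheritance of an 'fd' entry yields both); anything not
    part of such a pair did not come from inheritance."""
    pairs, extra, i = [], [], 0
    while i < len(aces):
        cur = aces[i]
        nxt = aces[i + 1] if i + 1 < len(aces) else None
        if ("i" in cur.flags and nxt is not None and "i" not in nxt.flags
                and nxt.who == cur.who and nxt.kind == cur.kind):
            pairs.append((cur, nxt))
            i += 2
        else:
            extra.append(cur)
            i += 1
    return pairs, extra

def mode_from_allow_entries(aces):
    """POSIX mode encoded by the rwx columns of owner@/group@/everyone@ allows."""
    mode = 0
    for shift, who in ((6, "owner@"), (3, "group@"), (0, "everyone@")):
        for ace in (a for a in aces if a.who == who and a.kind == "allow"):
            bits = (ace.perms[0] == "r") * 4 + (ace.perms[1] == "w") * 2
            mode |= (bits + (ace.perms[2] == "x")) << shift
    return mode

def analyse(listing):
    """Report how far a directory's ACL deviates from pure inheritance."""
    pairs, extra = classify(parse_acl(listing))
    # an effective copy that differs from its inherit_only twin was rewritten later
    rewritten = [(e.who, e.kind, p.perms, e.perms) for p, e in pairs if p.perms != e.perms]
    return {
        "inherited_pairs": len(pairs),
        "rewritten": rewritten,
        "only_rwxp_cleared": all(a == "----" + b[4:] for _, _, b, a in rewritten),
        "extra_entries": len(extra),
        "extra_are_plain": all(e.flags == "------" for e in extra),  # no inherit flags
        "extra_mode": mode_from_allow_entries(extra),  # 0o755 for dir2
    }
```

Calling `analyse(DIR1)` reports six inherited pairs, nothing rewritten and no extra entries, while `analyse(DIR2)` reports four rewritten entries (each with only rwxp cleared) plus six plain entries encoding mode 0755. If this reading is right, `mkdir /testACL2/dir3; chmod 755 /testACL2/dir3; getfacl /testACL2/dir3` on the poster's system should reproduce the dir2 listing without any mv involved, which is the quickest way to confirm that the difference comes from the chmod that mv performs and not from mv itself.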

