# NFSv4 ACLs - deny owner write ACL permission



## anodos (Jun 7, 2017)

owner@ is always allowed to write ACLs as a foot-shooting protection mechanism. Sometimes I really want to shoot my foot.

In samba with "zfsacl" enabled and "nfs4:mode = simple", owner@ roughly corresponds with "creator-owner". There are times when I'm wearing my windows/samba admin hat that I want to limit the ability of non-admin users (including "creator-owner") to modify permissions in a share. At present, I don't believe there's a way to do this in FreeBSD, even using the command `setfacl -m owner@:C:fd:deny /path/to/share`

Does anyone have a workaround for this?


----------



## amartin (Dec 12, 2017)

Did you ever figure out how to solve this? I am also interested in how to prevent owner@ from being able to modify ACLs. I see that this fix exists for ZFS on Solaris-based systems, however the .zfs/shares directory does not seem to exist on OpenZFS. How else can owner@ be prevented from being able to modify ACLs?


----------



## SirDice (Dec 13, 2017)

> The owner of the file is granted the write_acl permission unconditionally, even if the permission is explicitly denied.


https://docs.oracle.com/cd/E23823_01/html/819-5461/gbace.html



anodos said:


> Does anyone have a workaround for this?


Simplest solution: change the ownership of the files. If the user doesn't own the file, he/she can't change the ACL.


----------



## amartin (Jan 4, 2018)

SirDice said:


> https://docs.oracle.com/cd/E23823_01/html/819-5461/gbace.html



I am aware of this, but on Solaris ZFS, you can follow these instructions to change the ACL set for `everyone@` to `modify_set`, which prevents owners from modifying the ACLs on files they own:

```sh
/usr/bin/chmod A=\
user:root:full_set:-------:allow,\
everyone@:modify_set:-------:allow \
/zroot/datasets/example/.zfs/shares/example
```

However, OpenZFS does not appear to have the `.zfs/shares` directory so I cannot apply this same solution on OpenZFS-based systems.




SirDice said:


> Simplest solution, change the ownership of the files. If the user doesn't own the file he/she can't change the ACL.



Right, but how do I allow users to create files over NFSv4 but prevent them from owning the files they create?
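The two points the thread turns on (the owner of a file is granted write_acl unconditionally, so an explicit `owner@` deny entry does nothing; and SirDice's workaround of taking ownership away from the user) can be checked against an ACL before relying on them. The following audit script is an added example, not code from any poster or from FreeBSD; it assumes FreeBSD `getfacl` output format (`principal:perms:flags:type`, write_acl shown as `C`), models the owner override and the superuser bypass as fixed rules, and evaluates the remaining entries first-match-wins. The sample ACL is constructed to look like what `setfacl -m owner@:C:fd:deny` leaves behind on a share owned by a hypothetical user `alice`.

```python
"""Audit a FreeBSD-style NFSv4 ACL for who can rewrite it (the write_acl / 'C' bit).

Added example, not from the thread. Assumes getfacl's text format; the
owner-override and superuser rules are hard-coded because the ACL text
cannot express them.
"""
import re

# One ACL entry as printed by getfacl: principal:perms:flags:type
ENTRY_RE = re.compile(
    r"^(?P<principal>owner@|group@|everyone@|user:[^:]+|group:[^:]+)"
    r":(?P<perms>[rwxpDdaARWcCos-]+)"
    r":(?P<flags>[fdinSFI-]*)"
    r":(?P<type>allow|deny)$"
)

WRITE_ACL = "C"  # the permission that controls who may change the ACL itself

# Constructed sample: a share owned by alice:staff after an attempt to deny
# owner@ write_acl (setfacl -m prepends the deny entry ahead of the allow).
SAMPLE_ACL = """\
# file: /path/to/share
# owner: alice
# group: staff
       owner@:-----------C--:fd-----:deny
       owner@:rwxpDdaARWcCos:fd-----:allow
       group@:rwxpDdaARWc--s:fd-----:allow
    everyone@:r-x---a-R-c--s:fd-----:allow
"""


def parse_acl(text):
    """Return the ACL as an ordered list of dicts; order matters (first match wins)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop the "# file:/owner:/group:" header
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ACL entry: {raw!r}")
        entries.append(m.groupdict())
    return entries


def applicable_principals(user, user_groups, owner, file_group):
    """Principals whose entries apply to `user` on a file owned by owner:file_group."""
    principals = {f"user:{user}", "everyone@"}
    principals.update(f"group:{g}" for g in user_groups)
    if user == owner:
        principals.add("owner@")
    if file_group in user_groups:
        principals.add("group@")
    return principals


def can_write_acl(acl_text, owner, file_group, user, user_groups=()):
    """Return (allowed, reason): may `user` change the ACL of this file?"""
    if user == "root":
        return True, "superuser bypasses the ACL"
    if user == owner:
        # The thread's core point: the owner gets write_acl unconditionally,
        # so an explicit owner@ deny entry never takes effect.
        return True, "file owner is granted write_acl unconditionally"
    who = applicable_principals(user, set(user_groups), owner, file_group)
    for e in parse_acl(acl_text):
        # Entries that do not mention the C bit do not decide it; the first
        # applicable entry that does mention it wins.
        if e["principal"] in who and WRITE_ACL in e["perms"]:
            return e["type"] == "allow", f"first matching entry: {e['principal']}:{e['type']}"
    return False, "no matching entry grants write_acl"


def audit(acl_text, owner, file_group, users):
    """users: {name: set_of_groups}. Returns {name: can_change_acl}."""
    return {u: can_write_acl(acl_text, owner, file_group, u, g)[0] for u, g in users.items()}


if __name__ == "__main__":
    users = {"alice": {"staff"}, "bob": {"staff"}, "carol": set()}
    # Owned by alice: the deny entry is ignored and alice can still rewrite the ACL.
    print("owned by alice:", audit(SAMPLE_ACL, "alice", "staff", users))
    # Owned by root (the ownership workaround): no listed user can rewrite it.
    print("owned by root: ", audit(SAMPLE_ACL, "root", "staff", users))
```

Running it shows why the deny entry from the first post is inert and what the ownership change buys: with `alice` as owner she is reported as able to rewrite the ACL regardless of the deny line, and once the owner is `root` every non-root user is reported as unable to, because no remaining entry that applies to them carries `C`.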


----------

