# ACL behavior



## mannychang (Jun 9, 2013)

Hi all,

I have question about NFSv4 ACL in ZFS. I set ACL permission for a file as

```
# file: a
# owner: manny
# group: wheel
          user:manny:rw------------:------:allow
              group@:r-x---a-R-c--s:------:allow
           everyone@:r-x---a-R-c--s:------:allow
```

I set Manny only "rw" permission for the "a" file, not "delete" permission, but I still can delete it. Why? ???? 

Root sets the ACL permissions; Manny logs in to test the ACL permissions.


----------



## DutchDaemon (Jun 9, 2013)

As far as I know, delete = write.


----------



## kpa (Jun 9, 2013)

Deleting a file under UNIX or UNIX like operating systems is an operation on the directory where the file is located. Look at the permissions/ACLs of the directory instead of the file.


----------



## mannychang (Jun 10, 2013)

Thanks to @kpa.

I tried it again and set ACL permissions for the directory, but I found some things. The folder permissions are as follows, and there are some files/folders in this folder.

If the folder only has the "r" permission, you can't enter the folder. It needs the "rx" permission.
If I set the "wx" permission for this folder, I can delete the file/folder.

Is this behavior right???
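An added example, not code from any poster in this thread: a small evaluator for the ACE strings quoted above, to show the point kpa and mannychang arrive at, namely that unlink is decided by the directory's ACL rather than the file's "rw". It assumes the FreeBSD getfacl column order rwxpDdaARWcCos, applies the NFSv4 rule (DELETE on the file or DELETE_CHILD on the directory) plus the write+execute fallback mannychang observed, and the directory ACLs are constructed samples.

```python
# Added example, not from any post in this thread: a small evaluator for the
# NFSv4 ACE strings quoted above. It models unlink as the NFSv4 rule plus the
# behaviour mannychang observed: the directory decides (DELETE_CHILD "D", or
# the write+execute fallback) unless the file itself grants DELETE "d".
PERM_CHARS = "rwxpDdaARWcCos"  # column order of FreeBSD getfacl's 14-char field

def parse_ace(line):
    """'who:perms:flags:type' -> (who, set of granted letters, type)."""
    who, perms, _flags, kind = line.strip().rsplit(":", 3)
    if len(perms) != len(PERM_CHARS):
        raise ValueError("bad permission field: %r" % perms)
    return who, {c for c in perms if c != "-"}, kind

def ace_matches(who, user, groups, owner, group):
    """Does this ACE's 'who' cover the requesting user?"""
    if who == "everyone@":
        return True
    if who == "owner@":
        return user == owner
    if who == "group@":
        return group in groups
    kind, _, name = who.partition(":")
    return (kind == "user" and name == user) or (kind == "group" and name in groups)

def allowed(obj, user, groups, wanted):
    """NFSv4 evaluation: the first matching ACE decides each requested bit and
    every bit in 'wanted' must be allowed. obj = (owner, group, ace_lines)."""
    owner, group, acl = obj
    undecided = set(wanted)
    for line in acl:
        who, perms, kind = parse_ace(line)
        if ace_matches(who, user, groups, owner, group):
            hit = undecided & perms
            if hit and kind == "deny":
                return False
            undecided -= hit
    return not undecided

def can_delete(file_obj, dir_obj, user, groups):
    """Can 'user' (member of 'groups') unlink file_obj from dir_obj?"""
    return (allowed(file_obj, user, groups, "d")
            or allowed(dir_obj, user, groups, "D")
            or allowed(dir_obj, user, groups, "wx"))  # UNIX-style fallback

# Constructed sample: the file ACL from the first post and two directory ACLs.
FILE_A = ("manny", "wheel", ["user:manny:rw------------:------:allow",
                             "group@:r-x---a-R-c--s:------:allow",
                             "everyone@:r-x---a-R-c--s:------:allow"])
DIR_RX = ("root", "wheel", ["user:manny:r-x---a-R-c--s:------:allow"])
DIR_WX = ("root", "wheel", ["user:manny:-wx---a-R-c--s:------:allow"])
```

With DIR_RX manny can read and write "a" but not remove it; with DIR_WX the same file ACL lets him remove it, which is exactly what the thread reports.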


----------



## bx83 (Jul 22, 2013)

I would also like to know the answer to this; I have been searching endlessly for stuff relating to this problem.

It seems that on a ZFS system, even with aclinherit and aclmode BOTH set to 'passthrough', and with the correct 'NFSv4' ACL data being shown by getfacl (e.g. "user:manny:rwxp----------:------:allow"), FreeBSD will _only_ respect the Unix 9-bit mode for checking file permissions.

This is *completely broken* as far as having ACLs in use in your filesystem, because FreeBSD is basically circumventing whatever's in them (besides the rwx perms/bits).

In the NFSv4 ACLs used in ZFS, you can set these permission bits in the ACL for owner@ (the owner of a file/directory at the time) or a specific user (e.g. user:manny); FreeBSD will at least interpret these entries, as far as taking notice that you've assigned perms to different entities.

For example, stripping all permissions for everyone@:


```
everyone@:--------------:------:allow
```

but adding rwx just for user:manny


```
user:manny:rwx-----------:------:allow
```

will give manny rwx permissions and everyone else outside of group/owner no permissions; user manny can make files and edit them in the directory with these ACEs included, but any other (non-owner, non-group) users won't have any permissions;

BUT - _no other permissions in the ACL (like p/append, d/delete child, R/read xattribs, etc) will be respected._

I have yet to figure out how to get around this and have FreeBSD respect the full ACL permissions. If anyone could shed light on this I would be eternally grateful; it's driving me insane so far.


----------

