# Mapping POSIX ACLs to NFSv4 ACLs for Samba storage



## proks (Sep 27, 2013)

Hi all,

I propose to talk about an issue. I have a task of moving data from UFS+ACLs storage to a ZFS pool. Dump/restore is the best way, but only owner/owner_group is saved. I've written a Perl script to translate POSIX ACLs to NFSv4 ACLs. I referred to the last draft of the mapping (http://tools.ietf.org/html/draft-ietf-nfsv4-acl-mapping-05) to emulate the POSIX behaviour of permissions. I got something like this, for instance:

Source directory on UFS:

```
> getfacl  /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
# file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
# owner: 10051
# group: 513
user::rwx
user:10015:r-x
user:10049:r-x
user:10072:rwx
group::---
group:544:rwx
group:10008:rwx
group:10131:r-x
mask::rwx
other::---

> getfacl  -d /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
# file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
# owner: 10051
# group: 513
user::rwx
user:10015:r-x
user:10049:r-x
user:10072:rwx
group::---
group:544:rwx
group:10008:rwx
group:10131:r-x
mask::rwx
other::---
```
Target directory on ZFS:

```
# getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/ 
# file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
# owner: 10051
# group: 513
              owner@:--------------:fd----:deny
              owner@:rwxpD-aA--cC-s:fd----:allow
        user:10015:-w-p---A---C--:fd----:deny
        user:10015:r-x---a---c--s:fd----:allow
        user:10049:-w-p---A---C--:fd----:deny
        user:10049:r-x---a---c--s:fd----:allow
        user:10072:-------A---C--:fd----:deny
        user:10072:rwxpD-a---c--s:fd----:allow
              group@:------a---c--s:fd----:allow
     group:10008:rwxpD-a---c--s:fd----:allow
         group:544:rwxpD-a---c--s:fd----:allow
     group:10131:r-x---a---c--s:fd----:allow
              group@:rwxp---A---C--:fd----:deny
     group:10008:-------A---C--:fd----:deny
         group:544:-------A---C--:fd----:deny
     group:10131:-w-p---A---C--:fd----:deny
        everyone@:rwxp---A---C--:fd----:deny
        everyone@:------a---c--s:fd----:allow
```

I was happy, but Windows made me sad. When I tried to look at the permissions of a file or a directory with the Windows file browser I got a warning about the ordering of permissions. Then I tried to edit the permissions, allowed the reordering, and got this result:


```
getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
# file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
# owner: 10051
# group: 513
        user:10015:-w-pD--A---C--:fd----:deny
        user:10049:-w-pD--A---C--:fd----:deny
        user:10072:-------A---C--:fd----:deny
              group@:rwxpD--A---C--:fd----:deny
     group:10008:-------A---C--:fd----:deny
          group:544:-------A---C--:fd----:deny
     group:10131:-w-pD--A---C--:fd----:deny
        everyone@:rwxpD--A---C--:fd----:deny    <<<<<<<<<
             owner@:rwxpD-aA--cC--:fd----:allow
       user:10015:r-x---a---c---:fd----:allow
       user:10049:r-x---a---c---:fd----:allow
       user:10072:rwxpD-a---c---:fd----:allow
             group@:------a---c---:fd----:allow
    group:10008:rwxpD-a---c---:fd----:allow
         group:544:rwxpD-a---c---:fd----:allow
     group:10131:r-x---a---c---:fd----:allow
         everyone@:------a---c---:fd----:allow
```

But it won't work, because of `everyone@:rwxpD--A---C--:fd----:deny`. It's a mess. As it turned out, according to http://msdn.microsoft.com/en-us/library/windows/desktop/aa379298(v=vs.85).aspx, this is the Windows rule for ordering permissions.


----------
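The mapping the post above describes, as an added Python example (the poster's own script is Perl and is not shown in the thread): it reads the UFS `getfacl` output, emits the deny/allow pairs in the order the draft mapping uses, then checks the result against the MSDN ordering rule (explicit deny ACEs before explicit allow ACEs) and applies the same denies-first reordering the Windows editor did. The 14-column permission format and the `fd` inheritance flags follow the posted ZFS listing; the bit choices (`a`, `c`, `s` always allowed, `A`/`C` for the owner only, `D` for write on a directory) are read off that listing rather than taken from the draft text, and the sample input is constructed from the posted UFS listing.

```python
from dataclasses import dataclass

# Column order of the verbose getfacl output in the thread (rwxpDdaARWcCos):
# read, write, execute, append, delete_child, delete, read_attrs, write_attrs,
# read_xattr, write_xattr, read_acl, write_acl, write_owner, synchronize.
PERM_ORDER = "rwxpDdaARWcCos"
CONTROLLED = set("rwxpAC")   # bits the mapping decides; a, c, s are always allowed

# Constructed from the UFS getfacl output posted above (default ACL is identical).
POSIX_ACL = """\
# owner: 10051
user::rwx
user:10015:r-x
user:10049:r-x
user:10072:rwx
group::---
group:544:rwx
group:10008:rwx
group:10131:r-x
mask::rwx
other::---
"""

@dataclass
class Ace:
    who: str                 # owner@, group@, everyone@, user:<uid> or group:<gid>
    perms: set
    kind: str                # "allow" or "deny"
    flags: str = "fd----"    # inherit to files and directories, as posted

    def __str__(self):
        bits = "".join(p if p in self.perms else "-" for p in PERM_ORDER)
        return f"{self.who}:{bits}:{self.flags}:{self.kind}"

def parse_posix_acl(text):
    """Return a list of (tag, qualifier, {r,w,x}) from getfacl(1) text."""
    entries = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            tag, qualifier, mode = line.strip().split(":")
            entries.append((tag, qualifier, set(mode) - {"-"}))
    return entries

def allow_bits(mode, is_owner, is_dir):
    """NFSv4 bits an rwx triple grants, as in the posted ZFS listing."""
    bits = set("acs")                               # read attrs, read ACL, synchronize
    if is_owner:
        bits |= set("AC")                           # write attrs/ACL: owner only
    if "r" in mode:
        bits.add("r")
    if "w" in mode:
        bits |= set("wpD" if is_dir else "wp")      # D: delete_child on directories
    if "x" in mode:
        bits.add("x")
    return bits

def posix_to_nfsv4(entries, is_dir=True):
    """Emit ACEs in the order the draft mapping (and the posted listing) uses."""
    mask = next((m for t, q, m in entries if t == "mask"), set("rwx"))

    def pair(who, mode, is_owner=False):
        allowed = allow_bits(mode, is_owner, is_dir)
        # Deny every controlled bit not granted, so later group/everyone@
        # ACEs cannot widen this principal's access (POSIX semantics).
        return Ace(who, CONTROLLED - allowed, "deny"), Ace(who, allowed, "allow")

    owner_mode = next(m for t, q, m in entries if (t, q) == ("user", ""))
    aces = list(pair("owner@", owner_mode, is_owner=True))   # owner is not masked
    for t, q, m in entries:
        if t == "user" and q:                       # named users: deny, then allow
            aces.extend(pair(f"user:{q}", m & mask))
    groups = [pair("group@" if q == "" else f"group:{q}", m & mask)
              for t, q, m in entries if t == "group"]
    aces.extend(a for d, a in groups)               # all group allows first ...
    aces.extend(d for d, a in groups)               # ... then the group denies
    aces.extend(pair("everyone@", next(m for t, q, m in entries if t == "other")))
    return aces

def is_windows_canonical(aces):
    """MSDN rule for explicit ACEs: every deny ACE precedes every allow ACE."""
    first_allow = next((i for i, a in enumerate(aces) if a.kind == "allow"), len(aces))
    return all(a.kind == "allow" for a in aces[first_allow:])

def windows_reorder(aces):
    """Stable partition, denies first, dropping empty ACEs (what the editor did)."""
    return ([a for a in aces if a.kind == "deny" and a.perms]
            + [a for a in aces if a.kind == "allow"])

if __name__ == "__main__":
    acl = posix_to_nfsv4(parse_posix_acl(POSIX_ACL))
    print("\n".join(map(str, acl)), "\ncanonical:", is_windows_canonical(acl))
    print("\n".join(map(str, windows_reorder(acl))))
```

The generated list reproduces the posted ZFS ACL entry for entry (the named groups come out in POSIX order rather than the order ZFS listed them), `is_windows_canonical` reports it as non-canonical because the group and `everyone@` denies sit after allow ACEs, and `windows_reorder` yields the denies-first list the editor wrote back, with `everyone@:rwxp---A---C--:fd----:deny` ahead of every allow ACE.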



## proks (Sep 27, 2013)

I propose another solution that will meet both POSIX and Windows requirements. For that example:
("deny" to prevent individual "allow" permissions within groups)


```
owner@:--------------:fd----:deny
user:10015:-w-p---A---C--:fd----:deny
user:10049:-w-p---A---C--:fd----:deny
user:10072:-------A---C--:fd----:deny
owner@:rwxpD-aA--cC-s:fd----:allow
user:10015:r-x---a---c--s:fd----:allow
user:10049:r-x---a---c--s:fd----:allow
user:10072:rwxpD-a---c--s:fd----:allow

group@:------a---c--s:fd----:allow
group:10008:rwxpD-a---c--s:fd----:allow
group:544:rwxpD-a---c--s:fd----:allow
group:10131:r-x---a---c--s:fd----:allow
 
everyone@:------a---c--s:fd----:allow
```

Everyone who is not allowed is forbidden. But this is not a universal solution. What do you think about it?


----------



## RusDyr (Oct 2, 2013)

What I really want is something like Microsoft's "resulting policy" tool. It's quite hard to find out through all that output from `getfacl` what is the resulting ACL for a user.


----------
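An added example, not from the thread, that does what the last post asks for: it computes the resulting NFSv4 access of one principal by the rule the ZFS ACL evaluator applies (walk the ACEs in order; the first ACE that names a bit and matches the caller decides that bit; bits no ACE decides are denied; inherit-only ACEs are skipped). It is run over two ACLs constructed from the `getfacl` listings posted above: the one the Windows editor produced, and the allow-only one from the second post. Owner 10051 and group 513 are taken from the listings; the other uids and the group memberships are assumptions chosen to exercise the named-user and multiple-group cases.

```python
# Bits reported, in getfacl column order: r w x p D a A c C s
REPORT_BITS = "rwxpDaAcCs"

# Both ACLs are constructed from the listings posted in this thread.
# What the Windows ACL editor wrote back (denies first, D added, s dropped):
WINDOWS_ACL = """\
user:10015:-w-pD--A---C--:fd----:deny
user:10049:-w-pD--A---C--:fd----:deny
user:10072:-------A---C--:fd----:deny
group@:rwxpD--A---C--:fd----:deny
group:10008:-------A---C--:fd----:deny
group:544:-------A---C--:fd----:deny
group:10131:-w-pD--A---C--:fd----:deny
everyone@:rwxpD--A---C--:fd----:deny
owner@:rwxpD-aA--cC--:fd----:allow
user:10015:r-x---a---c---:fd----:allow
user:10049:r-x---a---c---:fd----:allow
user:10072:rwxpD-a---c---:fd----:allow
group@:------a---c---:fd----:allow
group:10008:rwxpD-a---c---:fd----:allow
group:544:rwxpD-a---c---:fd----:allow
group:10131:r-x---a---c---:fd----:allow
everyone@:------a---c---:fd----:allow
"""
# The allow-only ACL proposed in the second post:
ALLOW_ONLY_ACL = """\
owner@:--------------:fd----:deny
user:10015:-w-p---A---C--:fd----:deny
user:10049:-w-p---A---C--:fd----:deny
user:10072:-------A---C--:fd----:deny
owner@:rwxpD-aA--cC-s:fd----:allow
user:10015:r-x---a---c--s:fd----:allow
user:10049:r-x---a---c--s:fd----:allow
user:10072:rwxpD-a---c--s:fd----:allow
group@:------a---c--s:fd----:allow
group:10008:rwxpD-a---c--s:fd----:allow
group:544:rwxpD-a---c--s:fd----:allow
group:10131:r-x---a---c--s:fd----:allow
everyone@:------a---c--s:fd----:allow
"""

def parse_ace(line):
    """'user:10015:-w-p---A---C--:fd----:deny' -> (who, perms, flags, kind)."""
    parts = line.strip().split(":")
    who = ":".join(parts[:-3])                      # user:<uid> keeps its colon
    bits, flags, kind = parts[-3:]
    return who, set(bits) - {"-"}, flags, kind

def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def matches(who, uid, gids, owner, group):
    """Does this ACE's principal cover the caller?"""
    if who == "everyone@":
        return True
    if who == "owner@":
        return uid == owner
    if who == "group@":
        return group in gids
    tag, ident = who.split(":")
    return uid == int(ident) if tag == "user" else int(ident) in gids

def effective(acl, uid, gids, owner=10051, group=513):
    """First matching ACE decides each bit it names; undecided bits are denied."""
    granted, decided = set(), set()
    for who, perms, flags, kind in acl:
        if "i" in flags or not matches(who, uid, gids, owner, group):
            continue                                # inherit-only ACEs never grant
        fresh = perms - decided
        decided |= fresh
        if kind == "allow":
            granted |= fresh
    return granted

def mode_string(bits):
    return "".join(b if b in bits else "-" for b in REPORT_BITS)

PRINCIPALS = [                                      # (label, uid, gids); memberships assumed
    ("owner 10051, group 513", 10051, {513}),
    ("user 10015, group 513", 10015, {513}),
    ("user 10015, also in rwx group 10008", 10015, {513, 10008}),
    ("unlisted uid 20000 in groups 10131+10008", 20000, {10131, 10008}),
    ("unlisted uid 30000 in group 513", 30000, {513}),
]

if __name__ == "__main__":
    for name, text in (("Windows-reordered", WINDOWS_ACL), ("allow-only", ALLOW_ONLY_ACL)):
        acl = parse_acl(text)
        print(name)
        for label, uid, gids in PRINCIPALS:
            print(f"  {mode_string(effective(acl, uid, gids))}  {label}")
```

On the Windows-reordered ACL every principal, the owner included, ends up with read_attributes and read_acl only, because the `group@` and `everyone@` deny ACEs now precede the allow ACEs that were meant to grant access. On the allow-only ACL the POSIX result comes back: the owner gets everything, user 10015 gets r-x, and a member of groups 10131 and 10008 gets their union. The evaluator also shows one limit of the allow-only list as posted: the per-user deny ACEs do not cover the `D` bit, so a named r-x user who is also a member of an rwx group picks up delete_child from that group's allow ACE, where POSIX, in which a matching named-user entry ends the search, would give r-x only.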

