I am migrating a directory structure from a UFS filesystem to ZFS. In the old location I had POSIX ACLs set to force all new files/directories within the structure to be created with group write permissions –
group::rwx
default:group::rwx
On the new ZFS filesystem I have attempted to replicate this using NFSv4 ACLs with the "file_inherit/dir_inherit" flags set, but find that these are stripped out (or in the case of directories, replaced by an ACE with "inherit_only" set), so other users in the group don't have write permissions in the new directory. For example:
$ chmod A+group@:rwxp:fd:allow .
$ ls -Vd .
drwxrws---+ 6 user1 grp1 13 Nov 8 12:55 .
group@:rwxp----------:fd----:allow
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:--------------:------:deny
group@:rwxp----------:------:allow
everyone@:rwxp---A-W-Co-:------:deny
everyone@:------a-R-c--s:------:allow
$ mkdir test
$ ls -Vd test
drwxr-sr-x+ 2 user1 grp1 2 Dec 1 14:24 test
group@:rwxp----------:fdi---:allow
group@:--------------:------:allow
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
$ touch afile
$ ls -V afile
-rw-r--r--+ 1 user1 grp1 0 Dec 1 14:40 afile
group@:--------------:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
I can fix this by setting umask to 002 but I'd like to know if there's a pure ACL way (as the versions of FTP and SSH currently installed don't allow umask to be set on a per-user basis).
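As an added example (this is not code from the question or from the answer below): a small Python checker that parses the three `ls -V` listings shown in the question and evaluates them with NFSv4 ordering rules, so you can see mechanically why user1's group mates can write in `.` but not in `test` or `afile`. The listings embedded in the script are copied from the question; the requester model (owner, non-owner group member, everyone else) is a simplification of the abstract owner@/group@/everyone@ principals and is marked as such in the code.

```python
"""Parse Solaris/illumos ``ls -V`` ACL output and evaluate NFSv4 access.

Added example, not part of the original question or answer.  NFSv4 rule set
implemented here: ACEs are scanned in order, a permission bit is decided by
the first ACE that names it and applies to the requester, anything left
undecided is denied, and ACEs flagged inherit_only (``i``) grant nothing on
the object they sit on (they exist only to be copied to children).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    who: str              # owner@, group@, everyone@, user:name, group:name
    perms: frozenset      # letters present in the 14-char rwxpdDaARWcCos field
    flags: frozenset      # inheritance flags present: f d i n (S F I on newer systems)
    allow: bool


def parse_ls_v(text: str) -> list[Ace]:
    """Turn the ACE lines of ``ls -V`` output into Ace objects, in order."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line.endswith((":allow", ":deny")):
            continue                      # skips the "drwxrws---+ ..." header line
        who, perms, flags, kind = line.rsplit(":", 3)   # who may itself contain ':'
        aces.append(Ace(who,
                        frozenset(perms.replace("-", "")),
                        frozenset(flags.replace("-", "")),
                        kind == "allow"))
    return aces


# Simplification (assumption of this example): which abstract ACEs apply to a
# requester.  A real owner who is also a member of the file's group would match
# group@ entries too; named user:/group: entries are parsed but not matched.
PRINCIPALS = {
    "owner": {"owner@", "everyone@"},
    "group": {"group@", "everyone@"},     # group member who is not the owner
    "other": {"everyone@"},
}


def permitted(aces: list[Ace], requester: str, bits: str) -> bool:
    """True if every permission letter in ``bits`` is granted to ``requester``."""
    applies = PRINCIPALS[requester]
    for bit in bits:
        decided = None
        for ace in aces:
            if "i" in ace.flags or ace.who not in applies or bit not in ace.perms:
                continue
            decided = ace.allow           # first matching ACE wins for this bit
            break
        if not decided:                   # explicit deny or never mentioned
            return False
    return True


def inheritable_group_write(aces: list[Ace]) -> bool:
    """Does this directory hand down an allow ACE giving group@ write_data?"""
    return any(ace.who == "group@" and ace.allow and "w" in ace.perms
               and ace.flags & {"f", "d"}
               for ace in aces)


def audit(parent_text: str, child_text: str) -> dict:
    """Compare what a directory promises to inherit with what a child actually got."""
    parent, child = parse_ls_v(parent_text), parse_ls_v(child_text)
    return {
        "parent_inherits_group_write": inheritable_group_write(parent),
        "parent_group_can_write": permitted(parent, "group", "wp"),
        "child_group_can_write": permitted(child, "group", "wp"),
    }


# Listings copied from the question above.
PARENT_DIR = """\
drwxrws---+ 6 user1 grp1 13 Nov 8 12:55 .
group@:rwxp----------:fd----:allow
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:--------------:------:deny
group@:rwxp----------:------:allow
everyone@:rwxp---A-W-Co-:------:deny
everyone@:------a-R-c--s:------:allow
"""
CHILD_DIR = """\
drwxr-sr-x+ 2 user1 grp1 2 Dec 1 14:24 test
group@:rwxp----------:fdi---:allow
group@:--------------:------:allow
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
"""
CHILD_FILE = """\
-rw-r--r--+ 1 user1 grp1 0 Dec 1 14:40 afile
group@:--------------:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
"""

if __name__ == "__main__":
    print("test  :", audit(PARENT_DIR, CHILD_DIR))
    print("afile :", audit(PARENT_DIR, CHILD_FILE))
```

Running it reports that `.` both grants group write and carries an inheritable group@ write ACE, while `test` and `afile` end up with an explicit group@ deny on write_data, which is exactly what the mode-derived `rwxr-sr-x` / `rw-r--r--` bits say. Whether a child keeps the inherited group@ ACE intact or has it masked by the creation mode, as seen here, is governed by the dataset's aclinherit property (restricted is the Solaris default; passthrough keeps inherited ACEs unmodified), so running this checker on a freshly created child tells you which behaviour a given dataset actually exhibits.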
Best Answer
I use something like below for my passwordless, NAS storage. I'm not well versed on all the fine-grained permissions so it's probably overkill on owner/group perms and underkill on everyone, but here it is:
It's on FreeBSD, so ZFS's NFSv4 ACLs are built into setfacl. I think they can also be set with nfs4_setfacl and chmod on some OSes. I'm very new to ACLs and even newer to FreeBSD, as well, so this all may make sysadmins cry. It also acts as chmod 2774 and sets new files'/directories' groups to the dataset's group.

Edit to clarify a bit: /zfs/raid1 is the actual ZFS mount; storage is a dataset within it.