[illumos-Advocates] RTI: 742 Resurrect the ZFS "aclmode" property (and 664, 279)
Gordon Ross
Gordon.Ross at nexenta.com
Fri May 6 15:59:18 PDT 2011
Request to integrate (see below).
> OK, not having heard any objections, I think the aclmode work
> is ready to integrate. I'm planning an RTI for this today.
> Change set description below. Webrev in the quoted text.
> Last chance, zfs-wg! Going, going, ...
......................................... gone!
Output of "hg outgoing -v" here.
Other details in attachments.
comparing with /tank/ws/illumos-clone
searching for changes
changeset: 13350:e2bf8d3e83db
tag: tip
user: Albert Lee <trisk at opensolaris.org>
date: Fri May 13 10:59:00 2011 -0400
description:
742 Resurrect the ZFS "aclmode" property
664 Umask masking "deny" ACL entries.
279 Bug in the new ACL (post-PSARC/2010/029) semantics
Reviewed by: Aram Hăvărneanu <aram at nexenta.com>
Reviewed by: Gordon Ross <gwr at nexenta.com>
Reviewed by: Robert Gordon <rbg at openrbg.com>
Approved by: Garrett D'Amore <garrett at nexenta.com>
modified:
usr/src/common/acl/acl_common.c
usr/src/common/acl/acl_common.h
usr/src/common/zfs/zfs_prop.c
usr/src/lib/libsec/common/aclutils.c
usr/src/lib/libzfs_jni/common/libzfs_jni_property.c
usr/src/man/man1m/zfs.1m
usr/src/uts/common/fs/fs_subr.c
usr/src/uts/common/fs/zfs/sys/zfs_acl.h
usr/src/uts/common/fs/zfs/sys/zfs_vfsops.h
usr/src/uts/common/fs/zfs/zfs_acl.c
usr/src/uts/common/fs/zfs/zfs_vfsops.c
usr/src/uts/common/fs/zfs/zfs_vnops.c
usr/src/uts/common/sys/fs/zfs.h
-------------- next part --------------
$ hg pbchk
Copyright check:
usr/src/common/zfs/zfs_prop.c: no copyright claim for current year found
usr/src/lib/libzfs_jni/common/libzfs_jni_property.c: no copyright claim for current year found
usr/src/uts/common/fs/zfs/sys/zfs_acl.h: no copyright claim for current year found
usr/src/uts/common/fs/zfs/sys/zfs_vfsops.h: no copyright claim for current year found
usr/src/uts/common/fs/zfs/zfs_vfsops.c: no copyright claim for current year found
usr/src/uts/common/fs/zfs/zfs_vnops.c: no copyright claim for current year found
usr/src/uts/common/sys/fs/zfs.h: no copyright claim for current year found
C style check:
Header format check:
Java style check:
Mapfile comment check:
File permission check:
Keywords check:
Comments check:
WARNING: Blank line(s) in comments
Checking for new tags:
Checking for multiple heads (or branches):
Checking for branch changes:
Checking for uncommitted changes:
Checking for merges:
-------------- next part --------------
==== Nightly distributed build started: Wed Apr 27 01:44:58 EDT 2011 ====
==== Nightly distributed build completed: Wed Apr 27 15:57:21 EDT 2011 ====
==== Total build time ====
real 14:12:23
==== Build environment ====
/usr/bin/uname
SunOS sun40 5.11 oi_148b i86pc i386 i86pc
/opt/SUNWspro/bin/dmake
dmake: Sun Distributed Make 7.8 SunOS_i386 Patch 126504-01 2007/07/19
number of concurrent jobs = 4
32-bit compiler
/opt/onbld/bin/i386/cw -_cc
cw version 1.29
primary: /opt/onspro/SS12/bin/cc
cc: Sun C 5.9 SunOS_i386 Patch 124868-10 2009/04/30
shadow: /usr/sfw/bin/gcc
gcc (GCC) 3.4.3 (csl-sol210-3_4-20050802)
64-bit compiler
/opt/onbld/bin/i386/cw -_cc
cw version 1.29
primary: /opt/onspro/SS12/bin/cc
cc: Sun C 5.9 SunOS_i386 Patch 124868-10 2009/04/30
shadow: /usr/sfw/bin/gcc
gcc (GCC) 3.4.3 (csl-sol210-3_4-20050802)
/usr/java/bin/javac
java full version "1.6.0_21-b06"
/usr/ccs/bin/as
as: Sun Compiler Common 12 SunOS_i386 snv_121 08/03/2009
/usr/ccs/bin/ld
ld: Software Generation Utilities - Solaris Link Editors: 5.11-1.1726
Build project: group.staff
Build taskid: 452
==== Nightly argument issues ====
==== Build version ====
zfs-aclmode
==== Make clobber ERRORS ====
==== Make tools clobber ERRORS ====
==== Tools build errors ====
==== Build errors (non-DEBUG) ====
==== Build warnings (non-DEBUG) ====
==== Elapsed build time (non-DEBUG) ====
real 3:35:34.3
user 5:58:51.6
sys 1:08:15.2
==== Build noise differences (non-DEBUG) ====
==== package build errors (non-DEBUG) ====
==== Build errors (DEBUG) ====
==== Build warnings (DEBUG) ====
==== Elapsed build time (DEBUG) ====
real 4:01:13.0
user 5:07:51.1
sys 1:01:16.8
==== Build noise differences (DEBUG) ====
==== package build errors (DEBUG) ====
==== Validating manifests against proto area ====
==== Check ELF runtime attributes ====
==== Diff ELF runtime attributes (since last build) ====
==== 'dmake lint' of src ERRORS ====
==== Elapsed time of 'dmake lint' of src ====
real 5:42:53.5
user 1:46:35.3
sys 19:01.3
==== lint warnings src ====
==== lint noise differences src ====
==== cstyle/hdrchk errors ====
==== Find core files ====
==== Check lists of files ====
==== Impact on file permissions ====
-------------- next part --------------
1: Test cases for aclmode

    aclmode = discard | groupmask | passthrough

In all the aclmode test cases, use:

    aclinherit = restricted (default - should not matter)

1.1: aclmode = discard

Verify chmod throws away ACLs:

    chmod A=user:admin:full_set:fd:allow foo1
    chmod 644 foo1
    ls -lV foo1
    -rw-r--r-- 1 root root 0 Feb 18 15:47 foo1
        owner@:rw-p--aARWcCos:-------:allow
        group@:r-----a-R-c--s:-------:allow
        everyone@:r-----a-R-c--s:-------:allow

1.2: aclmode = groupmask

Verify chmod keeps other ACEs, but masks them:

    chmod A=user:admin:full_set:fd:allow foo2
    chmod 644 foo2
    ls -lV foo2
    -rw-r--r--+ 1 root root 0 Feb 18 15:49 foo2
        user:admin:r---d-a-R-c--s:fd-----:allow
        owner@:rw-p--aARWcCos:-------:allow
        group@:r-----a-R-c--s:-------:allow
        everyone@:r-----a-R-c--s:-------:allow

1.3: aclmode = passthrough

Verify chmod keeps other ACEs as they were:

    chmod A=user:admin:full_set:fd:allow foo3
    chmod 644 foo3
    ls -lV foo3
    -rw-r--r--+ 1 root root 0 Feb 18 15:49 foo3
        user:admin:rwxpdDaARWcCos:fd-----:allow
        owner@:rw-p--aARWcCos:-------:allow
        group@:r-----a-R-c--s:-------:allow
        everyone@:r-----a-R-c--s:-------:allow

2: Test cases for aclinherit

    aclinherit = discard | noallow | restricted | passthrough[-x]

In all the aclmode test cases, use:

    aclmode = passthrough (convenient for setup - should not matter)

Set up a directory with some inherit-enabled ACEs:

    chmod A=user:admin:full_set:fd:allow dir1
    chmod 755 dir1
    ls -ldV dir1
    drwxr-xr-x+ 2 root root 2 Feb 18 18:39 dir1
        user:admin:rwxpdDaARWcCos:fd-----:allow
        owner@:rwxp-DaARWcCos:-------:allow
        group@:r-x---a-R-c--s:-------:allow
        everyone@:r-x---a-R-c--s:-------:allow

2.1: aclinherit = discard

    touch dir1/discard
    ls -lV dir1/discard
    -rw-r--r-- 1 root root 0 Feb 18 18:46 dir1/discard
        owner@:rw-p--aARWcCos:-------:allow
        group@:r-----a-R-c--s:-------:allow
        everyone@:r-----a-R-c--s:-------:allow

2.2: aclinherit = restricted

    touch dir1/restricted
    ls -lV dir1/restricted
    -rw-r--r-- 1 root root 0 Feb 18 18:46 dir1/restricted
        user:admin:rw-p--aARWcCos:------I:allow
        owner@:rw-p--aARWcCos:-------:allow
        group@:r-----a-R-c--s:-------:allow
        everyone@:r-----a-R-c--s:-------:allow

    -rw-r--r--+ 1 root root 0 Feb 20 20:16 dir1/restricted
        user:admin:r---d-a-R-c--s:------I:allow
        owner@:rw-p--aARWcCos:-------:allow
        group@:r-----a-R-c--s:-------:allow
        everyone@:r-----a-R-c--s:-------:allow

(Note: the 'd' bit in A0 is a bug!)
(Also the 's' bit in the group entry)

2.3: aclinherit = noallow

    touch dir1/noallow
    ls -lV dir1/noallow
    (todo)

2.4: aclinherit = passthrough

    touch dir1/passthrough
    ls -ldV dir1/passthrough
    -rw-r--r--+ 2 root root 2 Feb 18 18:39 dir1/passthrough
        user:admin:rw-pd-aARWcCos:fd-----:allow
        owner@:rw-p--aARWcCos:-------:allow
        group@:r-----a-R-c--s:-------:allow
        everyone@:r-----a-R-c--s:-------:allow

2.5: aclinherit = passthrough-x

    touch dir1/passthrough-x
    (todo)
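
Added example, not part of the original message or of the illumos change: a Python check that parses the compact "ls -lV" listings from tests 1.1-1.3 and reports which aclmode behaviour each one shows. It also lists permission letters that a non-trivial allow ACE keeps beyond the group@ entry (the 'd' in the 1.2 listing, the same letter the note under 2.2 remarks on). Using group@ as the reference for masking is this example's assumption, and all function names are hypothetical.

```python
PERM_LETTERS = "rwxpdDaARWcCos"  # compact permission columns printed by ls -V
TRIVIAL = ("owner@", "group@", "everyone@")

# Inputs copied from tests 1.1-1.3 in the message: the ACE set before chmod
# (full_set as listed in 1.3) and the three listings taken after chmod 644.
BEFORE = "user:admin:rwxpdDaARWcCos:fd-----:allow"
TAIL_644 = ("owner@:rw-p--aARWcCos:-------:allow\n"
            "group@:r-----a-R-c--s:-------:allow\n"
            "everyone@:r-----a-R-c--s:-------:allow")
FOO1 = "-rw-r--r-- 1 root root 0 Feb 18 15:47 foo1\n" + TAIL_644
FOO2 = ("-rw-r--r--+ 1 root root 0 Feb 18 15:49 foo2\n"
        "user:admin:r---d-a-R-c--s:fd-----:allow\n" + TAIL_644)
FOO3 = ("-rw-r--r--+ 1 root root 0 Feb 18 15:49 foo3\n"
        "user:admin:rwxpdDaARWcCos:fd-----:allow\n" + TAIL_644)

def parse_ace(line):
    """Parse 'who:perms:flags:type'; who may contain a colon (user:admin)."""
    parts = line.strip().split(":")
    if len(parts) < 4 or len(parts[-3]) != len(PERM_LETTERS):
        raise ValueError("not a compact ACE: %r" % line)
    if any(ch not in (col, "-") for col, ch in zip(PERM_LETTERS, parts[-3])):
        raise ValueError("permission letter in wrong column: %r" % line)
    return {"who": ":".join(parts[:-3]), "type": parts[-1],
            "perms": frozenset(parts[-3]) - {"-"}}

def parse_listing(text):
    """Return (mode string, [ACE dicts]) for one file's 'ls -lV' output."""
    lines = [l for l in text.splitlines() if l.strip()]
    return lines[0].split()[0], [parse_ace(l) for l in lines[1:]]

def observed_aclmode(before_ace, listing):
    """Name the aclmode behaviour a post-chmod listing shows for before_ace."""
    before = parse_ace(before_ace)
    after = [a for a in parse_listing(listing)[1] if a["who"] == before["who"]]
    if not after:
        return "discard"            # ACE is gone, only the trivial ACL remains
    if after[0]["perms"] == before["perms"]:
        return "passthrough"        # ACE survived chmod unchanged
    return "groupmask" if after[0]["perms"] < before["perms"] else "unexpected"

def excess_over_group(listing):
    """Letters each non-trivial allow ACE grants beyond the group@ entry."""
    aces = parse_listing(listing)[1]
    group = next(a["perms"] for a in aces if a["who"] == "group@")
    return {a["who"]: "".join(sorted(a["perms"] - group, key=PERM_LETTERS.index))
            for a in aces if a["who"] not in TRIVIAL and a["type"] == "allow"
            and a["perms"] - group}

if __name__ == "__main__":
    for name, text in (("foo1", FOO1), ("foo2", FOO2), ("foo3", FOO3)):
        print(name, observed_aclmode(BEFORE, text), excess_over_group(text))
```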