[illumos-Developer] RFC: Resurrect the ZFS "aclmode" property

Garrett D'Amore garrett at damore.org
Sun Feb 27 02:02:41 PST 2011


We reviewed this internally first, and obviously I'm strongly supportive.  I would of course like further feedback from the community at large.

Thanks Gordon.

    -- Garrett

Gordon Ross <gordon.w.ross at gmail.com> wrote:

>This is a request for comment (RFC), in the spirit of the
>(now defunct) Sun PARC request process.
>
>Executive Summary:
>
>The case (PSARC/2010/029 - Improved ACL interoperability)
>simplified ACL handling in ZFS, but at the same time removed
>the "aclmode" property.  That removal has proven to be very
>inconvenient in the field.  This proposal resurrects the
>"aclmode" property, with some changes to better fit within
>the post-PSARC/2010/029 design.
>
>
>Problem:
>
>There have been numerous customer complaints like:
>
>- What happened to aclmode?  I want aclmode=passthrough
>- I don't want NFS setattr from Linux to replace my ACLs.
>- I don't want chmod to destroy my ACLs
>
>They have a point.  PSARC/2010/029 removed control over
>what setattr does with ACLs, leaving some customers with
>no convenient way to make data remain accessible from both
>NFS and CIFS clients.
>
>There is an extensive discussion of this on zfs-discuss:
>http://opensolaris.org/jive/thread.jspa?messageID=500850
>(and other threads - search for "aclmode")
>
>
>Solution:
>
>This proposal reinstates handling of an "aclmode" property,
>but with a different default and updated semantics, to
>better integrate with post-PSARC/2010/029 handling of ACLs.
>
>The settings for "aclmode" are the same as they were before
>the property was removed, but the semantics of "groupmask"
>are now as described in PSARC/2010/029, so "groupmask" will
>no longer do ACE splitting.  The "ACE trimming" described for
>"aclmode=groupmask" will be exactly what the current code
>does when the aclinherit property is set to "restricted".  That
>ACE trimming logic will remain unchanged. This proposal just
>makes the chmod ACE trimming optional.
>
>The default value for "aclmode" was originally "groupmask".
>Many find that convenient; some argue it's a security flaw.[1]
>The reinstated "aclmode" will have "discard" as its default,
>which continues current system behavior.  (least surprise)
>
>[1] In the thread "zfs proerty aclmode gone in 147?"
>http://opensolaris.org/jive/thread.jspa?messageID=500850
>some argue that if "chmod 700" does anything other than
>replace the ACL with a trivial one, it's a security bug.
>For those people, aclmode=discard is the right setting.
>Others take a different view, and want NFS setattr to
>avoid destroying their carefully constructed ACLs.
>We should provide mechanism, not policy here.
>
>
>Man Page diffs
>
>+aclmode=discard | groupmask | passthrough
>+
>+Controls how an ACL is modified during chmod(2). A file system with
>+an aclmode property of discard (the default) deletes all ACL entries
>+that do not represent the mode of the file. An aclmode property of
>+groupmask reduces permissions granted in all "allow" entries found in
>+the ACL.  The permissions are reduced such that they are no greater
>+than the given group permission bits.  A file system with an aclmode
>+property of passthrough indicates that no changes are made to the ACL
>+other than creating or updating the necessary ACL entries to represent
>+the new mode of the file or directory.
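
Review bot: in the groupmask sentence, "the given group permission bits" does not say which mode supplies the bits; wording such as "the group permission bits of the mode being set" would remove the ambiguity. The paragraph also names only chmod(2), while the Problem section is largely about NFS setattr, so it should say whether the property governs mode changes that arrive that way too. It would also help to state here that groupmask no longer splits ACEs, as the Solution section describes.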
>
>
>References:
>http://arc.opensolaris.org/caselog/PSARC/2010/029
>http://www.illumos.org/issues/742
>
>_______________________________________________
>Developer mailing list
>Developer at lists.illumos.org
>http://lists.illumos.org/m/listinfo/developer
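
An added sketch, not part of the thread and not ZFS code, of the three aclmode settings as the proposed man page text words them, showing what a named user keeps after a mode change. It assumes a simplified ACL of (who, type, perms) entries with only r/w/x permissions, treats owner@, group@ and everyone@ as the entries that represent the mode, and leaves deny entries untouched under groupmask; all function names and the sample ACL are hypothetical.

```python
# Simplified model (an assumption, not ZFS code): an ACL is a list of
# (who, type, perms) entries, with perms a subset of {"r", "w", "x"}.
SPECIAL = ("owner@", "group@", "everyone@")

def bits_to_perms(bits):
    """Turn one octal digit (0-7) into a set such as {'r', 'x'}."""
    return {p for p, b in zip("rwx", (4, 2, 1)) if bits & b}

def mode_entries(mode):
    """Trivial ACL: the three entries that represent the mode itself."""
    digits = ((mode >> 6) & 7, (mode >> 3) & 7, mode & 7)
    return [(who, "allow", bits_to_perms(d)) for who, d in zip(SPECIAL, digits)]

def chmod(acl, mode, aclmode="discard"):
    """Return the ACL left behind by a mode change under the given aclmode."""
    extra = [e for e in acl if e[0] not in SPECIAL]
    if aclmode == "discard":
        extra = []                      # only the mode entries survive
    elif aclmode == "groupmask":
        group = bits_to_perms((mode >> 3) & 7)
        # trim every remaining allow entry to the new group bits
        extra = [(w, t, p & group if t == "allow" else p) for w, t, p in extra]
    elif aclmode != "passthrough":      # passthrough keeps extra entries as-is
        raise ValueError(f"unknown aclmode: {aclmode}")
    return extra + mode_entries(mode)

def allowed(acl, who):
    """Permissions the allow entries grant to one named principal."""
    return set().union(*(p for w, t, p in acl if w == who and t == "allow"))

# Constructed sample: a file whose ACL grants user:alice full access.
SAMPLE = [("user:alice", "allow", {"r", "w", "x"})] + mode_entries(0o770)

if __name__ == "__main__":
    for setting in ("discard", "groupmask", "passthrough"):
        for mode in (0o700, 0o750):
            left = "".join(sorted(allowed(chmod(SAMPLE, mode, setting), "user:alice")))
            print(f"aclmode={setting:<11} chmod {mode:o}: alice keeps '{left}'")
```

Under passthrough the user entry survives a chmod 700 untouched, which is the behaviour the footnote says some regard as a security bug and others depend on for NFS and CIFS coexistence.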

