Bug 174950 - [zfs] delete ZFS ACL have no effect
Summary: [zfs] delete ZFS ACL have no effect
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: Unspecified
Hardware: Any Any
: Normal Affects Only Me
Assignee: Edward Tomasz Napierala
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-01-03 15:50 UTC by Sandra
Modified: 2013-04-01 14:25 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sandra 2013-01-03 15:50:03 UTC 
The d ZFS ACL is suppose to give or deny permission to delete a file. It have no effect.

The below is the output from the script in "How to repeat the problem", and please notice:

* Eventhough www doesn't have delete permission and there is an explicit deny, rm was possible.



p="/tank/project1"
f="$p/test2"
u="user1"

rm -f $f
setfacl -b $p

setfacl -m group@::fd:allow $p || exit 1
setfacl -m everyone@::fd:allow $p || exit 1
setfacl -m owner@:rwx:fd:allow $p || exit 1
setfacl -m u:$u:full_set:fd:allow $p || exit 1

setfacl -m u:www:rwxa:fd:allow $p || exit 1
setfacl -m u:www:d:fd:deny $p || exit 1
getfacl $p
# file: /tank/project1
# owner: root
# group: wheel
          user:www:-----d--------:fd----:deny
          user:www:rwx---a-------:fd----:allow
        user:user1:rwxpDdaARWcCos:fd----:allow
            owner@:rwx-----------:fd----:allow
            group@:--------------:fd----:allow
         everyone@:--------------:fd----:allow

su -m $u -c "touch $f"
getfacl $f
# file: /tank/project1/test2
# owner: user1
# group: wheel
          user:www:-----d--------:------:deny
          user:www:rw----a-------:------:allow
        user:user1:rw-pDdaARWcCos:------:allow
            owner@:rw------------:------:allow
            group@:--------------:------:allow
         everyone@:--------------:------:allow

su -m www -c "ls -l $f"
ls: /tank/project1/test2: Permission denied
-rw-------  1 user1  wheel  0 Dec 19 14:23 /tank/project1/test2

su -m www -c "rm $f"
ls -l $f
ls: /tank/project1/test2: No such file or directory

How-To-Repeat: p="/tank/project1"
f="$p/test2"
u="user1"

rm -f $f
setfacl -b $p

setfacl -m group@::fd:allow $p || exit 1
setfacl -m everyone@::fd:allow $p || exit 1
setfacl -m owner@:rwx:fd:allow $p || exit 1
setfacl -m u:$u:full_set:fd:allow $p || exit 1

setfacl -m u:www:rwxa:fd:allow $p || exit 1
setfacl -m u:www:d:fd:deny $p || exit 1
getfacl $p

su -m $u -c "touch $f"
getfacl $f

su -m www -c "ls -l $f"

su -m www -c "rm $f"
ls -l $f
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2013-01-07 03:59:39 UTC 
Responsible Changed
From-To: freebsd-bugs->freebsd-fs

Over to maintainer(s).
Comment 2 Edward Tomasz Napierala freebsd_committer freebsd_triage 2013-01-15 16:57:28 UTC 
Responsible Changed
From-To: freebsd-fs->trasz

I'll take it.
Comment 3 Edward Tomasz Napierala freebsd_committer freebsd_triage 2013-04-01 14:25:50 UTC 
State Changed
From-To: open->closed

FreeBSD implements draft-ietf-nfsv4-minorversion1-03.txt, and the delete 
semantics is... complicated.  In short: if you have 'delete' or 
'delete_child' permission, the delete is allowed.  If 'delete_child' 
(but not 'delete') is explicitly denied, then removal is denied. 
Otherwise, fall back to the traditional unix semantics.