On Wed, May 15, 2013 at 11:47 PM, Paul B. Henson <span dir="ltr"><<a href="mailto:henson@acm.org" target="_blank">henson@acm.org</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On 5/12/2013 1:21 PM, Natxo Asenjo wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
mm, when using scp it bypasses the acl as well ..., grrr.<br>
</blockquote>
<br></div>
Even with aclmode=restricted?<br></blockquote></div><br>Strangely enough, on one share yes, the other no. The difference is the share root dir permissions:<br><br># /bin/ls -vd /tank/testshare/<br>drwxrwxrwx+ 10 root     root          10 May 16 07:31 /tank/testshare/<br>
     0:everyone@:list_directory/read_data/add_file/write_data<br>         /add_subdirectory/append_data/read_xattr/write_xattr/execute<br>         /delete_child/read_attributes/write_attributes/delete/read_acl<br>         /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow<br>
<br># bin/ls -vd /tank/fotos/<br>d---------+289 root     root         290 May 16 07:32 /tank/fotos/<br>     0:user:username:list_directory/read_data/add_file/write_data<br>         /add_subdirectory/append_data/read_xattr/write_xattr/execute<br>
         /delete_child/read_attributes/write_attributes/delete/read_acl<br>         /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow<br><br>On /tank/fotos, when I scp as root, the root umask sets extra ACEs; on the /tank/testshare dir, when I scp as root, the ACE is respected.<br>
<br>root@zfstank:~# zfs get all tank/testshare | grep acl<br>tank/testshare  aclmode               restricted              local<br>tank/testshare  aclinherit            passthrough             local<br>root@zfstank:~# zfs get all tank/fotos | grep acl<br>
tank/fotos  aclmode               restricted             local<br>tank/fotos  aclinherit            passthrough            local<br><br>$ scp -r dosbox/ root@zfstank:/tank/testshare/testdir<br><br># /bin/ls -vd /tank/testshare/testdir/<br>
drwxrwxrwx+  4 root     root           5 May 16 22:03 /tank/testshare/testdir/<br>     0:everyone@:list_directory/read_data/add_file/write_data<br>         /add_subdirectory/append_data/read_xattr/write_xattr/execute<br>         /delete_child/read_attributes/write_attributes/delete/read_acl<br>
         /write_acl/write_owner/synchronize:file_inherit/dir_inherit<br>         /inherited:allow<br><br>$ scp -r dosbox/ root@zfstank:/tank/fotos/testdir<br><br># /bin/ls -vd /tank/fotos/testdir    <br>drwxr-xr-x+  4 root     root           5 May 16 22:03 /tank/fotos/testdir/<br>
     0:user:username:list_directory/read_data/add_file/write_data<br>         /add_subdirectory/append_data/read_xattr/write_xattr/execute<br>         /delete_child/read_attributes/write_attributes/delete/read_acl<br>         /write_acl/write_owner/synchronize:file_inherit/dir_inherit<br>
         /inherited:allow<br>     1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory<br>         /append_data/read_xattr/write_xattr/execute/read_attributes<br>         /write_attributes/read_acl/write_acl/write_owner/synchronize:allow<br>
     2:group@:list_directory/read_data/read_xattr/execute/read_attributes<br>         /read_acl/synchronize:allow<br>     3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes<br>         /read_acl/synchronize:allow<br>
<br>Strange. I am going to open a bug with Red Hat to see if they can get to fix coreutils and the ssh client to respect NFSv4 ACEs instead of bypassing the stuff. We'll see.<br><br>-- <br>groet,<br>natxo<br>
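The two listings in the message differ in exactly one respect: the directory created under /tank/testshare carries only the ACE it inherited from the parent, while the one created under /tank/fotos carries three additional owner@/group@/everyone@ entries that do not have the inherited flag. The Python script below is an added example, not code from the thread or from any of the projects mentioned; it parses the `ls -v` NFSv4 ACL output format used in the message (the two sample listings are constructed from the quoted output) and reports which ACEs were not inherited, which is the check to run after a copy to confirm that nothing beyond the parent's inheritable entry ended up on the new directory.

```python
"""Parse `ls -v` NFSv4 ACL listings and flag ACEs that lack the `inherited` flag.

Added example, not part of the mailing-list message. The sample listings are
constructed to match the output quoted there; the parsing rules are for the
wrapped `ls -v` format shown in that output.
"""
import re
from dataclasses import dataclass


@dataclass
class Ace:
    index: int
    who: str            # owner@ / group@ / everyone@ / user:NAME / group:NAME
    perms: tuple        # e.g. ("list_directory", "read_data", ...)
    flags: tuple        # e.g. ("file_inherit", "dir_inherit", "inherited")
    kind: str           # "allow" or "deny"

    @property
    def inherited(self) -> bool:
        return "inherited" in self.flags


def _join_continuations(lines):
    """ls -v wraps long ACEs; continuation lines are indented and start with '/'."""
    joined = []
    for line in lines:
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("/") and joined:
            joined[-1] += stripped
        else:
            joined.append(stripped)
    return joined


ACE_RE = re.compile(r"^(\d+):(.*)$")


def parse_ls_v(text):
    """Return (mode_string, [Ace, ...]) for one `ls -vd DIR` listing."""
    lines = _join_continuations(text.splitlines())
    mode = lines[0].split()[0]          # e.g. "drwxr-xr-x+"
    aces = []
    for line in lines[1:]:
        m = ACE_RE.match(line)
        if not m:
            continue
        idx, entry = int(m.group(1)), m.group(2)
        parts = entry.split(":")
        kind = parts[-1]
        if parts[0] in ("user", "group"):       # named principal: "user:name"
            who, rest = parts[0] + ":" + parts[1], parts[2:-1]
        else:                                    # owner@, group@, everyone@
            who, rest = parts[0], parts[1:-1]
        perms = tuple(rest[0].split("/")) if rest else ()
        flags = tuple(rest[1].split("/")) if len(rest) > 1 else ()
        aces.append(Ace(idx, who, perms, flags, kind))
    return mode, aces


def non_inherited_aces(text):
    """ACEs present on the object that were not inherited from its parent."""
    _, aces = parse_ls_v(text)
    return [a for a in aces if not a.inherited]


# Constructed sample listings, matching the two scp-created directories in the message.
TESTSHARE_TESTDIR = """\
drwxrwxrwx+  4 root     root           5 May 16 22:03 /tank/testshare/testdir/
     0:everyone@:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:file_inherit/dir_inherit
         /inherited:allow
"""

FOTOS_TESTDIR = """\
drwxr-xr-x+  4 root     root           5 May 16 22:03 /tank/fotos/testdir/
     0:user:username:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:file_inherit/dir_inherit
         /inherited:allow
     1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/read_xattr/write_xattr/execute/read_attributes
         /write_attributes/read_acl/write_acl/write_owner/synchronize:allow
     2:group@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow
     3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow
"""

if __name__ == "__main__":
    for name, listing in (("testshare", TESTSHARE_TESTDIR), ("fotos", FOTOS_TESTDIR)):
        mode, aces = parse_ls_v(listing)
        extra = non_inherited_aces(listing)
        print(f"{name}: mode {mode}, {len(aces)} ACEs, "
              f"{len(extra)} not inherited: {[a.who for a in extra]}")
```

Run against real output with `ls -vd DIR | python3 script.py`-style piping is a small change (read `sys.stdin` instead of the constants); the parser deliberately splits the principal from the right so that `user:NAME` and `group:NAME` entries, which contain an extra colon, are handled the same way as `owner@`/`group@`/`everyone@`.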