2012-12-05 09:48:06

by Florian Manschwetus

Subject: nfs4 acl problems using Nexenta-Communityedition Server and debian testing clients

I set up a little network using a central storage server based on
nexenta-Communityedition; clients use homes and several shares via nfs4.
As we have some shares used for web development purposes, it is desired to
have acls inherited for specific groups' access and user access
(webserver user). I also have trouble with sticky-bit inheritance, which
is needed as the linux gui tools are unaware of nfs-acls. Are there plans to
improve support for nfs acls?

Maybe someone here has a solaris nfs server running successfully with
linux clients using extended acls, with inheritance working as expected?

It is really annoying having users not allowed to view/edit files/dirs
they copied just a moment ago.

regards,
Florian


2012-12-05 18:21:10

by Myklebust, Trond

Subject: Re: nfs4 acl problems using Nexenta-Communityedition Server and debian testing clients

On Wed, 2012-12-05 at 17:23 +0100, Florian Manschwetus wrote:
> On 05.12.2012 16:41, Myklebust, Trond wrote:
> > On Wed, 2012-12-05 at 10:48 +0100, Florian Manschwetus wrote:
> >> I setup a little network using a central storage server based on
> >> nexenta-Communityedition clients use homes and several shares via nfs4.
> >> As we have some shares used for webdevelopment purposes it is desired to
> >> have acls inherited for specific groups access and user access
> >
> > Inherited acls are inherently incompatible with basic POSIX
> > open(O_CREAT). The latter takes a mode bit argument that will clobber
> > your inherited acl.
> >
> >> (webserver user). I also have trouble with sticky-bit inheritance, which
> >> is needed as the linux gui tools unaware of nfs-acls. Are there plans to
> >> improve support for nfs acls?
> >>
> >> Maybe someone here have successfully a solaris nfs server running with
> >> linux clients using extended acls, with inheritance working as expected?
> >>
> >> It is really annoying having users not allowed to view/edit files/dirs
> >> they copied just the moment.
> >
> > This is not the right list for requesting gui tool changes. The right
> > address would be the GNOME, KDE and XFCE project mail lists.
> >
> Sounds reasonable, but at least a cp -r /share/orig /share/copy should
> produce a copy with expected acls (as defined on /share).
>
> My normal outcoming is that the user coping the directory is unallowed
> to access it, by @owner-deny ace. Which is really ugly. Unfortunately I
> can't find a mode making the server to enforce correct inheritance
> (disallowing the users to alter acls, mode, etc via nfs, maybe with
> nfs-acls tools but this isn't really needed).

Doesn't the '--preserve=xattr' argument help?

-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@netapp.com
www.netapp.com

2012-12-05 15:41:56

by Myklebust, Trond

Subject: Re: nfs4 acl problems using Nexenta-Communityedition Server and debian testing clients

On Wed, 2012-12-05 at 10:48 +0100, Florian Manschwetus wrote:
> I setup a little network using a central storage server based on
> nexenta-Communityedition clients use homes and several shares via nfs4.
> As we have some shares used for webdevelopment purposes it is desired to
> have acls inherited for specific groups access and user access

Inherited acls are inherently incompatible with basic POSIX
open(O_CREAT). The latter takes a mode bit argument that will clobber
your inherited acl.

> (webserver user). I also have trouble with sticky-bit inheritance, which
> is needed as the linux gui tools unaware of nfs-acls. Are there plans to
> improve support for nfs acls?
>
> Maybe someone here have successfully a solaris nfs server running with
> linux clients using extended acls, with inheritance working as expected?
>
> It is really annoying having users not allowed to view/edit files/dirs
> they copied just the moment.

This is not the right list for requesting gui tool changes. The right
address would be the GNOME, KDE and XFCE project mail lists.

-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@netapp.com
www.netapp.com

2012-12-05 16:24:00

by Florian Manschwetus

Subject: Re: nfs4 acl problems using Nexenta-Communityedition Server and debian testing clients

On 05.12.2012 16:41, Myklebust, Trond wrote:
> On Wed, 2012-12-05 at 10:48 +0100, Florian Manschwetus wrote:
>> I setup a little network using a central storage server based on
>> nexenta-Communityedition clients use homes and several shares via nfs4.
>> As we have some shares used for webdevelopment purposes it is desired to
>> have acls inherited for specific groups access and user access
>
> Inherited acls are inherently incompatible with basic POSIX
> open(O_CREAT). The latter takes a mode bit argument that will clobber
> your inherited acl.
>
>> (webserver user). I also have trouble with sticky-bit inheritance, which
>> is needed as the linux gui tools unaware of nfs-acls. Are there plans to
>> improve support for nfs acls?
>>
>> Maybe someone here have successfully a solaris nfs server running with
>> linux clients using extended acls, with inheritance working as expected?
>>
>> It is really annoying having users not allowed to view/edit files/dirs
>> they copied just the moment.
>
> This is not the right list for requesting gui tool changes. The right
> address would be the GNOME, KDE and XFCE project mail lists.
>
Sounds reasonable, but at least a cp -r /share/orig /share/copy should
produce a copy with the expected acls (as defined on /share).

My usual outcome is that the user copying the directory is not allowed
to access it, due to an @owner-deny ace. Which is really ugly. Unfortunately I
can't find a mode making the server enforce correct inheritance
(disallowing the users to alter acls, mode, etc. via nfs, maybe with
nfs-acls tools but this isn't really needed).

Regards,
Florian
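
Added example, not part of the thread and not the algorithm of any NFS server or of ZFS: a simplified Python model of the conflict described above, in which the mode passed to open(O_CREAT) is reconciled with the ACEs a new file inherits from its parent directory. The principal names, the sample ACL, the umask handling and the masking policy in `apply_mode` are assumptions made for illustration.

```python
from collections import namedtuple

R, W, X = 4, 2, 1                      # rwx bits of one octal mode digit
Ace = namedtuple("Ace", "kind who perms inheritable")

# Constructed ACL on the shared directory (principal names are hypothetical).
SHARE_ACL = [
    Ace("allow", "owner@", R | W | X, True),
    Ace("allow", "group:webdev", R | W, True),
    Ace("allow", "user:www-data", R, True),
    Ace("allow", "user:backup", R, False),   # not inheritable
]

def inherit(parent_acl):
    """Entries a newly created file receives from its parent directory."""
    return [Ace(a.kind, a.who, a.perms, False) for a in parent_acl if a.inheritable]

def apply_mode(acl, mode):
    """Assumed policy: the mode digits replace owner@/group@/everyone@, and
    allow entries for named users and groups are capped at the group digit."""
    digits = {"owner@": (mode >> 6) & 7, "group@": (mode >> 3) & 7, "everyone@": mode & 7}
    out = [Ace("allow", who, bits, False) for who, bits in digits.items()]
    for a in acl:
        if a.who in digits:
            continue                   # superseded by the mode digits
        perms = a.perms & digits["group@"] if a.kind == "allow" else a.perms
        out.append(Ace(a.kind, a.who, perms, False))
    return out

def create(parent_acl, mode, umask):
    """Model of open(path, O_CREAT, mode) in a directory with an inheritable ACL."""
    return apply_mode(inherit(parent_acl), mode & ~umask)

def effective(acl, who):
    """Permission bits granted to one principal, evaluating ACEs in order."""
    granted = denied = 0
    for a in acl:
        if a.who != who:
            continue
        if a.kind == "allow":
            granted |= a.perms & ~denied
        else:
            denied |= a.perms & ~granted
    return granted

if __name__ == "__main__":
    for mode, umask in [(0o600, 0o022), (0o666, 0o022), (0o666, 0o002)]:
        acl = create(SHARE_ACL, mode, umask)
        print(oct(mode), oct(umask), {w: effective(acl, w) for w in ("owner@", "group:webdev", "user:www-data")})
```

In this model a file created with mode 0600 leaves the inherited group entry with no permissions at all, while the same inherited ACL survives intact only when the creating program asks for 0666 under a umask of 002.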