What I am trying to do is add an NFS v4 ACL that allows a directory's child, grandchild, great-grandchild etc. directories and files to inherit a delete ('D') flag under Linux. The underlying file system on the server is xfs and .
I'm not particularly familiar with either.
The server is Centos 6.3, the client is Centos 6.4.
By my reading of the man page the 'i' flag means set this ACL on child files/dirs, but don't apply it to the current dir.
I am not setting the 'i' flag on the parent (/var/www/tauweb), but it seems to be getting set on any child dirs that are created.
What happens when I write the following ACEs using nfs4_getfacl on the dir /var/www/tauweb:
A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:rxtcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:GROUP@:rxtcy
A:dg:[email protected]:rwaDxtcy
A:fdi:EVERYONE@:rxtcy
is that the system actually writes this:
[root@tau www]# nfs4_getfacl tauweb/
A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A:g:[email protected]:rwaDxtcy
A::EVERYONE@:rxtcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:GROUP@:rxtcy
A:fdig:[email protected]:rwaDxtcy
A:fdi:EVERYONE@:rxtcy
Note the 'i' in the second to last user tau entry. That was not set when I edited the ACEs but was present immediately - the system seems to add it.
Now reading all the doco I can find indicates the "dg" after the first colon in the top set of ACEs should cause the ACL to be inherited to child dirs (as I understand it the 'g' indicates that the principal is a group, not a user).
Now the "i" flag apparently means, cause this ACE to be inherited but do not consider it in actual perm checks.
Then when a child dir /var/www/tauweb/d2 is created it gets these:
[kkassahn@tau tauweb]$ nfs4_getfacl d2/
A::OWNER@:rwaDxtTcCy
A::GROUP@:rxtcy
A:g:[email protected]:rxtcy
A::EVERYONE@:rxtcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:GROUP@:rxtcy
A:fdig:[email protected]:rwaDxtcy
A:fdi:EVERYONE@:rxtcy
And the grandchild /var/www/tauweb/d2/d3 gets these:
[kkassahn@tau tauweb]$ nfs4_getfacl d2/d3/
A::OWNER@:rwaDxtTcCy
A::GROUP@:rxtcy
A:g:[email protected]:rxtcy
A::EVERYONE@:rxtcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:GROUP@:rxtcy
A:fdig:[email protected]:rwaDxtcy
A:fdi:EVERYONE@:rxtcy
Now d2 is deletable - because its parent /var/www/tauweb has the A:g:[email protected]:rwaDxtcy ACE.
But that ACE does not get inherited.
Only A:g:[email protected]:rxtcy gets applied to d2 and d3, although the inherit-but-don't-consult A:fdig:[email protected]:rwaDxtcy gets inherited by children, grandchildren etc.
Any help or suggestions greatly appreciated, thanks.
I found the cause of this problem. It appears that NFS v4 ACLs apply the user's umask. My users had a umask of 002, so the lack of write on others was causing the 'w', 'a', 'd' and 'D' flags to be removed.
As far as I can tell this behavior is different to POSIX ACLs.
In any case the solution for me was to set the user's umask to 0.
In my case one of the users was apache, so I set umask 000 in /etc/init.d/http. The other users were all chrooted SFTP users and I used pam_umask in the ssh PAM config to set their umask to 000.
A friend of mine found some discussion of the issue here: http://www.spinics.net/lists/linux-nfs/msg27799.html
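An added audit check, not code from the question or the answer above, that detects the symptom both describe: it parses nfs4_getfacl output and reports, per principal, the bits the inheritable ('i') ACE grants that the object's effective ACE lacks, which on the d2 listing are w, a and D, the umask effect named in the answer. The listing and the principal tau@example.com are constructed from the d2 output in the question (the real group name is obfuscated on the page).

```python
# Permission letters in the order nfs4_setfacl(1) lists them, so a report
# shows missing bits in a familiar order ("waD" rather than "Daw").
PERM_ORDER = "rwadDxtTnNcCoy"

# Constructed sample: the nfs4_getfacl listing of the child directory d2 from
# the post, with the placeholder principal tau@example.com standing in for the
# real group name, which is obfuscated on the page.
SAMPLE_D2 = """\
A::OWNER@:rwaDxtTcCy
A::GROUP@:rxtcy
A:g:tau@example.com:rxtcy
A::EVERYONE@:rxtcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:GROUP@:rxtcy
A:fdig:tau@example.com:rwaDxtcy
A:fdi:EVERYONE@:rxtcy
"""


def parse_aces(text):
    """Parse nfs4_getfacl output into (type, flags, principal, perms) tuples."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):  # skip blanks and '# file:' lines
            aces.append(tuple(line.split(":", 3)))
    return aces


def stripped_inherited_bits(text):
    """Return {principal: bits} where the inherit-only ('i') ALLOW ACE grants
    bits that the effective ACE on this object lacks.

    A child's effective ACE is derived from the parent's 'fdi' ACE, so any bit
    missing here was stripped at creation time (the umask effect from the post).
    """
    effective, inheritable = {}, {}
    for ace_type, flags, principal, perms in parse_aces(text):
        if ace_type == "A":  # key includes the 'g' flag: user vs group of same name
            (inheritable if "i" in flags else effective)[principal, "g" in flags] = perms
    report = {}
    for key, inh in inheritable.items():
        eff = effective.get(key)
        if eff is not None:
            lost = "".join(c for c in PERM_ORDER if c in inh and c not in eff)
            if lost:
                report[key[0]] = lost
    return report


if __name__ == "__main__":
    for who, bits in stripped_inherited_bits(SAMPLE_D2).items():
        print(f"{who}: inherited ACE lost {bits!r}")  # tau@example.com: 'waD'
```

Run it against `nfs4_getfacl <dir>` output on each directory under the share to confirm the umask fix actually took effect for every user, not only for the one that was tested by hand.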