[OpenIndiana-discuss] Office apps unable to write to ZFS over CIFS

Mike La Spina mike.laspina at laspina.ca
Sun Jul 1 15:31:32 UTC 2012


There are some key elements missing from the presented Oracle document clip. e.g.

*The primary rules of ACL access on a ZFS file follow:

    *ZFS processes ACL entries in the order they are listed in the ACL, from the top down.

    *Only ACL entries that have a "who" that matches the requester of the access are processed.

    *After an allow permission has been granted, it cannot be denied by a subsequent ACL deny entry in the same ACL permission set.

    *The owner of a file is granted the write_acl permission unconditionally, even if the permission is explicitly denied. Otherwise, any permission left unspecified is denied.

    *In cases of deny permissions or when an access permission for a file is missing, the privilege subsystem determines what access request is granted for the owner of the file or for superuser. This mechanism prevents owners of files from getting locked out of their files and enables superuser to modify files for recovery purposes.

ACLs are processed primarily on the explicit entries first. Any explicit ACE will be acted on and will override an inherited one. This follows Microsoft-defined rules for processing ACLs. The statement indicating "who" matches is the key definition of explicit. So in the case of an inherited permission the explicit deny will have precedence provided that there are no other explicit allow ACEs processed before it.

http://technet.microsoft.com/en-us/library/cc783530(WS.10).aspx

-----Original Message-----
From: Gordon Ross [mailto:gordon.w.ross at gmail.com] 
Sent: Saturday, June 30, 2012 11:15 PM
To: Discussion list for OpenIndiana
Subject: Re: [OpenIndiana-discuss] Office apps unable to write to ZFS over CIFS

On Sat, Jun 30, 2012 at 7:00 PM, Martin Frost <me at cs.stanford.edu> wrote:
> Thanks to all for the replies.  The Oracle Solaris documentation here:
>
>   http://docs.oracle.com/cd/E19253-01/819-5461/ftyxi/index.html
>
> says:
>
>     The primary rules of ACL access on a ZFS file follow:
>
>     * ZFS processes ACL entries in the order they are listed
>         in the ACL, from the top down.
>
>     * After an allow permission has been granted, it cannot be denied
>         by a subsequent ACL deny entry in the same ACL permission set.

Interesting.  That's not how MS defined the ACL evaluation algorithm.
I thought the point of NFSv4/ZFS ACLs was to be Windows compatible, so I wonder if this was an intentional difference or an accident? (bug)

--
Gordon Ross <gwr at nexenta.com>
Nexenta Systems, Inc.  www.nexenta.com
Enterprise class storage for everyone
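
The ACL rules quoted in this thread from the Oracle documentation, modeled as an added example (not part of any message in the thread and not ZFS source code). It is a simplified model: the privilege-subsystem fallback for owner and superuser is left out, and the names `Ace`, `who_matches`, `check_access` and the sample ACLs are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    who: str            # owner@, group@, everyone@, user:NAME or group:NAME
    kind: str           # "allow" or "deny"
    perms: frozenset    # e.g. frozenset({"write_data"})

def who_matches(ace, user, groups, owner, owning_group):
    """Only entries whose "who" matches the requester are processed."""
    if ace.who == "everyone@":
        return True
    if ace.who == "owner@":
        return user == owner
    if ace.who == "group@":
        return owning_group in groups
    kind, _, name = ace.who.partition(":")
    return (kind == "user" and name == user) or (kind == "group" and name in groups)

def check_access(acl, user, groups, owner, owning_group, wanted):
    """Return True if every permission in `wanted` is granted by `acl`."""
    remaining = set(wanted)
    if user == owner:
        remaining.discard("write_acl")   # owner keeps write_acl unconditionally
    for ace in acl:                      # processed top down, in listed order
        if not remaining:
            break                        # all granted; a later deny cannot revoke
        if not who_matches(ace, user, groups, owner, owning_group):
            continue
        if ace.kind == "allow":
            remaining -= ace.perms
        elif remaining & ace.perms:
            return False                 # deny hit a permission not yet allowed
    return not remaining                 # anything left unspecified is denied

# Constructed sample ACLs (not taken from the thread).
W = frozenset({"write_data"})
ALLOW_FIRST = [Ace("user:alice", "allow", W), Ace("group:staff", "deny", W)]
DENY_FIRST = list(reversed(ALLOW_FIRST))

def demo():
    # alice is in group staff; the file is owned by bob:staff.
    args = ("alice", {"staff"}, "bob", "staff", {"write_data"})
    return check_access(ALLOW_FIRST, *args), check_access(DENY_FIRST, *args)

if __name__ == "__main__":
    print(demo())
```

The same two entries give opposite results depending only on their order, which is why a deny entry placed above an allow entry blocks a write that the allow entry would otherwise grant.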
