From: Fabian Keil
To: Marc Peters
Cc: freebsd-fs@freebsd.org
Date: Tue, 12 Jun 2012 16:42:06 +0200
Subject: Re: ZFS deletes ACLs when root edits a file
Message-ID: <20120612164206.6a573136@fabiankeil.de>
In-Reply-To: <4FD74858.6070705@mpeters.org>

Marc Peters wrote:

> I observed a strange behaviour when using ACLs on a ZFS filesystem.
> When a file has ACLs set and is edited by a user, the ACLs get lost
> when the file is edited and saved.
>
> How to repeat:
>
> > mount
> /dev/aacd0s1a on / (ufs, local)
> devfs on /dev (devfs, local, multilabel)
> /dev/aacd0s1d on /var (ufs, local, soft-updates)
> appdata on /appdata (zfs, local, nfsv4acls)
> /dev/md0 on /appdata/www/cache (ufs, local, soft-updates)
>
> > ls -al
> total 3
> drwxr-xr-x 2 mpeters wheel 2 Jun 12 15:31 .
> drwxr-xr-x 5 root wheel 5 Jun 12 15:29 ..
> > touch test.file
> > ls -al
> total 4
> drwxr-xr-x 2 mpeters wheel 3 Jun 12 15:32 .
> drwxr-xr-x 5 root wheel 5 Jun 12 15:29 ..
> -rw-r--r-- 1 mpeters wheel 0 Jun 12 15:32 test.file
> > getfacl test.file
> # file: test.file
> # owner: mpeters
> # group: wheel
> owner@:rw-p--aARWcCos:------:allow
> group@:r-----a-R-c--s:------:allow
> everyone@:r-----a-R-c--s:------:allow
> > setfacl -m user:nobody:rwx::allow test.file
> > ls -al
> total 4
> drwxr-xr-x 2 mpeters wheel 3 Jun 12 15:32 .
> drwxr-xr-x 5 root wheel 5 Jun 12 15:29 ..
> -rw-r--r--+ 1 mpeters wheel 0 Jun 12 15:32 test.file
> > getfacl test.file
> # file: test.file
> # owner: mpeters
> # group: wheel
> user:nobody:rwx-----------:------:allow
> owner@:rw-p--aARWcCos:------:allow
> group@:r-----a-R-c--s:------:allow
> everyone@:r-----a-R-c--s:------:allow
> > vim test.file
> (do some editing here)
> "test.file" 2 lines, 12 characters written
> > ls -al
> total 4
> drwxr-xr-x 2 mpeters wheel 3 Jun 12 15:35 .
> drwxr-xr-x 5 root wheel 5 Jun 12 15:29 ..
> -rw-r--r-- 1 mpeters wheel 12 Jun 12 15:35 test.file
> > getfacl test.file
> # file: test.file
> # owner: mpeters
> # group: wheel
> owner@:rw-p--aARWcCos:------:allow
> group@:r-----a-R-c--s:------:allow
> everyone@:r-----a-R-c--s:------:allow
>
> As you can see, the ACL for user nobody is gone.
>
> Is this behaviour intended?

It is expected if vim replaced the original test.file with a modified
file with the same name, instead of actually editing the original file
directly.
To confirm that this is happening you could truss vim or run
"ls -i test.file" before and after using vim (this is probably
less reliable, though).

The ACLs shouldn't get lost if you really modify the original,
for example with:

echo blafasel >> test.file

Fabian
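
Added example (not part of the original message): the two save strategies discussed in the reply, with the "ls -i" inode comparison done before and after each one. The function names and the temporary directory are made up for this illustration.

```sh
#!/bin/sh
# An in-place write keeps the file (same inode, same ACL). A "write a new
# file, rename it over the old name" save leaves a different file under the
# same name, created fresh and therefore without the ACL entries that were
# set on the original.

# Print the inode number of a file (what "ls -i test.file" shows).
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# Strategy 1: modify the existing file directly, like "echo ... >> file".
save_in_place() {
    printf '%s\n' "$2" >> "$1"
}

# Strategy 2: build a new file next to the original, then rename it over
# the original name. The name survives, the original file does not.
save_by_rename() {
    tmp="$1.tmp.$$"
    cat "$1" > "$tmp" && printf '%s\n' "$2" >> "$tmp" && mv -f "$tmp" "$1"
}

# Run one strategy on a file and report whether the name still refers to
# the same file afterwards. Prints "same" or "replaced".
check_save() {
    strategy="$1"; file="$2"
    before=$(inode_of "$file")
    "$strategy" "$file" "edited"
    after=$(inode_of "$file")
    if [ "$before" = "$after" ]; then echo same; else echo replaced; fi
}

# Constructed demo in a throwaway directory.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/test.file"
    echo "in place:  $(check_save save_in_place "$dir/test.file")"
    echo "by rename: $(check_save save_by_rename "$dir/test.file")"
    rm -rf "$dir"
}
demo
```

In vim the 'backupcopy' option selects between these two behaviours. Any tool that saves by rename has to copy the ACL to the new file itself if the entries are to survive.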