Date:      Thu, 30 Aug 2012 23:42:54 +0000
From:      Doug Sampson <dougs@dawnsign.com>
To:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>, "'trasz@freebsd.org'" <trasz@freebsd.org>
Subject:   NFSv4 ACL permissions setting
Message-ID:  <E6B2517F8D6DBF4CABB8F38ACA367E780CF4582E@Draco.dawnsign.com>

Hello all-

I've set up ZFS on a FreeBSD 9.0 64-bit server recently. One of the things I've had to learn relates to NFSv4 ACLs. I've developed two scripts to reset permissions: one for files and the other for folders. I've run into an issue with executing a script to set permissions on a bunch of folders.

The root filesystem is /data. There are a bunch of subfolders followed by more subfolders. Allow me to demonstrate as follows:

dougs@dorado:/# getfacl ./data
# file: ./data
# owner: root
# group: DSP-production
group:DSP-production:rwxpDdaARWcCos:fd----:allow
group:DSP-marketing:rwxpDdaARWcCos:fd----:allow
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c--s:------:allow
dougs@dorado:/# cd data
dougs@dorado:/data# ll
total 45
drwxrwx---+  5 root  DSP-production     5 Aug 28 10:27 ADS-New
drwxrwx---+ 60 root  DSP-production   118 Aug 27 14:17 ADS-OLD
   [ .. snip .. ]
drwxrwx---+ 12 root  DSP-production    12 Aug 27 14:16 WorkinProgress
dougs@dorado:/data# getfacl ./ADS-New/
# file: ./ADS-New/
# owner: root
# group: DSP-production
group:DSP-production:rwxpDdaARWcCos:fd----:allow
group:DSP-marketing:rwxpDdaARWcCos:fd----:allow
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:------a-R-c--s:------:allow
dougs@dorado:/data# cd ./ADS-New/
dougs@dorado:/data/ADS-New# ll
total 9
drwxrwx---+  5 root  nobody   7 Aug 27 14:20 Artworks
drwxrwx---+  4 root  nobody   4 Jul 17 12:12 ForDSP
drwxrwx---+ 78 root  nobody  78 Jul 23 13:17 ForMarketing
dougs@dorado:/data/ADS-New# /root/bin/reset-perms-prod-mkt-dirs.sh
dougs@dorado:/data/ADS-New# getfacl ./Artworks/
# file: ./Artworks/
# owner: root
# group: nobody
group:DSP-production:rwxpDdaARWcCos:fd----:allow               <<<<<-----
group:DSP-production:rwxpDdaARWcCos:fd----:allow               <<<<<-----
group:DSP-marketing:rwxpDdaARWcCos:fd----:allow
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:------a-R-c--s:------:allow
dougs@dorado:/data/ADS-New# cd Artworks/
dougs@dorado:/data/ADS-New/Artworks# ll
total 4234
drwxrwx---+ 2 root         nobody                2 Jul 17 12:08 Ask JoeS
drwxrwx---+ 2 root         nobody               10 Jul 17 12:12 Cool -  AD
d-w-rwx---+ 2 DSP-alfredo  nobody                2 Aug 27 14:20 Jaye Additional Art
-rwxrwx---+ 1 root         DSP-production  3770445 Mar 11  2010 comingsoonIntNepal.pdf
-rwxrwx---+ 1 root         DSP-production   415338 Mar 11  2010 previewcopy.pdf
dougs@dorado:/data/ADS-New/Artworks# cd Ask\ JoeS/
dougs@dorado:/data/ADS-New/Artworks/Ask JoeS# cd ..
dougs@dorado:/data/ADS-New/Artworks# getfacl Ask\ JoeS/
# file: Ask JoeS/
# owner: root
# group: nobody
group:DSP-production:rwxpDdaARWcCos:fd----:allow               <<<<<-----
group:DSP-marketing:rwxpDdaARWcCos:fd----:allow
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:------a-R-c--s:------:allow
dougs@dorado:/data/ADS-New/Artworks#

As you can see, the ADS-New folder where I executed the script shows duplicate entries of the DSP-production group whereas the "Ask Joe" subfolder underneath the ADS-New folder shows only one DSP-production group. If I run this script on the ADS-OLD folder, I see the same effect: only the first level of subfolders get duplicate DSP-production entries while the rest of the subfolders only contain one entry of the DSP-production group. Why is this happening?

The contents of /root/bin/reset-perms-prod-mkt-dirs.sh are as follows:

#!/bin/sh
# run this script where you wish to effect the changes
# reset perms to default
find . -type d -print0 | xargs -0 setfacl -b *
# apply perms to files
find . -type d -print0 | xargs -0 setfacl -m group@:full_set:fd:allow *
find . -type d -print0 | xargs -0 setfacl -m owner@:full_set:fd:allow *
find . -type d -print0 | xargs -0 setfacl -m g:dsp-marketing:full_set:fd:allow *
find . -type d -print0 | xargs -0 setfacl -m g:dsp-production:full_set:fd:allow *

Um? Am I missing something?

~Doug
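As an added example (not part of Doug's message or his script), the sh functions below parse getfacl(1) output and report any ACE that is listed more than once, which is the thing to check after a bulk setfacl run; duplicates of this kind appear when the same path reaches `setfacl -m` twice, as happens when a shell glob such as the trailing `*` in the script above is expanded in the current directory and find's output is appended behind it. The sample ACL text is constructed from the Artworks listing above; check_tree invokes getfacl on a real tree and is not called here.

```sh
#!/bin/sh
# Added example: detect duplicate NFSv4 ACL entries in getfacl(1) output.

# Constructed sample, modelled on the "Artworks" listing in the post
# (the "<<<<<-----" markers there are annotations, not getfacl output).
SAMPLE_ACL='# file: ./Artworks/
# owner: root
# group: nobody
group:DSP-production:rwxpDdaARWcCos:fd----:allow
group:DSP-production:rwxpDdaARWcCos:fd----:allow
group:DSP-marketing:rwxpDdaARWcCos:fd----:allow
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:------a-R-c--s:------:allow'

# dup_aces: read getfacl output on stdin; print each ACE (comment lines
# dropped, leading blanks trimmed) that occurs more than once.
dup_aces() {
    grep -v '^#' | sed 's/^[[:space:]]*//' | grep -v '^$' | sort | uniq -d
}

# count_dup_aces: number of distinct duplicated ACEs in the text given as $1.
count_dup_aces() {
    printf '%s\n' "$1" | dup_aces | wc -l | tr -d ' '
}

# check_tree: run getfacl on every directory under $1 (default: current
# directory) and print those whose ACL carries duplicate ACEs. Meant for a
# FreeBSD host with NFSv4 ACLs; it is defined but not executed here.
check_tree() {
    find "${1:-.}" -type d -print | while IFS= read -r d; do
        dups=$(getfacl "$d" 2>/dev/null | dup_aces)
        if [ -n "$dups" ]; then
            printf '%s: duplicate ACE(s):\n%s\n' "$d" "$dups"
        fi
    done
}

# Usage on a live tree:   check_tree /data
```

Running check_tree over a tree after the reset script gives a quick confirmation of which directories were handed to setfacl more than once.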
