[BUG] nfs4xdr_setfacl -x removes all other entries

crlorentzen

Background:
TrueNAS SCALE allows the use of either POSIX or NFSv4 permissions. To manage NFSv4 permissions from the CLI one uses nfs4xdr_getfacl and nfs4xdr_setfacl.

Version: TrueNAS-SCALE-22.02.0

Problem Description:
The nfs4xdr_setfacl -x command acts like -s when using an acl_spec. When using an acl_spec it replaces instead of removes the specified acl.

Reproduction Steps:
1. On an NFSv4 dataset, run the following commands to create the test file:
Code:
touch x
nfs4xdr_setfacl -s user:10005:rwx-----------:-------:allow x
nfs4xdr_setfacl -a user:10004:rwx-----------:-------:allow x
nfs4xdr_setfacl -a user:10003:rwx-----------:-------:allow x
nfs4xdr_setfacl -a user:10002:rwx-----------:-------:allow x
nfs4xdr_setfacl -a user:10001:rwx-----------:-------:allow x
nfs4xdr_setfacl -a user:10000:rwx-----------:-------:allow x


The facl should look similar to
Code:
nfs4xdr_getfacl x
# File: x
# owner: 0
# group: 0
# mode: 0o100000
# trivial_acl: false
# ACL flags: none
        user:10000:rwx-----------:-------:allow
        user:10001:rwx-----------:-------:allow
        user:10002:rwx-----------:-------:allow
        user:10003:rwx-----------:-------:allow
        user:10004:rwx-----------:-------:allow
        user:10005:rwx-----------:-------:allow


2. Attempt to remove one line using the spec, e.g. the 3rd spec:
nfs4xdr_setfacl -x user:10003:rwx-----------:-------:allow x

The resulting facl is:
Code:
# File: x
# owner: 0
# group: 0
# mode: 0o100000
# trivial_acl: false
# ACL flags: none
        user:10003:rwx-----------:-------:allow

"--test" also shows the same resulting facl.

Expected Result:

When using -x 3 instead of the acl_spec, it acts as expected:

Code:
# File: x
# owner: 0
# group: 0
# mode: 0o100000
# trivial_acl: false
# ACL flags: none
        user:10000:rwx-----------:-------:allow
        user:10001:rwx-----------:-------:allow
        user:10002:rwx-----------:-------:allow
        user:10004:rwx-----------:-------:allow
        user:10005:rwx-----------:-------:allow


This was found on my home TrueNAS server, newly upgraded from CORE to SCALE: a generic Intel-based 16GB machine with 10TB of RAIDZ2, sharing with both SMB and NFSv4.

I have not exhaustively tested the nfs4xdr tooling, and could be doing this wrong, but I think I have proven that "-x" works correctly with the index, but with an acl_spec it acts like "-s".
 

crlorentzen

I am hoping someone else can confirm they also see this issue, or tell me if this is already a known issue.
 

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Did it work correctly on CORE, but not on SCALE?

If so, suggest you report-a-bug.
 

anodos

Sambassador
iXsystems
It's an internal tool for working with ACLs. In general the proper way to interact with them is through the middleware / webui.
From a convenience standpoint, it's simpler to just use the -e option and edit via vi. I can fix this feature in the future, but at this point it is a fairly low priority item (since it's not an officially supported way of interacting with them, and there are viable alternative ways of editing ACLs -- even within the tool itself).
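
As an added example (not part of the thread and not iXsystems code): shell helpers that resolve an acl_spec to its index in nfs4xdr_getfacl output, so the index form of -x that the report found to work can be used, and that check afterwards that exactly that one entry was removed. The helper names are hypothetical, the sample listings are constructed from the report's output, and 0-based indexing is inferred from the report's "-x 3" result.

```shell
#!/bin/sh
# Added example. Constructed sample: the six-entry listing from the report.
sample_before() {
    printf '# File: x\n# owner: 0\n# ACL flags: none\n'
    for id in 10000 10001 10002 10003 10004 10005; do
        printf '        user:%s:rwx-----------:-------:allow\n' "$id"
    done
}
# Constructed sample: the listing the report shows after "-x <acl_spec>".
sample_after_bug() {
    printf '# File: x\n# ACL flags: none\n'
    printf '        user:10003:rwx-----------:-------:allow\n'
}

# Print only the ACL entries of a getfacl listing (stdin), one per line, trimmed.
acl_entries() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print }'
}

# Print the 0-based index of the entry equal to SPEC ($1) in the listing on stdin.
# 0-based is inferred from the report: "-x 3" removed user:10003, the fourth entry.
# Returns 1 if SPEC is absent, 2 if it appears more than once.
acl_index_of() {
    acl_entries | awk -v spec="$1" '
        $0 == spec { hit = NR - 1; hits++ }
        END { if (hits == 1) { print hit; exit 0 }
              exit (hits ? 2 : 1) }'
}

# Succeed only if AFTER ($3, file) equals BEFORE ($2, file) minus the one SPEC ($1).
acl_removal_ok() {
    want=$(acl_entries < "$2" | awk -v spec="$1" '$0 != spec')
    got=$(acl_entries < "$3")
    [ "$want" = "$got" ]
}

# Usage on a TrueNAS host (not run here), using only the index form that the
# report found to work:
#   spec='user:10003:rwx-----------:-------:allow'
#   nfs4xdr_getfacl x > before.txt
#   idx=$(acl_index_of "$spec" < before.txt) && nfs4xdr_setfacl -x "$idx" x
#   nfs4xdr_getfacl x > after.txt
#   acl_removal_ok "$spec" before.txt after.txt || echo "ACL changed unexpectedly" >&2
```

Saving the listing before the change also leaves a copy of the full ACL to restore from if entries are lost.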
 