Can I disable current ACL behaviour?

Daisuke

Contributor
Joined
Jun 23, 2011
Messages
1,041
I created a userid 1000 which I have assigned to 2 datasets, /mnt/default/media and /mnt/default/software. Everything is set to default install settings, this is a fresh install, I just transferred some data with rsync from a different NAS.


Code:
# id user10
uid=1000(user10) gid=1000(user10) groups=1000(user10)

root@uranus[/mnt/default]# ls -lah
total 39K
drwxr-xr-x  4 root   root  4 Apr 27 12:11 .
drwxr-xr-x  4 root   root  4 May 19 03:05 ..
drwxr-xr-x 13 user10 root 13 Apr 29 03:02 media
drwxr-xr-x  9 user10 root 10 Jun  7 20:43 software

root@uranus[/mnt/default]# getfacl software/config
# file: software/config
# owner: user10
# group: user10
user::rwx
user:user10:rwx
group::r-x
group:user10:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:user10:rwx
default:group::rwx
default:group:user10:rwx
default:mask::rwx
default:other::r-x

root@uranus[/mnt/default]# ls -lah software/config
total 57K
drwxr-xr-x 3 user10 user10 3 Jun  7 22:29 .
drwxr-xr-x 9 user10 root   9 Jun  7 22:29 ..
drwxr-xr-x 3 user10 user10 3 Jun  7 21:59 plex

root@uranus[/mnt/default]# setfacl -bnR .
root@uranus[/mnt/default]# getfacl software/config
# file: software/config
# owner: user10
# group: user10
user::rwx
group::r-x
other::r-x

root@uranus[/mnt/default]# ls -lah software/config
total 57K
drwxr-xr-x 3 user10 user10 3 Jun  7 22:29 .
drwxr-xr-x 9 user10 root   9 Jun  7 22:29 ..
drwxr-xr-x 3 user10 user10 3 Jun  7 21:59 plex


Every time I create a new directory inside /mnt/default, an ACL is attached to it. How can I stop this behaviour? By default, the correct permissions are attached to the new directory, user10 owns it. For example, when I create the /mnt/default/software/config/test directory through an SMB mount, it attaches an ACL to it:
Code:
user10@uranus:/$ ls -lah /mnt/default/software/config/test
total 38K
drwxrwxr-x+ 2 user10 user10 2 Jun  7 22:42 .
drwxr-xr-x  4 user10 user10 4 Jun  7 22:42 ..

user10@uranus:/$ getfacl /mnt/default/software/config/test
getfacl: Removing leading '/' from absolute path names
# file: mnt/default/software/config/test
# owner: user10
# group: user10
user::rwx
user:user10:rwx
group::r-x
group:user10:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:user10:rwx
default:group::rwx
default:group:user10:rwx
default:mask::rwx
default:other::r-x


If I cannot disable the current ACL behaviour, if I set it recursively through console, will it persist through a reboot?
 

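Added example (not part of the original thread): a small Python parser for `getfacl` text that reports whether an ACL goes beyond the plain mode bits and reproduces the permission string `ls` prints, using the entries from the `test` directory in the post above as sample input. The function names are this example's own.

```python
import re

# Sample: ACL entries from the getfacl output for .../config/test in the post above.
SAMPLE = """\
# file: mnt/default/software/config/test
user::rwx
user:user10:rwx
group::r-x
group:user10:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:user10:rwx
default:group::rwx
default:group:user10:rwx
default:mask::rwx
default:other::r-x
"""

ENTRY = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([r-][w-][x-])")

def parse_getfacl(text):
    """Return (access, default) lists of (tag, qualifier, perms) tuples."""
    access, default = [], []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # '# file:' style comment lines and blanks do not match
            (default if m.group(1) else access).append(m.group(2, 3, 4))
    return access, default

def is_extended(access, default):
    """True when the ACL holds more than the three mode-bit entries."""
    named = any(q or tag == "mask" for tag, q, _ in access)
    return named or bool(default)

def ls_mode(access, default):
    """Permission string as ls prints it: the group column shows the mask if one exists."""
    base = {tag: p for tag, q, p in access if not q}
    group_class = base.get("mask", base["group"])
    plus = "+" if is_extended(access, default) else ""
    return base["user"] + group_class + base["other"] + plus

def effective(access):
    """Owning-group and named entries after the mask is applied."""
    mask = next((p for tag, q, p in access if tag == "mask"), "rwx")
    return {f"{tag}:{q}": "".join(a if a == b else "-" for a, b in zip(p, mask))
            for tag, q, p in access if tag == "group" or (tag == "user" and q)}
```

For the sample, `ls_mode` yields `rwxrwxr-x+`, matching the `drwxrwxr-x+` listing for `test`; the three entries left after `setfacl -bnR` yield `rwxr-xr-x` with no `+`.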

Daisuke

@anodos I do write data through SMB from my Mac, as I store photos and videos taken with my Sony camera into nas. rsync was a one time thing, but this is the command I use (transfer from old to new nas):
Code:
rsync -pavW --progress user10@nas:/mnt/default/media/Photos* /mnt/default/media/


There are no ACLs present in the new /mnt/default/media/Photos, I did a check after the rsync transfer. Only when I create something through the SMB mount from my Mac do I see ACLs defined. If I create a directory or file while directly logged into the NAS through ssh, there are no ACLs defined.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Yeah, that's expected behavior over an SMB share. This is not a simple rsync since you're going through an SMB client that is converting POSIX permissions into an SMB ACL before sending it to the SMB server. It's not peeking behind the curtain and sending a direct chmod request. We convert the NT ACL we receive into something sensible for the local FS. There's a checkbox for the SMB share to disable NT ACL support basically, but this also means that rsync can't preserve your original permissions (instead things will be written according to samba's create mask and directory mask). If you really need to preserve exactly the permissions that were on the origin FS, then you should probably use the rsync protocol.
 

anodos

Alternatively, you can set an appropriate ACL on the share in question and let the files inherit it as they are copied over. NFSv4 ACL type is probably most intuitive for this. Add some groups, grant them permissions, choose "BASIC: INHERIT" flags and write away.
 

anodos

TL;DR, permissions over the SMB protocol are basically NT ACLs (with the exception of using SMB1 POSIX extensions, special NFS ACEs through Apple SMB extensions). When you're writing files with an application that wants to sync permissions it has to go through the following process:

1) client converts local FS permissions to an NT ACL
2) client sends NT ACL to server
3) server converts NT ACL to an appropriate equivalent on the local FS

Really the only way to faithfully write an NT ACL to a local fs is to use either a native ZFS ACL (NFSv4-style) or a combination of POSIX ACL and xattr (if acltype is POSIX).

Once again, though, this does not pose a significant problem if you adjust to the mindset that you need to think through your share permissions and treat access to our SMB server like you would if you were performing rsync to a Windows server.
 

Daisuke

anodos said: "There's a checkbox for the SMB share to disable NT ACL support"
Right now I run the following SMB settings and ACL set to POSIX:

Can I safely set the ACL type to Off? I get some warnings about the destructive nature of this change. Will this prevent ACLs from being added to each file/directory? I only access the NAS files from my Mac.
 

anodos


It basically turns off ACL support at the dataset level. You will also need to turn it off within the SMB share (there is a checkbox for this). Note that your SMB client will effectively lose the ability to make any permissions changes over the SMB protocol at this point.

This is not guaranteed to work properly with all combinations of potential options (since some of these rely on 3rd party modules properly handling ACLs being disabled). The `acl` checkbox was added per customer request for a specific use-case.
 

Daisuke

anodos said: "You will also need to turn it off within the SMB share (there is a checkbox for this)"
You mean to set it to inherit, for any sub-datasets? I cannot see any option in the SMB service, I attached the screenshots. The service has the Apple SMB2/3 protocol extensions enabled. On my Mac I don't do anything, it will automatically detect the SMB share and add it to Finder. Then, I enter the username and password I assigned to NAS userid 1000, which is the same userid I use to log in to my Mac.
 