Difficulty setting ACLs on the .zfs directory?

[Stilez]

I have a Samba share with ACLs used to control access to the files. There are two groups - let's call them "ordinary" and "admin" users - I want the admin users to be able to see and browse certain old snapshots, which I've set to be shown by default in ZFS properties, and removed from veto files in Samba (along with allowing wide links=yes in case it's a mountpoint issue). Right now the .zfs dir does show up (for all users) - but I can't use it over Samba because of two issues:

1. Cannot traverse even though permissions say it should be possible: getfacl shows that classical Unix permissions for all users include "r-x" on .zfs and .zfs/dataset, which should make .zfs and .zfs/snapshot traversable by anyone, but they don't seem to be traversable via Samba, even for users who can traverse and browse all other dirs in the share.
2. Difficulty setting ACLs on the .zfs dir: getfacl shows that I have ACLs set on the dataset itself, and on various dataset/.zfs/snapshot/{snapname} directories, but returns "Operation not permitted" when I try and set them on .zfs or .zfs/snapshot itself.

I need to get ACLs on the .zfs directory at a minimum, and to get permitted users able to browse it. What exactly is getfacl complaining about, and how can I work around it?

(As an aside, setfacl also - probably more reasonably :D - won't let me change ACLs on individual dataset/.zfs/snapshot/{snapname} directories, which stops me from fixing older snapshots created before I got ACLs set up. If I really want to fix the last of these in future, is there anything short of restoring each snap to a new pool one at a time, fixing ACLs, and resnapshotting on the new pool with the old name, that'll do it?)

Relevant getfacl results:

# file: /mnt/mypool/data/dataset1
# owner: root
# group: share_users
group:share_users_denied_access:rwxpDdaARWcCo-:fd-----:deny
owner@:rwxpDdaARWcCo-:fd-----:allow
group@:rwxpDdaARWcCo-:fd-----:allow

# file: /mnt/mypool/data/dataset1/.zfs/
# owner: root
# group: wheel
user::r-x
group::r-x
other::r-x

# file: /mnt/mypool/data/dataset1/.zfs/snapshot/
# owner: root
# group: wheel
user::r-x
group::r-x
other::r-x

# file: /mnt/mypool/data/dataset1/.zfs/snapshot/manual-snap_2018.03.04-04.45.00
# owner: root
# group: share_users
group:share_users_denied_access:rwxpDdaARWcCo-:fd-----:deny
owner@:rwxpDdaARWcCo-:fd-----:allow
group@:rwxpDdaARWcCo-:fd-----:allow

 

[m0nkey_]

Do not touch the .zfs directory.

The .zfs directory can be used by the previous versions (shadow copies) functionality: http://doc.freenas.org/11/sharing.html#configuring-shadow-copies

 

[Stilez]

Do not touch the .zfs directory.
The .zfs directory can be used by the previous versions (shadow copies) functionality: http://doc.freenas.org/11/sharing.html#configuring-shadow-copies

I am appreciative of the attempt to help, but I can't agree with you either as to safety, or alternatives:

1. This just cannot be technically correct as it's not required for data integrity/safety. .zfs is a container for mountpoints, the mounted objects are immutably read-only, ZFS doesn't need or have write permissions on the folder, at the absolute worst, care might be needed so that permissions don't restrict system processes reading/traversing the dir, but ACLs that only allow/deny ordinary user login accounts just aren't at all likely to be an issue, much less a severe issue.
2. Previous Versions/shadow_copy2 is not a good substitute for the functionality. It simply cannot find a file across uncertain locations or by searching on properties or regex name, rather than an exact single specific path. Wrong tool for all but simplest use-case. File search = right tool. Works in CLI, so harmless. Try over Samba = some unexplained error.
3. There are valid cases where it's useful to allow some users to browse/search broadly across snapshots, but prohibit others. The first of these follows from #2, the second follows from the fact that whenever some users might find a given access useful, it's quite possible there are other users who shouldn't have it.

First, there's absolutely no technical reason why these files cannot also be accessed by ordinary browsing in Samba, given that I can do it via the CLI (requires read/traverse only). It would be very helpful to be able to do it via Samba and not have to SSH in and drop into CLI for the task. So asking why a directory with world-permissions "r-x" is traversable in CLI but not in Samba (even with "wide links=yes" and veto files empty) seems completely reasonable.

There is really no obvious technical reason why one "shouldn't touch" .zfs to the extent of placing user/group ACLs on it, other than "most users shouldn't do things at this level". /.zfs/ doesn't have any write access in classic permissions. So the absolute worst that could happen is that some part of the system couldn't read/traverse them, which seems unlikely at best and is clearly trivially fixed/reversed at worst (if an ACL is capable of blocking something then clearly removing the ACL or granting an ACL permission is capable of restoring it to normality), but the basic concern seems unlikely. The snaps themselves are immutable-read-only so nothing done to a snapshot's mountpoint's grandparent folder will affect them. If there is some specific core functionality which would break if ACLs affecting a GUI-defined user - but not blocking system accounts - were set on .zfs, I'd be curious what it is.

Your last comment is more about tool suitability. "Previous Versions" is an extremely poor substitute. It works well, if you want a specific version of the file/folder with a specific path. It simply cannot do the job at all, if you need to do a search - especially a complex search. (For example, when one doesn't know where the desired previous version is, and perhaps there are multiple possible copies in different locations to be collated, or one wishes to pull a selection of files that meet certain criteria). Some examples: suppose you're trying to find any historic version of IMG_12345.jpg/jpeg (can't be sure which!) which was >= 1280x1024 pixels, and with luck was left in some folder or in .recycle when the original was lost. Or suppose you want to know what versions of a file you've ever had (CLI equivalent: find -x share -iregex 'pattern' -ls -exec sha1 {} \; > output.txt and then remove any duplicate hash entries). Suppose you even have an exact path (helpful!) but you want to find any old version of the file that had specific text such as a given sentence, expression or content-regex. Using a file search works for all of those, using previous versions is a dead loss. On CLI I can search through all versions current and snapshot, in any location, if needed - then come back in the morning, and it's found. With >2m files on the NAS from over 30 years and >1k snapshots, I've had to do that for important old files more than once, since files and folders moved around a lot over the decades. I'd like this to be possible via Windows based file search software, which it could trivially do... if .zfs were not having traversal issues.

 

[m0nkey_]

I don't think it's even possible to modify the ACLs on the .zfs directory. I suggested the previous versions method as it's already baked into FreeNAS and ready to use.

Looks like some work has been done on what you require: https://redmine.ixsystems.com/issues/27255

 

[Stilez]

I don't think it's even possible to modify the ACLs on the .zfs directory. I suggested the previous versions method as it's already baked into FreeNAS and ready to use.
Looks like some work has been done on what you require: https://redmine.ixsystems.com/issues/27255

Thanks @m0nkey_ .

That's especially and most - thank you for your understanding and grace. So many people would post a bunch of defensive (the classical dysfunctional forum thread: "I want to do X" -> "You shouldn't want to do X because it's bad" -> "That's not correct" -> ).

Your post shows that you understood and just went from there, and I really appreciate it.

I'm just out the door and will look more at that bug thread later. It looks very promising, especially the post which identifies a possible fix. I can't make out the status on it, or work on it (It's closed, there's an umbrella, but is anything happening?). Can you interpret, before any more is said?

 

[m0nkey_]

I can't make out the status on it, or work on it (It's closed, there's an umbrella, but is anything happening?). Can you interpret, before any more is said?

Looks like it'll be in the 11.2 release according to this umbrella.

 

[Stilez]

Looks like it'll be in the 11.2 release according to this umbrella.

That suggests two things:

1) The PR was merged into master on 30 Jan, before 11.1-U2 was released which I'm running. So either it's not in 11.1-U2 or if it is, it's not fully fixed the samba ACL/traversal issue. Can you figure out from github's info, whether or not that specific PR was included in 11.1-U2? Also regardless, it might be best to test it on my NAS, because if 11.2/nightlies do solve it then I'm reassured and if not, I will be able to let ix know before 11.2 goes out of the door. Can you help me figure a suitable installer or nightly version that certainly has this PR in it, for testing? I'm guessing that the process would be, save my config, disconnect the usual boot drive, install latest nightly on a spare boot drive, upload my config onto the nightly install and test .zfs traversal, then simply power down and go back to my current boot drive. Is that about right? (I could rollback in boot menu but this might feel more certain of not changing anything)

There aren't a lot of things that can cause a dir not to be browseable and AFAIK I've checked the things that might be at fault. Posted an issue #29373 to ask ix to recheck.

2) Separately, I still can't see what's preventing the .zfs directory itself from accepting ACLs being set on them. It's nothing to do with Samba because it's also the case in CLI using setfacl. It's not a snapshot, nor even a snapshot mountpoint, but a snapshot's mountpoint's grandparent directory. Is /mnt/somedataset/.zfs an ordinary dir, or some kind of special ZFS-pseudo-dir, link or mountpoint, that doesn't exist or accept ACLs in the same way other dirs do? I don't know FreeBSD/ZFS/stat sufficiently to figure this out. It doesn't seem to be that .zfs is read-only, because there's a very different "dir is read-only" error if that's the problem (you can see this if you try setting ACLs on an actual snapshot). So what exactly is causing setfacl to be unable to set ACLs on it, when it can set them on pretty much all other filing system inodes/vnodes? How can this be determined?

 

[m0nkey_]

I still can't see what's preventing the .zfs directory itself from accepting ACLs being set on them.

By design, the .zfs directory is read-only and permissions are inherited by the originating file. As far as I know, it's not possible to modify the ACLs within it.

If you want to grant a user to manipulate snapshots, mount them, etc., you need to use the zfs allow command to grant that ability.

https://www.freebsd.org/doc/handbook/zfs-zfs-allow.html

 

[Stilez]

By design, the .zfs directory is read-only and permissions are inherited by the originating file. As far as I know, it's not possible to modify the ACLs within it. If you want to grant a user to manipulate snapshots, mount them, etc., you need to use the zfs allow command to grant that ability.
https://www.freebsd.org/doc/handbook/zfs-zfs-allow.html

I think this might be a misunderstanding of the issue?

zfs allow is about delegating permissions to use zfs commands that manipulate snapshots. It doesn't have anything to do (AFAIK) with permission to browse and view them ordinarily, or search files in them/view their contents, which is handled by usual file permissions (subject to the 88 character mountpoint path limit). A user who executes cd /mnt/mypool ; find . -name 'snapshot' will be able to traverse to and view the /mnt/mypool/.zfs/snapshot dir and any contents of snapshots in it, if snaps are visible in ZFS and the containing dataset is not denied by permissions. They don't need delegated permissions for that.

To recap - the issues are:

1) A user who traverse and explore via CLI/SSH, can't traverse and explore the exact same dir using Samba (even with the same user/credentials). This can be fixed as described in redmine #29381 and I can confirm it's now working fine (as an aside the missing setting was zfsacl:expose_snapdir=true), but isn't obvious since it takes quite a few settings to do it.

2) The more serious issue is that unless you can set ACLs on .zfs, you can't specify that, of all the users allowed to access a given dataset (locally, via SSH, or via any other method), some are allowed to view and traverse the .zfs and .zfs/snapshot dirs, and view the list of snapshots, while others cannot view even the snapshot names (ie cannot list the contents of /.zfs/snapshot).

The crunch-point is that since snapshots are read-only, if old snapshots don't have the desired ACLs you can't do anything about it later (except for "everyone/no-one" type solutions which isn't helpful, or rebuild the pool snapshot at a time every time ACLs change, which is unreasonable). Furthermore it means you have no granularity: you have to to expose the snaps list to everyone or no-one which is quite undesirable. The simplest solution that can work would be that authorised users are allowed to to traverse to the snapshots and list them, but unauthorised users are prohibited from traversing to the snapshots or listing the /snapshot dir contents. But if you can't set ACLs on .zfs then you can't do that either. So setting ACLs on .zfs is quite important.

 

[anodos]

@Stilez, you resolved this issue by setting the share level auxiliary parameter zfsacl:expose_snapdir = true, correct?

 

[Stilez]

@Stilez, you resolved this issue by setting the share level auxiliary parameter zfsacl:expose_snapdir = true, correct?

Yes. It was already exposing .zfs in Samba on 11.1-U2 but not letting me navigate within it or get to individual snapshots either directly or by trying traversal/symlinks (even though these were all trouble-free in CLI). Andrew Walker asked me to test that setting. Samba then not only exposed the .zfs directory but allowed me to navigate within it, and into individual snapshots.