mv'ing file disables inheritance

Status
Not open for further replies.

NamoMitK

Dabbler
Joined
Sep 3, 2015
Messages
28
I'm using CIFS and Windows permissions.

I have a folder where all of my files are downloaded to called Downloads. Permissions are set so only I (and my downloader user) have permission to use this folder. Once a download is complete it is moved automatically to another folder which has read and execute permissions for another group which access the share.

The moved file retains the permissions from the original parent and shows that Inheritance is disabled. If I move a file via Windows explorer, everything happens correctly. The issue is only when a file is moved within unix.

Any way to tell 'mv' something like "resetAcl"?? <--- made up flag....

This is what getfacl shows for a file that is 'mv' from the Downloads folder to the Movies folder.
Code:
# file: Testing10/
# owner: namomitk
# group: cifsadmins
  group@:rwxpDdaARWcCo-:fd----:allow
  owner@:rwxpDdaARWcCo-:fd----:allow


This is what getfacl shows for a file that is 'cp' and then the original is 'rm'.
Code:
# file: FolderWithCorrectPerms/
# owner: namomitk
# group: cifsadmins
  group@:rwxpDdaARWcCo-:fd----:allow
  group:cifsusers:r-x---a-R-c---:fd----:allow
  owner@:rwxpDdaARWcCo-:fd----:allow


Since this is all automated scripted plugins (I didn't write) I don't want to go mucking around and change instances of mv with a cp/rm action if I can help it.
 

solarisguy

Guru
Joined
Apr 4, 2014
Messages
1,125
In my opinion, an easy to understand workaround would be to capture ACL of a file, move the file, apply ACL at the destination.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> In my opinion, an easy to understand workaround would be to capture ACL of a file, move the file, apply ACL at the destination.

This. The problem is that many unix tools are not ACL-aware. Other alternatives are:
  • Test with mv with different datasets for the source and destination (i.e. mv /mnt/dataset1/foo /mnt/dataset2/). When you're going between datasets 'mv' automatically becomes 'cp' + 'rm' (because every dataset is a discrete filesystem).
  • Add a setfacl command to your script to add the required acl.
  • Use 'winacl' CLI tool to fix permissions after the fact.
  • Use 'mount_smbfs' to mount the destination share locally and run the script so that it goes through samba on the lo0 interface.
 

NamoMitK

Dabbler
Joined
Sep 3, 2015
Messages
28
> This. The problem is that many unix tools are not ACL-aware. Other alternatives are:
>   • Test with mv with different datasets for the source and destination (i.e. mv /mnt/dataset1/foo /mnt/dataset2/). When you're going between datasets 'mv' automatically becomes 'cp' + 'rm' (because every dataset is a discrete filesystem).
>   • Add a setfacl command to your script to add the required acl.
>   • Use 'winacl' CLI tool to fix permissions after the fact.
>   • Use 'mount_smbfs' to mount the destination share locally and run the script so that it goes through samba on the lo0 interface.

Argh .... =( Was hoping to avoid the overhead of copying large files >10GB to a different dataset.
I imagine mount_smbfs would have the same type of overhead.

Any examples of using winacl/setfacl you could provide? I've been digging around trying to figure out how I'm going to do this.

I've also thought maybe creating a wrapper for the mv command and export to path. This way it would run getfacl/setfacl or something on the file once it's moved to that folder using a Sample file with the right perms.
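
The setfacl step and the mv wrapper discussed in the posts above, sketched as an added example that is not code from any poster. It assumes FreeBSD's getfacl/setfacl with NFSv4 ACLs in the text form shown in the thread, handles regular files only, and the function names and the "Movies/" sample are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes FreeBSD getfacl/setfacl and
# NFSv4 ACEs in the "who:perms:flags:type" form shown in the posts above.

# Constructed sample: getfacl output for a destination folder (hypothetical
# "Movies/"), plus one directory-only ACE that a file must not pick up.
sample_dest_acl() {
    cat <<'EOF'
# file: Movies/
# owner: namomitk
# group: cifsadmins
  group@:rwxpDdaARWcCo-:fd----:allow
  group:cifsusers:r-x---a-R-c---:fd----:allow
  owner@:rwxpDdaARWcCo-:fd----:allow
  everyone@:------a-R-c---:-d----:allow
EOF
}

# Read a directory's getfacl output on stdin; print the ACEs flagged
# file_inherit (f), with the f/d/i/n inheritance flags cleared so the
# entries can be applied to a regular file.
inheritable_file_aces() {
    awk '{
        sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
        if ($0 == "" || substr($0, 1, 1) == "#") next   # header or blank
        n = split($0, f, ":")
        if (n < 4) next
        flags = f[n-1]
        if (index(flags, "f") == 0) next                # not inherited by files
        gsub(/[fdin]/, "-", flags)
        who = f[1]
        for (i = 2; i <= n - 3; i++) who = who ":" f[i] # e.g. group:cifsusers
        print who ":" f[n-2] ":" flags ":" f[n]
    }'
}

# mv_inherit FILE DESTDIR (hypothetical wrapper): rename the file, then merge
# the destination folder's file-inheritable ACEs into the ACL it kept.
mv_inherit() {
    dst="$2/$(basename "$1")"
    tmp=$(mktemp) || return 1
    mv "$1" "$2/" && getfacl "$2" | inheritable_file_aces > "$tmp"
    rc=$?
    if [ "$rc" -eq 0 ] && [ -s "$tmp" ]; then
        setfacl -M "$tmp" "$dst"; rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Because `setfacl -M` merges, an ACE the file carried over from the source folder that the destination does not define stays on the file, so check the result with getfacl.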
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Argh .... =( Was hoping to avoid the overhead of copying large files >10GB to a different dataset.
> I imagine mount_smbfs would have the same type of overhead.
>
> Any examples of using winacl/setfacl you could provide? I've been digging around trying to figure out how I'm going to do this.
>
> I've also thought maybe creating a wrapper for the mv command and export to path. This way it would run getfacl/setfacl or something on the file once it's moved to that folder using a Sample file with the right perms.

Perhaps we can try attacking this from another angle.

(1) add an ACE on the source share for "cifsusers" with read and execute permissions
then
(2) add the following auxiliary parameter to your share config for the source share: "valid users = @cifsadmins"

The "valid users" parameter overrides the ACLs that you set on the share.
 