"no inherit" notion

Paul042020

Contributor
Joined
May 4, 2020
Messages
119
Hello,

I'm looking for a little explanation about the "no inherit" parameter when configuring ACLs.
I have done many tests and spent a lot of time to understand how ACLs work and how to set them on my SMB share.
However, I have some difficulties with the "inherit / no inherit" notion.
I understand that when you set the flag to "no inherit" on an ACL (group or user), the permissions of this group/user are not reflected on any new file or directory.
What I don't understand is in which case to use this feature?
Do you have a typical application example(s)?

Indeed, if we give permissions to a user or group in a share, why would we not want to extend them to the files / directories in that share? It's like giving him permissions on one side and taking them away on the other.
I have a little trouble with this notion.

Regards
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
What if you have something like following two datasets mounted at following paths:

/mnt/dozer/SHARE
/mnt/dozer/SHARE/interns

You want to grant access for interns to read the contents of /mnt/dozer/SHARE/interns, but not have the possibility of granting inadvertent access to any new files created in /mnt/dozer/SHARE.

In this case, you'd grant 'interns' TRAVERSE permissions with NOINHERIT on /mnt/dozer/SHARE, and then MODIFY with INHERIT on /mnt/dozer/SHARE/interns.

Or in general the same use-case where you do the same in Windows. The concept / implementation of ACL inheritance has been around for as long as filesystem ACLs have existed IIRC.
 

Paul042020

Contributor
Joined
May 4, 2020
Messages
119
Hello,
Thank you, I understand this typical application case. It is already clearer.
I have not been confronted with this configuration of dataset in dataset. All my datasets are in the root of the pool.

For example in Truenas, the pre-configured ACL "HOME" is defined as follows:
  • owner@ : allow - full control - inherit
  • group@ : allow - modify - no inherit
  • everyone@ : allow - traverse - no inherit

I now understand the "everyone" line, but I don't understand the "group@" line.
And I even find it dangerous, because here I did a test:
  • Dataset name : Home
  • Mode ACL : restricted
  • Case sensitivity : insensitive
  • owner user : gabin
  • owner group : cook
  • ACL preset "home" (see permissions above)
The "cook" group members:
  • "dad" user
  • "mom" user
  • "gabin" user

Experiment and results:
I logged in with each user (gabin, dad, mom). Each user has created a file.
None of the users see the files created by the other users.
Next:
the user "gabin" created the file "toto.txt" with the content "%%%".
When I connect with the user "dad", I do not see the file "toto.txt". The user "dad" can also create a file "toto.txt" with the content "###" without the system informing the user that a file with the same name already exists.
When I connect again with the user "gabin", the file "toto.txt" has disappeared, it does not exist anymore.
In fact, the file "toto.txt" created by the second user (dad) has replaced the file "toto.txt" initially created by "gabin".

The pre-configured "Home" ACL may be intended for a particular use (other than this one), but I don't understand the "no inherit" value set on the owner group.

Regards
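To make the inherit / no inherit difference concrete for both the interns layout above and the HOME preset in this post, here is an added Python model (not from the thread or from TrueNAS) that computes which ACL entries a new file receives and then evaluates access. The users ann and boss and the group staff are made up, permission sets are simplified, and the create-mode bits ZFS also applies are ignored.

```python
# Added model (not TrueNAS code): NFSv4-style ACL inheritance with simplified
# permission sets; ZFS also folds the create-mode bits in, which is ignored here.
from dataclasses import dataclass

TRAVERSE = {"read", "execute"}
MODIFY = TRAVERSE | {"write", "delete", "delete_child"}
FULL = MODIFY | {"write_acl", "write_owner"}

@dataclass
class Ace:
    who: str        # "owner@", "group@", "everyone@", "u:<name>" or "g:<name>"
    perms: set
    inherit: bool   # True = inherit (file + dir inherit), False = no inherit

def new_child_acl(parent_acl):
    """ACL a newly created file or directory receives: only inherit-flagged entries."""
    return [Ace(a.who, set(a.perms), a.inherit) for a in parent_acl if a.inherit]

def allowed(acl, user, groups, owner, owner_group, perm):
    """Allow-only evaluation: does some ACE that matches the caller grant perm?"""
    for a in acl:
        matches = ((a.who == "owner@" and user == owner)
                   or (a.who == "group@" and owner_group in groups)
                   or a.who == "everyone@" or a.who == "u:" + user
                   or any(a.who == "g:" + g for g in groups))
        if matches and perm in a.perms:
            return True
    return False

# anodos's layout: interns TRAVERSE/no inherit on SHARE, MODIFY/inherit on SHARE/interns
SHARE = [Ace("owner@", FULL, True), Ace("g:interns", TRAVERSE, False)]
SHARE_INTERNS = [Ace("owner@", FULL, True), Ace("g:interns", MODIFY, True)]

def intern_can_read_new_file(where):
    """Can 'ann' (group interns) read a file 'boss' just created under `where`?"""
    return allowed(new_child_acl(where), "ann", {"interns"}, "boss", "staff", "read")

# The HOME preset from the thread: group@ and everyone@ entries are no inherit
HOME = [Ace("owner@", FULL, True), Ace("group@", MODIFY, False),
        Ace("everyone@", TRAVERSE, False)]

def dad_vs_gabins_file():
    """Dataset owned by gabin:cook; gabin creates toto.txt; what can dad (cook) do?"""
    toto = new_child_acl(HOME)   # only owner@ survives, and owner@ is gabin
    dad = ("dad", {"cook"}, "gabin", "cook")
    return {
        "create_in_dataset": allowed(HOME, *dad, "write"),
        "replace_entries": allowed(HOME, *dad, "delete_child"),
        "read_toto": allowed(toto, *dad, "read"),
    }
```

The model reproduces the two observations: a member of interns reads nothing new under SHARE but everything new under SHARE/interns, and under the HOME preset dad can still write into the dataset and replace entries while gabin's new file carries no group@ entry for him to read.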
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
This is specifically for SMB homes shares. pam_mkhomedir automatically generates subdirectories under this path and SMB access is basically chrooted into it. The mkdir op is performed as the user and so he or she needs write access to the parent dir.