SMB share and inherited ACLs

bozho

Dabbler
Joined
Jan 2, 2019
Messages
19
Hi all,

I'm still learning about FreeNAS and I have the following scenario that I'm trying to figure out.

I've created a local user, bozho - mainly for non-root SSH access to FreeNAS and jails. The user is a member of bozho and wheel groups.

For testing purposes, I've created a dataset, test, with Windows permissions and created an SMB share with defaults. Running getfacl on it returns this (as expected):
Code:
# file: test
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow


Since the user bozho is a member of the group wheel, I can connect from Windows and create a file there. Running getfacl on it returns (again, as expected):
Code:
# file: test/a.txt
# owner: bozho
# group: wheel
            owner@:rwxpDdaARWcCos:------I:allow
            group@:rwxpDdaARWcCos:------I:allow
         everyone@:r-x---a-R-c---:------I:allow


When I touch a file as root over SSH, the file has these permissions:
Code:
# file: test/b.txt
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:------I:allow
            group@:rwxpDdaARWcCos:------I:allow
         everyone@:r-x---a-R-c---:------I:allow


If I use Windows Explorer to add explicit full permissions to the user bozho on the test share and run getfacl again on both the directory and the files, I get these:
Code:
# file: test
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCo-:fd-----:allow
            group@:rwxpDdaARWcCo-:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow
        user:bozho:rwxpDdaARWcCo-:fd-----:allow

# file: test/a.txt
# owner: bozho
# group: wheel
         user:root:rwxpDdaARWcCo-:------I:allow
            group@:rwxpDdaARWcCo-:------I:allow
         everyone@:r-x---a-R-c---:------I:allow
            owner@:rwxpDdaARWcCo-:------I:allow

# file: test/b.txt
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCo-:------I:allow
            group@:rwxpDdaARWcCo-:------I:allow
         everyone@:r-x---a-R-c---:------I:allow
        user:bozho:rwxpDdaARWcCo-:------I:allow


It looks like if I'm setting explicit permissions for a user and that user is the owner of a file, the explicit ACL does not get set.

If I create another file after setting the explicit user permission on the share, it gets the expected permissions:
Code:
# file: test/c.txt
# owner: bozho
# group: wheel
            owner@:rwxpDdaARWcCo-:------I:allow
            group@:rwxpDdaARWcCo-:------I:allow
         everyone@:r-x---a-R-c---:------I:allow
        user:bozho:rwxpDdaARWcCo-:------I:allow


If I then change ownership of a.txt to the root user, the file keeps its explicit root user permissions, but it doesn't get explicit bozho permissions:
Code:
# file: test/a.txt
# owner: root
# group: wheel
         user:root:rwxpDdaARWcCo-:------I:allow
            group@:rwxpDdaARWcCo-:------I:allow
         everyone@:r-x---a-R-c---:------I:allow
            owner@:rwxpDdaARWcCo-:------I:allow


Is that expected? Is this a Windows problem? Is this how setting ACLs is supposed to work?

If I wanted to have good control over explicit permissions, would it be a good idea to set share and file ownership to nobody:nobody by default?

Thank you!
 

bozho
It doesn't seem so.

I do get CREATOR OWNER and CREATOR GROUP entries on Windows, but the behaviour I see with a.txt is the same: if I'm adding an explicit inherited permission for bozho to the test directory, any files within already owned by me don't get the explicit ACL for bozho.

Any files created by me after adding the permission do get an explicit ACL for bozho.
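An added example, not from the thread and not FreeNAS or Samba code: a Python script that parses getfacl listings in the NFSv4 format shown in the posts and computes which permission bits a given user effectively holds on each file, following NFSv4 evaluation order (ACEs are walked top to bottom, the first matching ACE that mentions a bit decides it, deny or allow). The input is typed in from the thread's own listings of the share after full control for bozho was added from Windows Explorer; the group memberships (bozho in bozho and wheel, root in wheel) and the extra user `guest` are assumptions. Run against those listings it shows the point the posts circle around: on test/a.txt there is no user:bozho entry, yet bozho gets exactly the same bits as on test/b.txt, because owner@ resolves to the file's owner (and group@ to wheel, which bozho is also in); root, the parent's owner, shows up on that file as an explicit user:root entry instead. Whether an explicit user:NAME ACE exists is reported separately from the effective bits so the two are not confused.

```python
"""Added example (not from the thread or FreeNAS): parse FreeBSD getfacl
NFSv4 listings and compute each user's effective permission bits."""
import re
from dataclasses import dataclass, field

# Permission letters in the order getfacl prints them.
PERM_LETTERS = "rwxpDdaARWcCos"

# Constructed input: the three listings from the thread after "full control"
# for bozho was added from Windows Explorer (typed in, not read from a system).
SAMPLE_GETFACL = """\
# file: test
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCo-:fd-----:allow
            group@:rwxpDdaARWcCo-:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow
        user:bozho:rwxpDdaARWcCo-:fd-----:allow

# file: test/a.txt
# owner: bozho
# group: wheel
         user:root:rwxpDdaARWcCo-:------I:allow
            group@:rwxpDdaARWcCo-:------I:allow
         everyone@:r-x---a-R-c---:------I:allow
            owner@:rwxpDdaARWcCo-:------I:allow

# file: test/b.txt
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCo-:------I:allow
            group@:rwxpDdaARWcCo-:------I:allow
         everyone@:r-x---a-R-c---:------I:allow
        user:bozho:rwxpDdaARWcCo-:------I:allow
"""

# principal:perms:flags:type, e.g. "user:bozho:rwxpDdaARWcCo-:------I:allow"
ACE_RE = re.compile(
    r"^\s*([a-z]+@|(?:user|group):[^:\s]+)"
    r":([rwxpDdaARWcCos-]{14}):([A-Za-z-]{7}):(allow|deny)\s*$"
)


@dataclass
class Ace:
    principal: str    # owner@, group@, everyone@, user:NAME or group:NAME
    perms: frozenset  # subset of PERM_LETTERS
    flags: str        # f/d/i/n/I inheritance flags as printed by getfacl
    kind: str         # "allow" or "deny"


@dataclass
class FileAcl:
    path: str
    owner: str = ""
    group: str = ""
    aces: list = field(default_factory=list)


def parse_getfacl(text):
    """Return one FileAcl per '# file:' block in getfacl output."""
    files, cur = [], None
    for line in text.splitlines():
        if line.startswith("# file:"):
            cur = FileAcl(path=line.split(":", 1)[1].strip())
            files.append(cur)
        elif line.startswith("# owner:") and cur:
            cur.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:") and cur:
            cur.group = line.split(":", 1)[1].strip()
        elif cur:
            m = ACE_RE.match(line)
            if m:
                principal, perms, flags, kind = m.groups()
                cur.aces.append(Ace(principal, frozenset(perms.replace("-", "")), flags, kind))
    return files


def ace_applies(ace, acl, user, groups):
    """Does this ACE's principal match the requesting user?"""
    if ace.principal == "owner@":
        return user == acl.owner
    if ace.principal == "group@":
        return acl.group in groups
    if ace.principal == "everyone@":
        return True
    kind, _, name = ace.principal.partition(":")
    return name == user if kind == "user" else name in groups


def effective_perms(acl, user, groups):
    """NFSv4 evaluation: walk ACEs in order; the first matching ACE that
    mentions a bit decides it (allow or deny). Inherit-only ACEs ('i' flag)
    describe future children and are skipped for the object itself."""
    decided = {}
    for ace in acl.aces:
        if "i" in ace.flags or not ace_applies(ace, acl, user, groups):
            continue
        for p in ace.perms:
            decided.setdefault(p, ace.kind == "allow")
    return frozenset(p for p, allowed in decided.items() if allowed)


def perms_string(perms):
    """Render a permission set in getfacl's fixed-column notation."""
    return "".join(c if c in perms else "-" for c in PERM_LETTERS)


def explicit_aces_for(acl, user):
    """ACEs naming the user directly (user:NAME); owner@ does not count."""
    return [a for a in acl.aces if a.principal == f"user:{user}"]


def report(text, user, groups):
    """Per file: (effective bits for user, whether a user:NAME ACE exists)."""
    return {
        f.path: (perms_string(effective_perms(f, user, groups)),
                 bool(explicit_aces_for(f, user)))
        for f in parse_getfacl(text)
    }


if __name__ == "__main__":
    # Group memberships are assumptions based on the thread; guest is hypothetical.
    for user, groups in [("bozho", {"bozho", "wheel"}), ("root", {"wheel"}),
                         ("guest", {"guest"})]:
        for path, (bits, explicit) in report(SAMPLE_GETFACL, user, groups).items():
            print(f"{user:6} {path:12} {bits}  explicit user ACE: {explicit}")
```

The script evaluates only what the listed ACEs say. The FreeBSD/ZFS kernel additionally lets the file owner and root do some things (such as changing the ACL itself) regardless of the ACE bits, and Samba's ZFS ACL module applies its own mapping between Windows SIDs and the owner@/group@ special entries when it writes an ACL back, so treat the output as a reading of the ACL, not as an audit of what the server will actually permit.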
 