[gpfsug-discuss] Enforce ACLs

Simon Thompson S.J.Thompson at bham.ac.uk
Wed May 15 10:13:30 BST 2019 

I *think* this behaviour depends on the file set setting ..

Check what "--allow-permission-change" is set to for the file set. I think it needs to be "chmodAndUpdateAcl"

Simon

On 15/05/2019, 09:55, "gpfsug-discuss-bounces at spectrumscale.org on behalf of Philipp.Rehs at uni-duesseldorf.de" <gpfsug-discuss-bounces at spectrumscale.org on behalf of Philipp.Rehs at uni-duesseldorf.de> wrote:

    Hello,
    
    we are using GPFS 4.2.3 and at the moment we are looking into acls and
    inheritance.
    
    I have the following acls on a directory:
    #NFSv4 ACL
    #owner:root
    #group:root
    special:owner@:rwxc:allow:FileInherit:DirInherit
     (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE
    (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
     (-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH
    (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
    
    special:group@:r-x-:allow:FileInherit:DirInherit
     (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE
    (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
     (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-
    )WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
    
    special:everyone@:----:allow:FileInherit:DirInherit
     (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-
    )READ_ACL  (-)READ_ATTR  (-)READ_NAMED
     (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (-)EXEC/SEARCH (-
    )WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
    
    user:userABC:rwx-:allow:FileInherit:DirInherit
     (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE
    (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
     (X)DELETE    (X)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-
    )WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
    
    
    
    Then the user creates a new folder in this directory and it does not
    get the same acl but normal unix permissions.
    Is there any way to enforce the new permissions from the parent?
    
    Kind regards
     Philipp
    
    -- 
    Heinrich-Heine-Universität Düsseldorf
    Zentrum für Informations- und Medientechnologie
    Kompetenzzentrum für wissenschaftliches Rechnen und Speichern
    
    Universitätsstraße 1
    Gebäude 25.41
    Raum 00.51
    
    Telefon: +49-211-81-15557
    Mail: Philipp.Rehs at uni-duesseldorf.de

More information about the gpfsug-discuss mailing list