There are some key elements missing from the presented Oracle document clip.
e.g.

The primary rules of ACL access on a ZFS file follow:

* ZFS processes ACL entries in the order they are listed in the ACL, from
  the top down.
* Only ACL entries that have a "who" that matches the requester of the
  access are processed.
* After an allow permission has been granted, it cannot be denied by a
  subsequent ACL deny entry in the same ACL permission set.
* The owner of a file is granted the write_acl permission unconditionally,
  even if the permission is explicitly denied. Otherwise, any permission left
  unspecified is denied.
* In cases of deny permissions or when an access permission for a file is
  missing, the privilege subsystem determines what access request is granted for
  the owner of the file or for superuser. This mechanism prevents owners of files
  from getting locked out of their files and enables superuser to modify files
  for recovery purposes.

ACLs are processed primarily on the explicit entries first. Any explicit ACE
will be acted on and will override an inherited one. This follows Microsoft
defined rules for processing ACLs. The statement indicating "who" matches is
the key definition of explicit. So in the case of an inherited permission the
explicit deny will have precedence provided that there are no other explicit
allow ACEs processed before it.
http://technet.microsoft.com/en-us/library/cc783530(WS.10).aspx
-----Original Message-----
From: Gordon Ross [mailto:[email protected]]
Sent: Saturday, June 30, 2012 11:15 PM
To: Discussion list for OpenIndiana
Subject: Re: [OpenIndiana-discuss] Office apps unable to write to ZFS over CIFS
On Sat, Jun 30, 2012 at 7:00 PM, Martin Frost <[email protected]> wrote:
> Thanks to all for the replies. The Oracle Solaris documentation here:
>
> http://docs.oracle.com/cd/E19253-01/819-5461/ftyxi/index.html
>
> says:
>
> The primary rules of ACL access on a ZFS file follow:
>
> * ZFS processes ACL entries in the order they are listed
> in the ACL, from the top down.
>
> * After an allow permission has been granted, it cannot be denied
> by a subsequent ACL deny entry in the same ACL permission set.
Interesting. That's not how MS defined the ACL evaluation algorithm.
I thought the point of NFSv4/ZFS ACLs was to be Windows compatible, so I wonder
if this was an intentional difference or an accident? (bug)
--
Gordon Ross <[email protected]>
Nexenta Systems, Inc. www.nexenta.com
Enterprise class storage for everyone
_______________________________________________
OpenIndiana-discuss mailing list
[email protected]
http://openindiana.org/mailman/listinfo/openindiana-discuss
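
The ordered evaluation rules quoted from the Oracle documentation in this thread, as an added example that is not part of the original messages or of any ZFS code. It is a simplified model: the names `Ace`, `Requester` and `granted_perms` and the sample ACLs are constructed for illustration, each permission is decided by the first matching entry that mentions it, and the privilege-subsystem rule for owner and superuser is left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    who: str          # "owner@", "group@", "everyone@", "user:NAME" or "group:NAME"
    kind: str         # "allow" or "deny"
    perms: frozenset  # permission names, e.g. {"read_data", "write_data"}

@dataclass(frozen=True)
class Requester:
    user: str
    groups: frozenset

def who_matches(ace, req, owner, owning_group):
    # Only entries whose "who" matches the requester are processed.
    if ace.who == "everyone@":
        return True
    if ace.who == "owner@":
        return req.user == owner
    if ace.who == "group@":
        return owning_group in req.groups
    kind, _, name = ace.who.partition(":")
    return (kind == "user" and name == req.user) or (kind == "group" and name in req.groups)

def granted_perms(acl, requested, req, owner, owning_group):
    """Return the subset of `requested` that the ACL grants to `req`."""
    undecided, granted = set(requested), set()
    # The owner holds write_acl unconditionally, even if explicitly denied.
    if req.user == owner and "write_acl" in undecided:
        undecided.discard("write_acl")
        granted.add("write_acl")
    for ace in acl:                      # top down, in listed order
        if not who_matches(ace, req, owner, owning_group):
            continue
        hit = undecided & ace.perms
        if ace.kind == "allow":
            granted |= hit               # a later deny cannot take these back
        undecided -= hit                 # first matching entry decides each bit
    return granted                       # anything still undecided is denied

# Constructed sample: file owned by alice:staff, requester bob is in staff.
BOB = Requester("bob", frozenset({"staff"}))
ALICE = Requester("alice", frozenset({"staff"}))
ALLOW_BOB = Ace("user:bob", "allow", frozenset({"write_data"}))
DENY_STAFF = Ace("group@", "deny", frozenset({"write_data"}))
ALLOW_FIRST = [ALLOW_BOB, DENY_STAFF]
DENY_FIRST = [DENY_STAFF, ALLOW_BOB]

if __name__ == "__main__":
    for name, acl in (("allow first", ALLOW_FIRST), ("deny first", DENY_FIRST)):
        print(name, granted_perms(acl, {"write_data"}, BOB, "alice", "staff"))
```

The same two entries give opposite results depending only on their order, which is why entry order matters when auditing an ACL under these rules.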