ZFS ACL/chmod interactions in Solaris 11
Oracle finally shipped Solaris 11. I’m guessing not many will be excited about it, since Oracle isn’t (I think) trying to get mind share for Solaris 11. But I’m excited about one thing: improved interactions between ACLs and chmod in ZFS. The examples given in Oracle’s docs are instructive.
What this basically means is that a filesystem object’s mode acts as a mask on the object’s ACL, with the mask (mode) re-computed from the ACL whenever the ACL is modified, and the ACL masked whenever it is read. Changing the mode merely changes the mask and thus the effective ACL. The masking behavior is deliberately simple so as to avoid DENY ACEs, because DENY ACEs are evil: the mask simply reduces the permissions granted by ALLOW ACEs.
You might ask why DENY ACEs are evil. The answer has two parts. First, DENY ACEs with group subjects are evil because it’s difficult to ensure that all nodes where the ACL will be evaluated will see complete group memberships for the subject user; thus DENY ACEs with group subjects may fail to achieve their goal, and when they fail, they fail silently — clearly a very bad thing. Second, Windows’ ACL GUI always sorts the ACL so that DENY ACEs come first, which means that any masking algorithm that depends on interleaving ALLOW and DENY ACEs will be wrecked. In particular, if any DENY ACEs generated by a masking algorithm would deny the file’s owner access, then the situation becomes extremely confusing and painful for the user. And the Windows GUI will set the sorted ACL if you click OK! This used to be a problem with the old aclmode=groupmask behavior, which was removed by the time Solaris 11 Express shipped.
One consequence of the new aclmode=mask behavior is that changing the ACL is a lossy operation when the object’s mode has been changed to a more restrictive mode since the last time the ACL was set. What is lost are the permission bits that have been masked off by that new mode, such that changing the mode back to a more permissive mode will not restore those lost permission bits. In terms of the example given in the Oracle docs, if the ACL is modified between the chmod 640 and chmod 770 operations, then the chmod 770 operation will not restore any ACE permission bits. I think this is likely not to be a big deal for users in general. In terms that would be familiar to users accustomed to POSIX Draft ACL semantics: there is no mask entry as such; the mode acts as the mask entry, and ACL changes result in the mode being recomputed.
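To make the masking rules and the lossiness concrete, here is a small simulation of the behavior described above. This is an added example written for this post, not Oracle’s or ZFS’s own code, and it models only what the text describes: ALLOW ACEs with rwx-style permissions, a mode computed from the ACL when the ACL is set, and the ACL masked by the mode when it is read. The mapping of ACE subjects onto mode classes (owner@ to the owner bits, group@ and named user/group entries to the group bits, everyone@ to the other bits) is an assumption made for the model, as are the ACE subject `user:bob` and the base ACL used in the two scenarios.

```python
"""Simplified model of the aclmode=mask behavior described in the post.

Assumptions (this is a model, not ZFS's actual implementation):
  * only ALLOW ACEs exist, with rwx-style permissions;
  * owner@ maps to the owner bits of the mode, everyone@ to the other
    bits, and group@ plus any named user/group entry to the group bits;
  * setting the ACL recomputes the mode; reading the ACL masks it by the mode;
  * an ACL edit reads the effective ACL, changes it, and writes it back.
"""
from dataclasses import dataclass
from typing import Dict, List

R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Ace:
    who: str    # "owner@", "group@", "everyone@" or "user:<name>" (assumed syntax)
    perms: int  # rwx bits of an ALLOW ACE; the model has no DENY ACEs

    def __str__(self) -> str:
        rwx = "".join(ch if self.perms & bit else "-"
                      for ch, bit in (("r", R), ("w", W), ("x", X)))
        return f"{self.who}:{rwx}"


def _mode_class(ace: Ace) -> str:
    """Which third of the mode (owner/group/other) governs this ACE."""
    if ace.who == "owner@":
        return "owner"
    if ace.who == "everyone@":
        return "other"
    return "group"  # group@ and named user/group entries


def mode_from_acl(acl: List[Ace]) -> int:
    """Recompute the mode from the ACL: each class is the union of its ACEs."""
    bits: Dict[str, int] = {"owner": 0, "group": 0, "other": 0}
    for ace in acl:
        bits[_mode_class(ace)] |= ace.perms
    return (bits["owner"] << 6) | (bits["group"] << 3) | bits["other"]


def apply_mask(acl: List[Ace], mode: int) -> List[Ace]:
    """The effective ACL: every ALLOW ACE reduced to its class's mode bits."""
    masks = {"owner": (mode >> 6) & 7, "group": (mode >> 3) & 7, "other": mode & 7}
    return [Ace(a.who, a.perms & masks[_mode_class(a)]) for a in acl]


class MaskedFile:
    """A file whose stored ACL is masked by its mode on every read."""

    def __init__(self, acl: List[Ace]) -> None:
        self.set_acl(acl)

    def set_acl(self, acl: List[Ace]) -> None:
        self._stored = list(acl)          # the ACL as last explicitly set
        self.mode = mode_from_acl(acl)    # mode (mask) recomputed from it

    def chmod(self, mode: int) -> None:
        self.mode = mode                  # only the mask changes

    def get_acl(self) -> List[Ace]:
        return apply_mask(self._stored, self.mode)

    def add_ace(self, ace: Ace) -> None:
        # An ACL edit goes through the effective (masked) ACL, so bits the
        # current mode has masked off are dropped from the stored ACL.
        self.set_acl(self.get_acl() + [ace])


# Constructed base ACL: owner@ rwx, group@ rwx, everyone@ r-x (mode 775).
BASE_ACL = [Ace("owner@", R | W | X), Ace("group@", R | W | X), Ace("everyone@", R | X)]


def chmod_round_trip():
    """chmod 640 then chmod 770 with no ACL edit: the ACE bits come back."""
    f = MaskedFile(BASE_ACL)
    f.chmod(0o640)
    after_640 = f.get_acl()
    f.chmod(0o770)
    return after_640, f.get_acl()


def chmod_with_acl_edit_between():
    """chmod 640, edit the ACL, chmod 770: the masked-off bits are gone."""
    f = MaskedFile(BASE_ACL)
    f.chmod(0o640)
    f.add_ace(Ace("user:bob", R | X))     # constructed named-user ACE
    mode_after_edit = f.mode               # recomputed from the masked ACL
    f.chmod(0o770)
    return mode_after_edit, f.get_acl()


if __name__ == "__main__":
    for label, acl in zip(("after chmod 640", "after chmod 770"), chmod_round_trip()):
        print(label, [str(a) for a in acl])
    mode, acl = chmod_with_acl_edit_between()
    print(f"mode after ACL edit: {mode:o}", [str(a) for a in acl])
```

In the first scenario the stored ACL keeps group@ rwx, so chmod 770 restores group write and execute. In the second, the edit stores the masked ACL (group@ r--) and recomputes the mode to 650, so the later chmod 770 widens the mask but has nothing left to expose: that is the lossiness the post describes, and it is exactly how a POSIX Draft ACL behaves when its mask entry is rewritten.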
I hope users will like this new aclmode=mask setting. Users accustomed to POSIX Draft ACL semantics should feel right at home, though they’ll also note the lossiness I mention above. I’d love to get some feedback on this new feature in ZFS. I believe users will be generally happy with aclmode=mask, but I’d like to know for sure!