NFSv4 ACLs - deny owner write ACL permission

A

anodos

owner@ is always allowed to write ACLs as a foot-shooting protection mechanism. Sometimes I really want to shoot my foot.

In samba with "zfsacl" enabled and "nfs4:mode = simple", owner@ roughly corresponds with "creator-owner". There are times when I'm wearing my windows/samba admin hat that I want to limit the ability of non-admin users (including "creator-owner") to modify permissions in a share. At present, I don't believe there's a way to do this in FreeBSD, even using the command setfacl -m owner@:C:fd:deny /path/to/share

Does anyone have a workaround for this?
 
Did you ever figure out how to solve this? I am also interested in how to prevent owner@ from being able to modify ACLs. I see that this fix exists for ZFS on Solaris-based systems, however the .zfs/shares directory does not seem to exist on OpenZFS. How else can owner@ be prevented from being able to modify ACLs?
 
SirDice said:
https://docs.oracle.com/cd/E23823_01/html/819-5461/gbace.html
Click to expand...

I am aware of this, but on Solaris ZFS, you can follow these instructions to change the ACL set for everyone@ to modify_set, which prevents owners from modifying the ACLs on files they own:
Code: 
/usr/bin/chmod A=\
user:root:full_set:-------:allow,\
everyone@:modify_set:-------:allow \
/zroot/datasets/example/.zfs/shares/example

However, OpenZFS does not appear to have the .zfs/shares directory so I cannot apply this same solution on OpenZFS-based systems.


SirDice said:
Simplest solution, change the ownership of the files. If the user doesn't own the file he/she can't change the ACL.
Click to expand...

Right, but how do I allow users to create files over NFSv4 but prevent them from owning the files they create?
 
You must log in or register to reply here.
Back
Top