Posix ACLs (on ZFS) | Alt255 Blog

February 5, 2017

Posix ACLs (on ZFS)

This started out with having installed several programs within an LXC container, all running under separate user accounts that need to access a shared data pool. Growing tired of manually flipping permission bits so that the programs could all work together, I wanted a way to ensure that files created by one program could be both renamed and moved by another program (running as a different user).

Turns out that POSIX ACLs provided what I needed: going beyond the standard user/group/other UNIX permission model, POSIX ACLs allow you to define additional user or group permissions. For example, instead of giving an entire group read/write permission over a file, ACLs allow you to specify a particular user that has read/write permissions (in addition to the file owner).

In my case, I wanted all files written to a particular directory to automatically become modifiable by all users in a specific group. POSIX ACLs allow for the specification of a default directory ACL. This is different from the traditional UNIX directory sticky bit (which allows all users to create directory entries) in that you can effectively extend read/write permissions to additional users as if they were the owner.

ZFS detour

The directory where I’d like to have shared permissions is on ZFS. By default, Linux ZFS doesn’t have POSIX ACLs enabled. However, it is quick and easy to enable them.

ZFS defines ACLs on pools via the acltype property. POSIX ACLs are enabled by setting acltype=posixacl.

In reference to posixacl, the Linux zfs man page suggests:

To obtain the best performance when setting posixacl users are strongly encouraged to set the xattr=sa property.

When describing the xattr property, the ZFS man page states:

The key advantage of this type of xattr is improved performance. Storing xattrs as system attributes significantly decreases the amount of disk IO required. […] The use of system attribute based xattrs is strongly encouraged for users of SELinux or Posix ACLs. Both of these features heavily rely on xattrs and benefit significantly from the reduced xattr access time.

Improved performance? Sure, let’s sprinkle that all over the place…

Enable Posix ACLs with:

   $ zfs set xattr=sa vpool/media
   $ zfs set acltype=posixacl vpool/media

Well, that was easy.

Back to POSIX ACLs on Linux…

Make sure the acl package is installed:

$ sudo apt-get install acl

The getfacl program lists ACLs on a file or directory. For example, here we list the permissions of the current directory using ls and see the u=rwx,g=rx,o=rx permission bits.

$ ls -ld .
drwxr-xr-x 64 jburke jburke 140 Feb  4 18:02 .

getfacl gives more verbose output:

$ getfacl .
# file: .
# owner: jburke
# group: jburke
user::rwx
group::r-x
other::r-x

To give the media group read, write, and execute permissions on new directory entries automatically, we use the setfacl program:

$ setfacl -d -m g:media:rwx .

$ getfacl .
# file: .
# owner: jburke
# group: media
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:media:rwx
default:mask::rwx
default:other::r-x

Notice the default:group:media line indicating that the media group has rwx permission by default.

For my immediate goals, this was mission accomplished: new files and directories would automatically grant read/write/execute permissions to all members of the media group.

Once I was satisfied that ACLs were working as needed on my test directory, I used getfacl and setfacl to transfer the settings to another directory. One feature of setfacl is reading ACLs from stdin:

$ getfacl srcdir | setfacl -R --set-file=- dstdir

Defaults

Note that default ACLs applied to a directory do not affect contents that already exist in the directory.
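
To see which existing entries the default ACL never reached, the getfacl -R listing can be audited. The script below is an added example, not from the original post: acl_audit and sample_getfacl are hypothetical names, and the listing is constructed and trimmed (owner/group headers and the other default: lines are omitted). It reports only the named group entry, not the owning group.

```shell
# Added example. acl_audit GROUP reads `getfacl -R` output on stdin and prints
# "<path> <perms>": the named group entry ANDed with the mask, or "none".
acl_audit() {
    awk -v grp="$1" '
        function emit(   i, eff) {
            if (path == "") return
            for (i = 1; i <= 3 && perm != ""; i++)
                eff = eff (substr(mask, i, 1) == "-" ? "-" : substr(perm, i, 1))
            print path, (perm == "" ? "none" : eff)
            path = perm = mask = ""
        }
        /^# file: /          { emit(); path = substr($0, 9); next }
        /^#/ || /^default:/  { next }   # headers; defaults only shape new entries
        {
            sub(/[ \t]*#.*/, "")        # strip the #effective: notes
            if (split($0, f, ":") != 3) next
            if (f[1] == "group" && f[2] == grp) perm = f[3]
            if (f[1] == "mask") mask = f[3]
        }
        END { emit() }
    '
}
# Constructed sample: a directory given only a default ACL, a file that
# predates the default ACL, and a file created after it was set.
sample_getfacl() {
    cat <<'EOF'
# file: shared
user::rwx
group::r-x
other::r-x
default:group:media:rwx
default:mask::rwx

# file: shared/old.mkv
user::rw-
group::r--
other::r--

# file: shared/new.mkv
user::rw-
group::r-x      #effective:r--
group:media:rwx #effective:rw-
mask::rw-
other::r--
EOF
}
sample_getfacl | acl_audit media
```

On a real tree, run getfacl -R dir | acl_audit media. Entries reported as none predate the default ACL and can be brought in line with setfacl -R -m g:media:rwX dir.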
