sunhux

Solaris 10's setfacl on a ufs file gave Operation Not Applicable

https://www.experts-exchange.com/questions/23921674/set-ACL-permissions-on-directories-in-redhat-and-solaris.html

Revisiting above EE thread.  I just tested on a text file created on a ufs /var/tmp
on our Solaris 10 x86:

# setfacl -s u::7,g::4,o:0,mask:6,u:a_Unix_id:4 test.dat

test.dat: failed to set acl entries

setacl error: Operation not applicable


What's the cause?  Can provide an exact sample command including
one to be applied on a directory so that when new logfiles get created
in it, the ACL is auto-inherited.  We have no plan to use zfs.

I've given up on logging a case with Oracle for this & read various
Oracle-related links: seen mnttab & swapfs won't work but I'm on ufs:
https://it.toolbox.com/question/setacl-error-operation-not-applicable-082313

If setfacl won't work on UFS, kindly propose alternate solutions (maybe
a 3rd party freewares) that could grant fine-grained equivalent controls
on UFS files/folders.  

ACLs are supposed to fulfill 'need-to' basis or 'least privilege principle'
so that we don't have to grant an entire group read access or 'others'
(ie Everyone) read access.  Need to enable selected Oracle & web
app logfiles to be readable to certain non-root application team member
arnold

Test in sections
getfacl test.dat
Who am I
Mount , settings on the partition.

Might be misreading, but your designation for other :0 and mask::6 might be the cause of conflict or the two user designations

It might help if you say what is the ACL change you want to make.
Your setfacl is a replacement, versus modification.
You could add what you want first, then remove the ones you do not want.
After entering the below, noticed you had a typo in the o:0 as possibly the cause for the error

try the following
setfacl -s u::7,g::4,o::0 test.dat
setfacl mask:6,u:a_Unix_id:4 test.dat

try the following after the correction replacing o:0 with o::0
setfacl -s u::7,g::4,o::0,mask:6,u:a_Unix_id:4 test.dat
sunhux

ASKER

1st set of info:
-------------------
# getfacl /var/tmp/test.dat
File system doesn't support aclent_t style ACL's.
See acl(5) for more information on Solaris ACL support.
#
# getfacl /tmp/test.dat
# file: test.dat
# owner: root
# group: root
user::rw-
group::r--              #effective:r--
mask:rwx
other:r--
#
# who am i
root       pts/2        Jul 26 18:41    (172.31.7.10)
#
# mount | grep -i var
/var on rpool/ROOT/s10x_u11wos_24a/var read/write/setuid/devices/rstchown/nonbmand/exec/xattr/atime/dev=2d50003 on Mon Dec 23 07:47:55 2019
/var/run on swap read/write/setuid/devices/rstchown/xattr/dev=4d00003 on Mon Dec 23 07:47:55 2019
#
# setfacl
usage:
        setfacl [-r] -f aclfile file ...
        setfacl [-r] -d acl_entries file ...
        setfacl [-r] -m acl_entries file ...
        setfacl [-r] -s acl_entries file ...
#
# uname -a
SunOS ctgbuw01v 5.10 Generic_147148-26 i86pc i386 i86pc

===============================================

2nd set of info:
-------------------
# setfacl -s u::7,g::4,o::0 test.dat
use only 1 colon for mask and other entries.
#
# setfacl -s u:7,g:4,o:0 test.dat
Can't find colon delimiter 7

# setfacl mask:6,u:psftp:4 test.dat   <==psftp is an existing id
usage:
        setfacl [-r] -f aclfile file ...
        setfacl [-r] -d acl_entries file ...
        setfacl [-r] -m acl_entries file ...
        setfacl [-r] -s acl_entries file ...

# setfacl -s u::7,g::4,o::0,mask:6,u:psftp:4 /var/tmp/test.dat
use only 1 colon for mask and other entries.
# setfacl -s u:7,g:4,o:0,mask:6,u:psftp:4 /var/tmp/test.dat
Can't find colon delimiter 7

# setfacl -s u::7,g::4,o::0,mask:6,u:jbpsftp:4 /tmp/test.dat
use only 1 colon for mask and other entries.
# setfacl -s u:7,g:4,o:0,mask:6,u:psftp:4 /tmp/test.dat
Can't find colon delimiter 7




..tested as requested ..

sunhux

ASKER

https://docs.oracle.com/cd/E23824_01/html/821-1459/fsoverview-28729.html
Referencing above link,

# df -k |grep var
rpool/ROOT/s10x_u11wos_24a/var 205406208 13518671 76859555    15%    /var
swap                 2946100      40 2946060     1%    /var/run
# fstyp /var
fstyp: </var> not block or character special device
#
#
# grep var /etc/vfstab
... <nothing was returned> ...

# format
Searching for disks...done
AVAILABLE DISK SELECTIONS:
       0. c1t0d0 <VMware -Virtual disk   -1.0  cyl 26105 alt 2 hd 255 sec 63>
          /pci@0,0/pci15ad,1976@10/sd@0,0
Specify disk (enter its number): 0
selecting c1t0d0
[disk formatted]
/dev/dsk/c1t0d0s0 is part of active ZFS pool rpool. Please see zpool(1M).
#
# fstyp /dev/rdsk/c1t0d0s0
zfs                 <== so are we on ZFS??
#
# cat /etc/default/fs
LOCAL=ufs <== Or are we on UFS??

So which filesystem type is /var/tmp on?  Which fs type is setfacl supported??


# more /etc/vfstab
#device         device          mount           FS      fsck    mount   mount
#to mount       to fsck         point           type    pass    at boot options
#
fd      -       /dev/fd fd      -       no      -
/proc   -       /proc   proc    -       no      -
/dev/zvol/dsk/rpool/swap        -       -       swap    -       no      -
/devices        -       /devices        devfs   -       no      -
sharefs -       /etc/dfs/sharetab       sharefs -       no      -
ctfs    -       /system/contract        ctfs    -       no      -
objfs   -       /system/object  objfs   -       no      -
swap    -       /tmp    tmpfs   -       yes     -


tmp is tmpfs using the swap space.

This error is peculiar,
# getfacl test.dat
File system doesn't support aclent_t style ACL's.
See acl(5) for more information on Solaris ACL support.

https://docs.oracle.com/cd/E86824_01/html/E54776/acl-5.html

https://docs.oracle.com/cd/E23823_01/html/819-5461/gbace.html
ZFS Trivial ACL only.

if not mistaken, /etc/defaults/fs does not reflect the configured file system,
look at partitions or you only have one?
sunhux

ASKER

>look at partitions or you only have one?
Are u referring to 'df -k'?  Output as below:

# df -k
Filesystem            kbytes    used   avail capacity  Mounted on
rpool/ROOT/s10x_u11wos_24a
                     205406208 11138420 76859081    13%    /   <= this is root
/devices                   0       0       0     0%    /devices
ctfs                       0       0       0     0%    /system/contract
proc                       0       0       0     0%    /proc
mnttab                     0       0       0     0%    /etc/mnttab
swap                 2946000     996 2945004     1%    /etc/svc/volatile
objfs                      0       0       0     0%    /system/object
sharefs                    0       0       0     0%    /etc/dfs/sharetab
/usr/lib/libc/libc_hwcap1.so.1
                     87997501 11138420 76859081    13%    /lib/libc.so.1
fd                         0       0       0     0%    /dev/fd
rpool/ROOT/s10x_u11wos_24a/var
                     205406208 13518672 76859081    15%    /var  <= this is /var
swap                 2961408   16404 2945004     1%    /tmp
swap                 2945044      40 2945004     1%    /var/run
rpool/backup         205406208      63 76859081     1%    /backup
rpool/cvs            205406208 24220015 76859081    24%    /cvs
rpool/export         205406208      32 76859081     1%    /export
rpool/export/home    205406208 14114385 76859081    16%    /export/home
rpool/jrpa           205406208 58973267 76859081    44%    /jrpapp1
rpool                205406208      42 76859081     1%    /rpool


getfacl even if you did not set enhanced ACL policies, should still reflect the trivial, basic information. User, group, other mask and ownership.
Cd /
getfacl of any file there. If it is formatted as ufs, you should be able to use setfacl to set enhanced ACLs.
sunhux

ASKER


# cd /
# getfacl /nohup.out
File system doesn't support aclent_t style ACL's.
See acl(5) for more information on Solaris ACL support.
#
# getfacl nohup.out
File system doesn't support aclent_t style ACL's.
See acl(5) for more information on Solaris ACL support.
#
# ls -lad /nohup.out
-rw-------   1 root     root         187 Sep  6  2017 /nohup.out

# file /nohup.out
/nohup.out:     ascii text

# setfacl -s u::7,g::4,o::0,mask:6,u:psftp:4 /nohup.out
use only 1 colon for mask and other entries.
# setfacl -s u:7,g:4,o:0,mask:6,u:psftp:4 /nohup.out
Can't find colon delimiter 7
#




When you run getfacl the response tells you everything you need.
The filesystem does not support enhanced ACL rules, meaning it is also zfs.
Or better, not ufs or Linux.
Use format, select disk 0
Partition if not mistaken displays the partitions of the disk
sunhux

ASKER

So after displaying the partitions, how would it help?

Is there any other alternate solution / freewares that  I can use?
You are trying to implement enhanced ACL in a zfs filesystem.
Look at zfs upgrade
See which zfs filesystem you have.

Zfs upgrade -v
http://fibrevillage.com/storage/168-zfs-pool-zfs-datasets-and-zfs-volumes

Is this a VM you're using to learn?
sunhux

ASKER

I'm testing on a UAT/test VM & if it works, will want to
implement ACLs on the Production Solaris x86 on
VMs as well).

What does the following lead us to?

# zfs upgrade -v
The following filesystem versions are supported:
VER  DESCRIPTION
-----  --------------------------------------------------------
 1   Initial ZFS filesystem version
 2   Enhanced directory entries
 3   Case insensitive and File system unique identifier (FUID)
 4   userquota, groupquota properties
 5   System attributes

For more information on a particular version, including supported releases,
see the ZFS Administration Guide.

# zfs list
NAME                             USED  AVAIL  REFER  MOUNTPOINT
rpool                            123G  73.1G  42.5K  /rpool
rpool/ROOT                      23.5G  73.1G    31K  legacy
rpool/ROOT/s10x_u11wos_24a      23.5G  73.1G  10.6G  /        <==
rpool/ROOT/s10x_u11wos_24a/var  12.9G  73.1G  12.9G  /var <==
rpool/backup                      63K  73.1G    63K  /backup
rpool/cvs                       23.1G  73.1G  23.1G  /cvs
rpool/dump                      2.00G  73.2G  2.00G  -
rpool/export                    13.5G  73.1G    32K  /export
rpool/export/home               13.5G  73.1G  13.5G  /export/home
rpool/jrpa                      56.4G  73.1G  56.4G  /jrpapp1
rpool/swap                      4.25G  73.4G  4.00G  -

# zfs get all rpool/ROOT/s10x_u11wos_24a
NAME                        PROPERTY              VALUE                  SOURCE
rpool/ROOT/s10x_u11wos_24a  type                  filesystem             -
rpool/ROOT/s10x_u11wos_24a  creation              Mon Sep  4 13:32 2017  -
rpool/ROOT/s10x_u11wos_24a  used                  23.5G                  -
rpool/ROOT/s10x_u11wos_24a  available             73.1G                  -
rpool/ROOT/s10x_u11wos_24a  referenced            10.6G                  -
rpool/ROOT/s10x_u11wos_24a  compressratio         1.00x                  -
rpool/ROOT/s10x_u11wos_24a  mounted               yes                    -
rpool/ROOT/s10x_u11wos_24a  quota                 none                   default
rpool/ROOT/s10x_u11wos_24a  reservation           none                   default
rpool/ROOT/s10x_u11wos_24a  recordsize            128K                   default
rpool/ROOT/s10x_u11wos_24a  mountpoint            /                      local
rpool/ROOT/s10x_u11wos_24a  sharenfs              off                    default
rpool/ROOT/s10x_u11wos_24a  checksum              on                     default
rpool/ROOT/s10x_u11wos_24a  compression           off                    default
rpool/ROOT/s10x_u11wos_24a  atime                 on                     default
rpool/ROOT/s10x_u11wos_24a  devices               on                     default
rpool/ROOT/s10x_u11wos_24a  exec                  on                     default
rpool/ROOT/s10x_u11wos_24a  setuid                on                     default
rpool/ROOT/s10x_u11wos_24a  readonly              off                    default
rpool/ROOT/s10x_u11wos_24a  zoned                 off                    default
rpool/ROOT/s10x_u11wos_24a  snapdir               hidden                 default
rpool/ROOT/s10x_u11wos_24a  aclmode               discard                default
rpool/ROOT/s10x_u11wos_24a  aclinherit            restricted             default
rpool/ROOT/s10x_u11wos_24a  canmount              noauto                 local
rpool/ROOT/s10x_u11wos_24a  shareiscsi            off                    default
rpool/ROOT/s10x_u11wos_24a  xattr                 on                     default
rpool/ROOT/s10x_u11wos_24a  copies                1                      default
rpool/ROOT/s10x_u11wos_24a  version               5                      -
rpool/ROOT/s10x_u11wos_24a  utf8only              off                    -
rpool/ROOT/s10x_u11wos_24a  normalization         none                   -
rpool/ROOT/s10x_u11wos_24a  casesensitivity       mixed                  -
rpool/ROOT/s10x_u11wos_24a  vscan                 off                    default
rpool/ROOT/s10x_u11wos_24a  nbmand                off                    default
rpool/ROOT/s10x_u11wos_24a  sharesmb              off                    default
rpool/ROOT/s10x_u11wos_24a  refquota              none                   default
rpool/ROOT/s10x_u11wos_24a  refreservation        none                   default
rpool/ROOT/s10x_u11wos_24a  primarycache          all                    default
rpool/ROOT/s10x_u11wos_24a  secondarycache        all                    default
rpool/ROOT/s10x_u11wos_24a  usedbysnapshots       0                      -
rpool/ROOT/s10x_u11wos_24a  usedbydataset         10.6G                  -
rpool/ROOT/s10x_u11wos_24a  usedbychildren        12.9G                  -
rpool/ROOT/s10x_u11wos_24a  usedbyrefreservation  0                      -
rpool/ROOT/s10x_u11wos_24a  logbias               latency                default
rpool/ROOT/s10x_u11wos_24a  sync                  standard               default
rpool/ROOT/s10x_u11wos_24a  rekeydate             -                      default
rpool/ROOT/s10x_u11wos_24a  rstchown              on                     default
#


# zfs get all rpool/ROOT/s10x_u11wos_24a/var
NAME                            PROPERTY              VALUE                  SOURCE
rpool/ROOT/s10x_u11wos_24a/var  type                  filesystem             -
rpool/ROOT/s10x_u11wos_24a/var  creation              Mon Sep  4 13:32 2017  -
rpool/ROOT/s10x_u11wos_24a/var  used                  12.9G                  -
rpool/ROOT/s10x_u11wos_24a/var  available             73.1G                  -
rpool/ROOT/s10x_u11wos_24a/var  referenced            12.9G                  -
rpool/ROOT/s10x_u11wos_24a/var  compressratio         1.00x                  -
rpool/ROOT/s10x_u11wos_24a/var  mounted               yes                    -
rpool/ROOT/s10x_u11wos_24a/var  quota                 none                   default
rpool/ROOT/s10x_u11wos_24a/var  reservation           none                   default
rpool/ROOT/s10x_u11wos_24a/var  recordsize            128K                   default
rpool/ROOT/s10x_u11wos_24a/var  mountpoint            /var                   inherited from rpool/ROOT/s10x_u11wos_24a
rpool/ROOT/s10x_u11wos_24a/var  sharenfs              off                    default
rpool/ROOT/s10x_u11wos_24a/var  checksum              on                     default
rpool/ROOT/s10x_u11wos_24a/var  compression           off                    default
rpool/ROOT/s10x_u11wos_24a/var  atime                 on                     default
rpool/ROOT/s10x_u11wos_24a/var  devices               on                     default
rpool/ROOT/s10x_u11wos_24a/var  exec                  on                     default
rpool/ROOT/s10x_u11wos_24a/var  setuid                on                     default
rpool/ROOT/s10x_u11wos_24a/var  readonly              off                    default
rpool/ROOT/s10x_u11wos_24a/var  zoned                 off                    default
rpool/ROOT/s10x_u11wos_24a/var  snapdir               hidden                 default
rpool/ROOT/s10x_u11wos_24a/var  aclmode               discard                default
rpool/ROOT/s10x_u11wos_24a/var  aclinherit            restricted             default
rpool/ROOT/s10x_u11wos_24a/var  canmount              noauto                 local
rpool/ROOT/s10x_u11wos_24a/var  shareiscsi            off                    default
rpool/ROOT/s10x_u11wos_24a/var  xattr                 on                     default
rpool/ROOT/s10x_u11wos_24a/var  copies                1                      default
rpool/ROOT/s10x_u11wos_24a/var  version               5                      -
rpool/ROOT/s10x_u11wos_24a/var  utf8only              off                    -
rpool/ROOT/s10x_u11wos_24a/var  normalization         none                   -
rpool/ROOT/s10x_u11wos_24a/var  casesensitivity       mixed                  -
rpool/ROOT/s10x_u11wos_24a/var  vscan                 off                    default
rpool/ROOT/s10x_u11wos_24a/var  nbmand                off                    default
rpool/ROOT/s10x_u11wos_24a/var  sharesmb              off                    default
rpool/ROOT/s10x_u11wos_24a/var  refquota              none                   default
rpool/ROOT/s10x_u11wos_24a/var  refreservation        none                   default
rpool/ROOT/s10x_u11wos_24a/var  primarycache          all                    default
rpool/ROOT/s10x_u11wos_24a/var  secondarycache        all                    default
rpool/ROOT/s10x_u11wos_24a/var  usedbysnapshots       0                      -
rpool/ROOT/s10x_u11wos_24a/var  usedbydataset         12.9G                  -
rpool/ROOT/s10x_u11wos_24a/var  usedbychildren        0                      -
rpool/ROOT/s10x_u11wos_24a/var  usedbyrefreservation  0                      -
rpool/ROOT/s10x_u11wos_24a/var  logbias               latency                default
rpool/ROOT/s10x_u11wos_24a/var  sync                  standard               default
rpool/ROOT/s10x_u11wos_24a/var  rekeydate             -                      default
rpool/ROOT/s10x_u11wos_24a/var  rstchown              on                     default
#



The docs on ACL's on ZFS.
https://docs.oracle.com/cd/E18752_01/html/819-5461/ftyxi.html

Your aclmode is discard...
rpool/ROOT/s10x_u11wos_24a/var  aclmode               discard                default

discard – All ACL entries are removed except for the entries needed to define the mode of the file or directory.
You may want groupmask, or passthrough.
(See: https://docs.oracle.com/cd/E18752_01/html/819-5461/gbacb.html#gbaax )

Also u option  needs a username so u::..) same for group with groupname (g::) other has no name association so: o:, same for mask:
try: setfacl -s u::7,g::4,o:0,mask:6,u:psftp:4 /nohup.out
To set the file owner user access to: rwx (u::7). file owner group r (g::4) and psftp user to r as well (u:psftp:4), with no access for other (o:0) and mask to rw (mask:6).
Use getfacl on any file on the production environment to see whether it has enhanced ACL even available inte....
@arnold it has been provided:  from (https://www.experts-exchange.com/questions/29189577/Solaris-10's-setfacl-on-a-ufs-file-gave-Operation-Not-Applicable.html#a43129270)
1st set of info:
-------------------
# getfacl /var/tmp/test.dat
File system doesn't support aclent_t style ACL's.
See acl(5) for more information on Solaris ACL support.
#
# getfacl /tmp/test.dat
# file: test.dat
# owner: root
# group: root
user::rw-
group::r--              #effective:r--
mask:rwx
other:r--
#


Hence the earlier advice to modify aclmode from discard to at least groupmask.
sunhux

ASKER

Noci, below is the result:
# setfacl -s u::7,g::4,o:0,mask:6,u:psftp:4 /nohup.out
/nohup.out: failed to set acl entries
setacl error: Operation not applicable

Let me know what's next to test or if there's alternate
freewares for Solaris 10 x86 equivalent of ACL
Correct:   you disabled ACL's (aclmode=discard) on the zfs (not ufs) volume.

so  setfacl -s u::7,g::4,o:0,mask:6 /nohup.out might work (not sure if mask is considered part of a more elaborate ACL..)
setfacl -s u::7,g::4,o:0 /nohup.out  should work.

i think you need aclmode=passthrough for different usernames, although aclmode=groupmask may work.
(I have no access to solaris systems anymore, so i can't verify, Oracle declared Solaris dead a few years ago so workload has been moved elsewhere).

@noci,

Please note the asker is testing using Setfacl for a purpose to later on use in production.
This is why I asked whether the existing production environment has enhanced ACL available there or the same process to enable ACL in this test has to be expanded and implemented on the production side.
sunhux

ASKER

# pwd
/
# ls -lad /nohup.out
-rw-------   1 root     root         187 Sep  6  2017 /nohup.out
# setfacl -s u::7,g::4,o:0,mask:6 /nohup.out
/nohup.out: failed to set acl entries
setacl error: Operation not applicable

# setfacl -s u::7,g::4,o:0,mask:6 /nohup.out
/nohup.out: failed to set acl entries
setacl error: Operation not applicable
#
# pwd
/
# ls -lad /nohup.out
-rw-------   1 root     root         187 Sep  6  2017 /nohup.out
# setfacl -s u::7,g::4,o:0,mask:6 /nohup.out
/nohup.out: failed to set acl entries
setacl error: Operation not applicable
#
#
# setfacl -s u::7,g::4,o:0 /nohup.out
/nohup.out: failed to set acl entries
setacl error: Operation not applicable



sununix, are you doing this on the test system or on the production?
The prior posts and Noci's pointed out the system on which you are running, acl is disabled on the ZFS.
If memory serves, I think this is your test system.
Confirm using getfacl which will not make any changes it will just confirm whether ACL is available on the production system where you wish to implement these after your tests.

getfacl merely checks the file permissions including extended information of a file.

The point of this question is not to go down a rabbit hole where the environment might not allow/permit the ZFS change needed to use extended/enhanced ACLs.
sunhux

ASKER

@arnold,  I only have access to UAT/test Solaris systems & all
outputs I've posted all these while is from the UAT VM.  

Colleague who has access to Production told me the UAT & Prod's
Solaris  settings are the same.

>Confirm using getfacl
I've been issuing getfacl in above postings & yes, I'm fully aware
getfacl will not make any change to the system.


>you disabled ACL's (aclmode=discard) on the zfs (not ufs) volume.
So do advise the exact commands/steps to enable ACL on zfs
SOLUTION
arnold

sunhux

ASKER

Even after changing the aclmode from 'discard' to 'passthru', still getting
the messages posted (in earlier threads) when issuing  setfacl & getfacl:

# zfs list
NAME                             USED  AVAIL  REFER  MOUNTPOINT
rpool                             123G  73.0G  42.5K  /rpool
rpool/ROOT                      23.5G  73.0G    31K  legacy
rpool/ROOT/s10x_u11wos_24a      23.5G  73.0G  10.6G  /
rpool/ROOT/s10x_u11wos_24a/var  12.9G  73.0G  12.9G  /var
rpool/backup                      63K  73.0G    63K  /backup
rpool/cvs                        23.1G  73.0G  23.1G  /cvs
rpool/dump                      2.00G  73.0G  2.00G  -
rpool/export                    13.5G  73.0G    32K  /export
rpool/export/home               13.5G  73.0G  13.5G  /export/home
rpool/app                       56.5G  73.0G  56.5G  /app1
rpool/swap                      4.25G  73.3G  4.00G  -
#
# zfs set aclmode=passthrough rpool/ROOT/s10x_u11wos_24a
# zfs set aclmode=passthrough rpool/ROOT/s10x_u11wos_24a/var
# zfs set aclmode=passthrough rpool/export/home
# zfs set aclmode=passthrough rpool/export
# zfs set aclmode=passthrough rpool/app


Please see the link I posted, the change in the aclmode does not enable the enhanced ACL features.
It seems to deal with permission inheritances.

Why did you not continue through the end of the prior post that dealt with potentially altering the acltype.

Make sure you check what the current acltype is before changing it. This is so you know the starting point to check on the production side.
sunhux

ASKER

> until the asker gets a response to a getfacl
getfacl won't work;  found "ls -dv filename"  is what's needed.

I got it working without changing aclmode/anything:
chmod A+user:userX:read_data:allow dir/*
chmod A+user:userX:read_data/execute:file_inherit/dir_inherit:allow  dir


Can't use setfacl & getfacl  
chmod is BASIC (aka non-acl) protection. to allow multiple users access to the same file (by fine grained groups etc.) then this will not work to your expectations.

If you can use chmod / chown / umask then those are not acl's, just owner, group & file protection.

noci, that is true, and  getfacl/setfacl provides a more granular control.

one thing to try is to see whether the last link I posted can be used on the system in this case to set a more granular file access rules.

i.e. the chmod in the environment can set permissions beyond the default  owner, group, world settings,
but can as the link suggests that using chmod you can add individual users and groups with specific attributes.

ZFS does not seem to accept enhanced ACL attributes on this system
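
Added example, not posted by any participant in the thread: a small script that prints (without running them) the commands for granting one user read-only access to a log directory, choosing `chmod A+` / `ls -dv` on ZFS and `setfacl` / `getfacl` on UFS. The function names `fs_type` and `acl_plan`, the directory `/var/tmp/logs` and the default permission values in the UFS branch are assumptions; the ZFS lines follow the asker's working commands.

```sh
#!/bin/sh
# Added example, not from the thread. Prints the commands for review; it
# changes nothing itself. Function names are hypothetical.

# fs_type PATH: Solaris `df -n` prints "mountpoint : fstype" for the
# filesystem that holds PATH; keep only the type.
fs_type() {
    df -n "$1" | sed -n -e '1s/^.*:[ ]*//' -e '1s/[ ]*$//' -e '1p'
}

# acl_plan FSTYPE USER DIR: print the ACL commands for that filesystem type.
# Returns 2 on a rejected argument, 1 when the type has no recipe here.
acl_plan() {
    fstype=$1; user=$2; dir=$3
    # The values end up inside command lines, so accept only plain names.
    case $user in
        ''|*[!A-Za-z0-9_.-]*) echo "bad user name: $user" >&2; return 2 ;;
    esac
    case $dir in
        /*) ;;
        *) echo "directory must be an absolute path: $dir" >&2; return 2 ;;
    esac
    case $dir in
        *[!A-Za-z0-9_./-]*) echo "unsafe character in path: $dir" >&2; return 2 ;;
    esac

    case $fstype in
    zfs)
        # NFSv4-style ACEs: existing files first, then inheritable entries
        # on the directory so new logfiles pick them up.
        printf 'chmod A+user:%s:read_data:allow %s/*\n' "$user" "$dir"
        printf 'chmod A+user:%s:read_data/execute:file_inherit/dir_inherit:allow %s\n' "$user" "$dir"
        printf 'ls -dv %s\n' "$dir"      # getfacl cannot display these
        ;;
    ufs)
        # aclent_t (POSIX-draft) ACLs; -r recalculates the mask.
        printf 'setfacl -r -m user:%s:r-- %s/*\n' "$user" "$dir"
        printf 'setfacl -r -m user:%s:r-x %s\n' "$user" "$dir"
        # Default entries are inherited by new files. The owner/group/other
        # values below are assumed; match them to the directory's real mode.
        printf 'setfacl -m d:u::rwx,d:g::r-x,d:o:---,d:m:r-x,d:u:%s:r-- %s\n' "$user" "$dir"
        printf 'getfacl %s\n' "$dir"
        ;;
    *)
        echo "no ACL recipe for filesystem type '$fstype'; see acl(5)" >&2
        return 1
        ;;
    esac
}

# On the host: sh acl_plan.sh USER DIR
if [ "$#" -eq 2 ]; then
    detected=`fs_type "$2"`
    acl_plan "$detected" "$1" "$2"
fi
```

Review the printed commands before pasting them into a root shell; `ls -dv` on ZFS or `getfacl` on UFS then shows the resulting entries.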