rsync or cp creates trivial ACLs on the destination

Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.

daisho

New Member
Apr 25, 2019
27
4
3
Is there a way to suppress this?

I mean so far as I see these (almost full rights for owner@, read_attr_set for group@ and everyone@) they will not really hamper with anything but with a bit of OCD that looks horrible in my neat designed group-based ACLs. Copying data onto the folders via SMB/Windows does not do that and just inherits what is configured in the parent folder.
(those trivial ACLs are not defined in the parent folder from where I copy or sync ...)

Reason is I wanted to copy all my stuff from one pool to another (some TB, so it would take some time for sure) and doing that via ZFS > Network > Workstation > Network > ZFS is kinda dumb, so I wanted to use something like rsync for that directly on the server.
 

gea

Well-Known Member
Dec 31, 2010
3,141
1,182
113
DE
If you want to copy files with ntfs4 ACL intact, you must use tools that are ntfs4 aware like /usr/bin/cp -p, tar or cpio. Rsync is not ntfs4 acl aware. With rsync you loose ntfs4 acls.
 
  • Like
Reactions: Evan

daisho

New Member
Apr 25, 2019
27
4
3
I saw in the options info of rsync that it also has parameters to preserve ACL, but the thing is I don't want to actually "preserve" the old ACLs because they are a mess and the new pool has nice pre-configured group access rights that I can assign to whoever user I create afterwards.

Currently I am copying via windows explorer from the workstation, unnecessarily slow - but it only adds the ACLs already in place by inheritance.
 

Evan

Well-Known Member
Jan 6, 2016
3,346
598
113
I learnt something I had no idea about from @gea just now. That could be an easy mistake to make. Rsync is one of my go to tools. (Granted I don’t deal with file shares on daily basis and I assume those who do know these things already)
 

daisho

New Member
Apr 25, 2019
27
4
3
I also for the first time now learned about the inheritance-methods (pass-through, restricted, ...). I always saw it when checking my pools on the far right but never really gave it any notice.

For now I just copied all the data via my windows workstation as also cp tool did create those default ACLs. But maybe that's just because those are default ACLs always written when working on ZFS itself!? Anyway, as I didn't know any other tool to copy/sync files directly and had no time to investigate (old pool was already degraded and didn't want to buy a new disc) I just did it that way for now.

In general, working with ZFS ACL and file ownership is not the simplest thing in life in my opinion. At least napp-it has a quiet ok GUI for the most part for this, as doing everything on command line is rather horrible.
The only thing I miss in napp-it GUI is to set or delete ACLs recursively if files are already existing - that would help tremendously in a lot of cases.
 

gea

Well-Known Member
Dec 31, 2010
3,141
1,182
113
DE
You can recursively modify ACL either from Windows (ex as user root) or napp-it when you click on Filesystems > Folder ACL of a filesystem. Below the ACL listing there is an option "reset ACL" (with recursive as an option)
 

daisho

New Member
Apr 25, 2019
27
4
3
Oh well, shame on me. Didn't know that the reset does that (guessed it would reset to some default values). That is very handy to have!
 

daisho

New Member
Apr 25, 2019
27
4
3
You can recursively modify ACL either from Windows (ex as user root) or napp-it when you click on Filesystems > Folder ACL of a filesystem. Below the ACL listing there is an option "reset ACL" (with recursive as an option)
Hi,

I am working on a pretty new pool, ACL inherit/mode are passthrough/passthrough.

I set up the main folder with the ACL settings I wanted, then clicked on "rest ACL's", made sure "current folder" is selected in the drop-down, checked "recursive" option.
But instead of every sub-folder getting these new configured ACL settings, everything ended up with default permissions (owner@, group@, everyone@).

The ACL reset log just says:
initiate reset 10.12.2019, 08:49 56 s current-folder recursiv: /repository/nfs/Myfolder

Initial ACL settings configured by me usually looks like:
ACL User/ Group acl acl-set details inheritance type option

0 user:root rwxpdDaARWcCos full_set rd(acl,att,xatt) wr(acl,att,xatt,own) add(fi,sdir) del(yes,child) x, s file,dir,inherited allow delete
1 user:share rwxpdDaARWcCos full_set rd(acl,att,xatt) wr(acl,att,xatt,own) add(fi,sdir) del(yes,child) x, s file,dir,inherited allow delete
2 group:rdjosk r-x---a-R-c--s readxs_set rd(acl,att,xatt) x, s file,dir allow delete
3 group:wrjosk rwxpdDaARWc--s modify_set rd(acl,att,xatt) wr(att,xatt) add(fi,sdir) del(yes,child) x, s file,dir allow delete

Which I then want to propagate to all sub-folders (which works when copying files over via Windows share).
 

gea

Well-Known Member
Dec 31, 2010
3,141
1,182
113
DE
When you reset acl recursively to "current folder" you should see a message with the chmod commands like (current folder=b1/test in this example, user a and smb group test)

Code:
/usr/bin/chmod -Rf A=user:root:rwxpdDaARWcCos:fd-----:allow '/b1/test/a'
/usr/bin/chmod -Rf A1+user:a:rwxpdDaARWcCos:fd-----:allow '/b1/test/a'
/usr/bin/chmod -Rf A2+group:test:r-x---a-R-c--s:fd-----:allow '/b1/test/a'
A default permission set is the result of an ACL remove

btw.
Does the reset ACL works from Windows (SMB connect as root, set acl recursively)?
 

daisho

New Member
Apr 25, 2019
27
4
3
The page which updates after pressing ok shows indeed:
ACL_reset: initiate reset operation

/usr/bin/chmod -Rf A=user:root:rwxpdDaARWcCos:fd-----:allow '/repository/nfs/Keksi'

But doesn't update further.
After this try I saw that there was a root full permission afterwards (no default permissions).
So could it be that napp-it first removes all permissions and then add them as they are configured by the folder one by one (and it didn't finish for some reason)?

Does the command stop if you are logged out of the web session or should it continue in the background (btw, is it possible to set a different web session timeout)?

I fixed it for now by using windows share, but not sure if it works correctly using napp-it (19.06f I think)?
 

gea

Well-Known Member
Dec 31, 2010
3,141
1,182
113
DE
The "reset acl" is a foreground task.
Can you try Chrome? I have seen problems with Firefox on some longer running tasks. CGI timeout should not be a problem.