ACLs setting executable bit on files on NFS share

dalto · November 14, 2024, 9:15pm

I recently setup a TrueNAS Scale server and I am struggling a little with ACLs and file permissions.

I have a dataset created as multiprotocol that I share via SMB and NFS.

I have assigned ACLs. I am using a Linux machine to connect the share(s).

When I connect via SMB, all works as I expect. But when I connect via NFS and create any files, they are marked executable.

Is there something I need to do to stop that from happening? Ideally, they would not be executable unless I specifically requested that permission.

dalto · November 14, 2024, 9:17pm

I can’t edit my own post since I am new user but it is worth noting that I am running ElectricEel-24.10.0.2.

Glorious1 · November 14, 2024, 9:28pm

Back in the old CORE-only days, the simultaneous sharing of data by SMB and NFS, both with write access, was strongly discouraged. Has that changed? I have a large dataset shared by both, but the NFS access is read-only. It works great, even still in SCALE 24.10.0.2

I stay as far away from ACLs as possible. They are the devil’s pitchforks.

dalto · November 14, 2024, 9:34pm

The behavior is the same even if I remove the SMB share.

I am fairly certain it has something to do with the way the ACLs are configured by default. I have another dataset that has POSIX permissions and that works as expected over NFS.

Glorious1 · November 14, 2024, 10:03pm

It’s possible that the combined sharing has already done it’s damage, even after removing the SMB share. But why not remove both, and re-set it up like your other dataset? Avoid ACLs

dalto · November 14, 2024, 10:17pm

In this case, I need ACLs. POSIX permissions are not sufficient to represent the permissions.

dalto · November 16, 2024, 8:24pm

OK, I found a solutions for this problem in case anyone comes across this issue in the future.

You can create separate ACLs for files and directories. That way you can exclude executable from files explicitly

This requires duplicating every permission which has write access. This is not much fun from an ongoing maintenance perspective.

If anyone finds a better way, please let me know.

Evan123 · July 6, 2025, 1:00am

If you set aclinherit=passthrough-x the executable permission will not be set.

Once you are happy with the setting, for the existing files you can find -type f -print0 | xargs -0 chmod a-x to clear the executable flag.

On e.g. macOS files with executable bit show as programs in Finder so it’s not great that the executable flag is set by default. I filed a bug that aclinherit is not available in the UI but it was closed as a feature request. It is easy enough to set by hand.