CORE: how to enable ACL inheritance with setfacl?

Exhorder · April 26, 2024, 9:57am

Hi,

on CORE I’ve got following directory structure:
TEST/sub1
TEST/sub2

I want to set new ACL with setfacl:

# reset ACL
setfacl -R -b -x everyone@:::allow TEST

# add new ACL
setfacl -m g:somegroup:full_set:fd:allow TEST

The ACL are applied to TEST, but not inherited to sub1 and sub2. When I create another subfolder sub3 it has the inherited ACL.

How do I enable inheritance on existing sub folders?

EDIT: I can enable inheritance on the sub folders on the SMB share on Windows with icacls.exe TEST\sub1\ /inheritance:e

Davvo · April 26, 2024, 10:02am

Why aren’t you setting the ACL by the WebUI?

Exhorder · April 26, 2024, 10:54am

Because I’m doing this automated with a script.

awalkerix · April 26, 2024, 11:19am

You can use the middleware APIs in scripts. If you do that then your work will be mostly future-proof (and compatible with CORE – if you need that).

Exhorder · April 29, 2024, 12:27pm

Not sure if using the middleware API solves my issue, but I doubt it.

So far the results of my testings are:

Proper handling of inheritance like on Windows or Synology seems not be possible with setfacl. You can only apply permissions recursively, which has the same effect for most use cases.
When changing permissions later again, make sure to apply them recursively again. Using the Windows permissions editor may be error prone, but this is no issue for me because I’m always using my script to apply permissions.

BTW: Synology uses a selfmade tool (synoacltool) to set inheritance and some patched chmod to apply permissions.

Another possibility to handle inheritance is using samba:

# enable inheritance on a single folder/file
smbcacls --user my/admin //localhost/share TEST/sub1 --inherit=allow

# set some permission and propagate them to subfolders that have inheritance enabled
smbcacls --user my/admin //localhost/share TEST --set='ACL:my\usergroup:ALLOWED/OI|CI/FULL' --propagate-inheritance

awalkerix · April 29, 2024, 12:37pm

Yes, it can handle inheritance. Some basic inheritance is in CORE, and if you want full windows-style behavior (with evaluation of ACL auto-inheritance flags during recursive operations) you can use SCALE.

Exhorder · April 29, 2024, 12:53pm

A question: How does Scale handle the ACL?
AFAIK Linux does not support the NFSv4 (Windows) ACL: NFS4 ACL overview - SambaWiki

awalkerix · April 29, 2024, 1:25pm

We support it natively via ZFS (the same way it’s supported on FreeBSD). Just load up a SCALE VM, create a dataset with NFSv4 ACL type and an SMB share pointing at it.