Error [EPERM] Filesystem permissions when assigning ACL

DarkCorner · May 7, 2024, 2:20pm

With TrueNAS 24.4, In a pool named “Work” I have these datasets:

Work (Pool)
- Master-Folder
- - Shared-Folder
- - Group1
- - Group2
- - Group3

I then have these user groups

NAS-Admin
Master-Manager
Shared-Group
Group1
Group2
Group3

NAS-Admin has Full Control Permissions on Master-Folder and child datasets.
Master-Manager has Modify Permissions on Master-Folder and child datasets.

Now I would like to assign Modify Permissions on the respective 4 datasets to the 4 groups.

So,

I add an Item
Who = Group
Group = Name of the group
Permission = Modify
Apply permission recursively = on
Click on “Save Access Control List”

“Updating ACL” starts and then the error appears

[EPERM] Filesystem permissions on path /mnt/Work/Master-Folder prevent access for group “Group1” to the path /mnt/Work/Master-Folder/Group1. This may be fixed by granting the aforementioned group execute permissions on the path: /mnt/Work/Master-Folder.

The owner of the datasets is always “root” and I created them with a user who belongs to the “builtin_administrators” group.

Where am I doing wrong?

awalkerix · May 7, 2024, 2:49pm

You are granting access for “Group1” to the path /mnt/Work/Master-Folder/Group1 but you have explicitly cut its legs out from under it by your ACL on /mnt/Work/Master-Folder. We raise a validation error because there is no possible way that this ACL entry will work properly.

awalkerix · May 7, 2024, 2:50pm

As is case for all unix-like operatings systems (and windows in some cases), removing EXECUTE / TRAVERSE on a parent path prevents access.

DarkCorner · May 7, 2024, 3:37pm

I don’t remember how I configured the ACLs in the previous version of TrueNAS, but it’s not unusual for there to be a Family folder, with the Dad, Mom, Son1, Son2 folders underneath.
Folders with separate rights.
What ACL should I give to Family so I don’t cut my legs off in subfolders?

awalkerix · May 7, 2024, 3:41pm

Depends on ACL type. The easiest solution if using NFSv4 ACL type is to simply grant (non-recursively), everyone@ TRAVERSE rights with NO_INHERIT set on each parent directory (e.g. /mnt/Work/Master-Folder).

DarkCorner · May 7, 2024, 4:39pm

To be honest, I didn’t understand what to do.
With the latest version of TrueNas everything seemed simpler, but even rereading the documentation I didn’t understand what the steps are to create a tree of subfolders with different rights.
Now I have deleted the 5 folders and I will try to create them again.