ACLs not working with "mfsmount -o mfsacl /mnt/lizardfs" #394

Closed
tyler274 opened this issue Mar 6, 2016 · 19 comments

@tyler274

tyler274 commented Mar 6, 2016

mounted system with "mfsmount -o mfsacl /mnt/lizardfs"

If I make a directory as root /mnt/lizardfs/testdir and use "setfacl -Rm u:tyler274:rwx /mnt/lizardfs/testdir" I am still unable to touch a file to the directory.

@richard-scott

I had to do this to get non-root users to be able to write to my mount point:

echo "* / rw,maproot=0:0" >/etc/mfs/mfsexports.cfg

See if that helps?

@tyler274
Author

tyler274 commented Mar 7, 2016

@richard-scott Didn't seem to change anything. All users can write to /mnt/lizardfs, but if, for example, root creates a folder named "testacl" at "/mnt/lizardfs/testdir" and I run "setfacl -Rm u:tyler274:rwx /mnt/lizardfs/testdir", I am still unable to touch a file to testdir due to permissions denied.

@richard-scott

Did you mount the volume with the "mfsacl" flag?

@tyler274
Author

tyler274 commented Mar 7, 2016

@richard-scott the specific command used was "mfsmount -o mfsacl /mnt/lizardfs"

@richard-scott

lol, my bad. I missed that one ;-)
BTW do you have SELinux enabled?

@tyler274
Author

tyler274 commented Mar 7, 2016

@richard-scott Don't believe I do, running latest Arch and haven't gone through any steps to enable it.

@4Dolio

4Dolio commented Mar 7, 2016

Can't find it atm, but there is an export option to ignoregid, I think. Look for and try that...

@tyler274
Author

tyler274 commented Mar 7, 2016

@4Dolio issues #265 and #295

just adding the ignoregid value such that my mfsexports.cfg file is

# mfsexports.cfg(5)
# Allow everything but "meta".
127.0.0.1                       /       rw,alldirs,maproot=0,ignoregid

# Allow "meta".
127.0.0.1                       .       rw

I unmounted the cluster with umount /mnt/lizardfs
Restarted the master server with systemctl restart lizardfs-master
remounted with mfsmount -o mfsacl,mfsdebug /mnt/lizardfs

checked that the acls are there with getfacl /mnt/lizardfs/testacl/
which returns

user::rwx
user:tyler274:rwx
group::r-x
mask::rwx
other::r-x

attempting to touch a file (testfile) to that directory from my user shows

getattr (1)
lookup (1,test)
getattr (15484)
lookup (15484,testfile)
status: ENOENT (No such file or directory)
lookup (15484,testfile)
status: ENOENT (No such file or directory)

and on the user end a permission denied error.
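
Added example (not part of the original thread or of LizardFS): a small evaluator for the POSIX.1e access-check order described in acl(5), run over the getfacl output quoted above, to show what decision that ACL should produce for creating a file in the directory. The owner and owning group default to root because the thread says root created the directory; the group memberships passed in are assumptions.

```python
# Added example: POSIX.1e access check (acl(5)) over `getfacl` text output.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# ACL copied from the getfacl output in the comment above.
SAMPLE_ACL = """\
user::rwx
user:tyler274:rwx
group::r-x
mask::rwx
other::r-x
"""

def parse_acl(text):
    """Turn lines like 'user:tyler274:rwx' into (tag, qualifier, bits) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop '# owner:' / '#effective:' comments
        if not line or line.startswith("default:"):
            continue                              # default ACLs only affect new children
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, sum(PERM_BITS.get(c, 0) for c in perms)))
    return entries

def acl_allows(entries, want, user, groups, owner, owning_group):
    """True if `user` (a member of `groups`) is granted every bit in `want`."""
    def find(tag, qualifier=""):
        return [bits for t, q, bits in entries if t == tag and q == qualifier]
    mask = (find("mask") or [7])[0]               # no mask entry: nothing filtered
    if user == owner:                             # 1. owner: user:: entry, mask ignored
        return (find("user")[0] & want) == want
    named = find("user", user)
    if named:                                     # 2. named user: entry AND mask
        return (named[0] & mask & want) == want
    matched = find("group") if owning_group in groups else []
    for g in groups:                              # 3. owning group and named groups
        matched += find("group", g)
    if matched:
        return any((bits & mask & want) == want for bits in matched)
    return (find("other")[0] & want) == want      # 4. everyone else

def can_create_file(acl_text, user, groups, owner="root", owning_group="root"):
    """Creating a file needs write + search (w and x) on the directory."""
    return acl_allows(parse_acl(acl_text), 2 | 1, user, groups, owner, owning_group)
```

For the ACL in this thread, `can_create_file(SAMPLE_ACL, "tyler274", {"tyler274"})` returns True, so a "Permission denied" on touch means the ACL is stored but not being enforced by the access check, rather than being set incorrectly.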

@4Dolio

4Dolio commented Mar 8, 2016

Yes, per issue #265 what you have done should be working. The only difference I see is that my mfsexports.cfg has rw,alldirs,ignoregid,maproot=0 so my ignoregid and maproot are inverted compared to yours, but I can't imagine that should matter.

Some tests with my 2.6.0 seem to work fine:
normaluser@lfs-debian-client:/LizardFS/ACL_Tests$ sudo mkdir acl_test_dir
normaluser@lfs-us-courses7:/lfs-us-courses/shares/courses/ACL_Tests$ ls -la .
drwxr-xr-x 2 root root 0 Mar 7 18:55 acl_test_dir
normaluser@lfs-debian-client:/LizardFS/ACL_Tests$ touch acl_test_dir/basic_acl
touch: cannot touch acl_test_dir/basic_acl: Permission denied
normaluser@lfs-debian-client:/LizardFS/ACL_Tests$ setfacl -Rm u:normaluser:rwx acl_test_dir/
normaluser@lfs-debian-client:/LizardFS/ACL_Tests$ touch acl_test_dir/add_owner_acl
normaluser@lfs-debian-client:/LizardFS/ACL_Tests$ setfacl -b acl_test_dir/
normaluser@lfs-debian-client:/LizardFS/ACL_Tests$ touch acl_test_dir/add_group_acl
touch: cannot touch acl_test_dir/add_group_acl: Permission denied
normaluser@lfs-debian-client:/LizardFS/ACL_Tests$ sudo setfacl -Rm g:1182:rwx acl_test_dir/  # normaluser is member of 1182
normaluser@lfs-debian-client:/LizardFS/ACL_Tests$ touch acl_test_dir/add_group_acl
normaluser@lfs-debian-client:/LizardFS/ACL_Tests$ rm acl_test_dir/add_group_acl
normaluser@lfs-debian-client:/LizardFS/ACL_Tests$ setfacl -b acl_test_dir/

@richard-scott

What Linux Distro are you using?
How did you install the Lizard Packages?

@tyler274
Author

tyler274 commented Mar 9, 2016

@richard-scott

ah, Arch Linux, don't know what distro yet ;-(
I looked at it once, but Debian installed easier and it was more stable for my needs.
I thought you may have installed packages for Debian from here, and that is not the best source for the .debs.

@pbeza
Member

pbeza commented Aug 20, 2019

Note that -o mfsacl is now deprecated. ACL support is enabled by default. If you still have any problem with this issue, please reopen it.

@pbeza pbeza closed this as completed Aug 20, 2019
@baby-gnu

Hello.

I'm testing on Ubuntu with lizardfs 3.12.0+dfsg-1 and I still have ACL issue.

I'm testing with the command sudo -u foo ls /mnt/test-lizard:

  • Doing setfacl -m user:foo:rx /mnt/test-lizard fails
  • Doing chown foo /mnt/test-lizard works

This should be reopened.

Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.3 LTS
Release:	18.04
Codename:	bionic

@pbeza
Member

pbeza commented Oct 28, 2019

@baby-gnu ACLs were fixed in #816 after releasing 3.12. Fix will be released in 3.13.

Are you able to test this patch?

@baby-gnu

@pbeza thanks, I'm doing a rough backport to 3.12 to test on my test machine.

@baby-gnu

It's not working with the following patch

--- a/src/mount/fuse/main.cc
+++ b/src/mount/fuse/main.cc
@@ -111,6 +111,13 @@
 		(void)conn;
 #endif
 
+#if FUSE_VERSION >= 30
+	fuse_conn_info_opts *conn_opts = (fuse_conn_info_opts *)userdata;
+	fuse_apply_conn_info_opts(conn_opts, conn);
+	conn->want |= FUSE_CAP_POSIX_ACL;
+	conn->want &= ~FUSE_CAP_ATOMIC_O_TRUNC;
+#endif
+
 	int *piped = (int*)userdata;
 	if (piped[1]>=0) {
 		char s = 0;
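
Review bot: the added block casts `userdata` to `fuse_conn_info_opts *` and hands it to `fuse_apply_conn_info_opts`, while the unchanged line directly below casts the same `userdata` to `int *piped` and reads `piped[1]`; one pointer cannot be both, so the init callback needs a single struct that carries the pipe descriptors and the connection options (or the options must come from somewhere other than `userdata`). The whole addition also sits under `#if FUSE_VERSION >= 30`, so a build against libfuse 2.x compiles none of it and `FUSE_CAP_POSIX_ACL` is never requested; a comment or build-time message in the `#else` path would make that visible. Clearing `FUSE_CAP_ATOMIC_O_TRUNC` in the same block is unexplained and deserves a one-line comment saying why it is tied to the ACL change.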

Because the libfuse is 2.9.7 and not 3 :-/

@pbeza
Member

pbeza commented Oct 28, 2019

AFAIR I had a really hard time trying to solve this problem for FUSE 2.9. AFAIK supporting ACL in FUSE < 3 is/was supported by applying this and this patch to Linux kernel (it was written by our ex-developer @lalek ~5 years ago)...

Maybe it's worth trying to backport/install fuse3?

@baby-gnu

@pbeza thanks for all the information.

It was an experiment to fix Samba SYSVOL replication.

I think we will wait for fuse3 to arrive in the next Ubuntu (since our work is based on that) but I note that buster can use it ;-)

Regards.
