Project

General

Profile

Bug #48184

Avatar?id=27674&size=50x50

Change dataset aclmode before trying to change permissions

Added by Ryan McCullough 10 months ago. Updated 6 months ago.

Status:
Done
Priority:
No priority
Assignee:
Andrew Walker
Category:
Middleware
Target version:
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
No
Needs Merging:
No
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

Here is my configuration:
FreeNAS 11.2 (BETA3)
12-bay Supermicro CSE-826A-R1200LPB
2x 920Watt Power Supply PWS-920P-1R Platinum
Supermicro X9DRi-LN4F+
  • 2x Intel Xeon E5-2620 v1 HEx (6) Core @ 2.0GHz
  • 4x Intel® i350 GbE controller
  • 32GB ECC PC3-10600
    32GB SATADOM (boot drive)
    2x LSI 9210-8i
    9 x 2TB SAS 6GB/S Hitachi GST ULTRASTAR

I am trying to set the permissions of a dataset to "world writeable". I am allowed to select this in the Web UI (with the recursive option selected), and save without errors. However, I then bring the edit permissions page back up and the changes are not saved or reflected in shell. I was able to make this change on a different dataset and it saved successfully and is reflected in shell and GUI.

Note that the user is applied, but the world-writeable bit is not.

I tried to generate a debug file, but it seemed to timeout.


Related issues

Copied to FreeNAS - Bug #57366: Change dataset aclmode before trying to change permissionsDone

History

#1 Updated by Dru Lavigne 10 months ago

  • Private changed from No to Yes
  • Reason for Blocked set to Need additional information from Author

Ryan: please reproduce then attach a debug (System -> Advanced -> Save debug) to this ticket to assist the dev in diagnosing why this is failing.

#2 Avatar?id=27674&size=24x24 Updated by Ryan McCullough 10 months ago

Dru Lavigne wrote:

Ryan: please reproduce then attach a debug (System -> Advanced -> Save debug) to this ticket to assist the dev in diagnosing why this is failing.

When I click "SAVE DEBUG", I get the spinner for a while and then it times out. Is the debug file generated on the system somewhere that I can find? Or can I generate it from the command line?

#3 Avatar?id=27674&size=24x24 Updated by Ryan McCullough 10 months ago

  • File fndebug.tgz added

I think I found how to get the debug info from /var/tmp/fndebug. It is attached.

#4 Updated by Dru Lavigne 10 months ago

Thanks, Ryan. Please also attach a screenshot of your selections on the permissions screen (the ones that appear to save but don't).

#5 Avatar?id=27674&size=24x24 Updated by Ryan McCullough 10 months ago

32177

Dru Lavigne wrote:

Thanks, Ryan. Please also attach a screenshot of your selections on the permissions screen (the ones that appear to save but don't).

Sure, it is attached.

#6 Updated by Dru Lavigne 10 months ago

  • Assignee changed from Release Council to Lola Yang
  • Target version changed from Backlog to 11.2-RC2

#7 Updated by Dru Lavigne 10 months ago

  • Reason for Blocked deleted (Need additional information from Author)

#8 Updated by Lola Yang 9 months ago

Hi Ryan,

I cannot reproduce it on 11.2-BETA3 and latest nightly.
Could you try again to get the debug file (System -> Advanced -> Save debug) and attach it? Thanks.

#9 Updated by Dru Lavigne 9 months ago

  • Status changed from Unscreened to Blocked
  • Reason for Blocked set to Need additional information from Author

#10 Avatar?id=27674&size=24x24 Updated by Ryan McCullough 9 months ago

Lola Yang wrote:

Hi Ryan,

I cannot reproduce it on 11.2-BETA3 and latest nightly.
Could you try again to get the debug file (System -> Advanced -> Save debug) and attach it? Thanks.

I just tried to generate the debug file and it sits there with the spinner for a while and then the spinner goes away without downloading the debug file. Is it timing out? How can I increase the timeout duration? Or can I generate this debug file from the command line?

#11 Avatar?id=27674&size=24x24 Updated by Ryan McCullough 9 months ago

  • File debug.tgz added

Lola Yang wrote:

Hi Ryan,

I cannot reproduce it on 11.2-BETA3 and latest nightly.
Could you try again to get the debug file (System -> Advanced -> Save debug) and attach it? Thanks.

Nevermind, I figured out the issue with generating the debug file. It is attached.

#12 Updated by Dru Lavigne 9 months ago

  • Status changed from Blocked to Screened
  • Reason for Blocked deleted (Need additional information from Author)

#13 Updated by Lola Yang 9 months ago

  • Category changed from GUI (new) to Middleware
  • Assignee changed from Lola Yang to William Grzybowski

#14 Updated by William Grzybowski 9 months ago

  • Status changed from Screened to Blocked
  • Reason for Blocked set to Waiting for feedback

Can you please paste the output of:

ls -ld /mnt/Tank/Media
getfacl /mnt/Tank/Media
chmod -R 777 /mnt/Tank/Media
ls -ld /mnt/Tank/Media

in that order

#15 Avatar?id=27674&size=24x24 Updated by Ryan McCullough 9 months ago

William Grzybowski wrote:

Can you please paste the output of:

ls -ld /mnt/Tank/Media
getfacl /mnt/Tank/Media
chmod -R 777 /mnt/Tank/Media
ls -ld /mnt/Tank/Media

in that order

Sorry for the delay, I was traveling last week. Here is the output:

root@freenas[~]# ls -ld /mnt/Tank/Media
drwxrwxr-x+ 5 root  media  5 Oct  2 16:28 /mnt/Tank/Media
root@freenas[~]# getfacl /mnt/Tank/Media
# file: /mnt/Tank/Media
# owner: root
# group: media
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow
root@freenas[~]# chmod -R 777 /mnt/Tank/Media
chmod: /mnt/Tank/Media: Operation not permitted
chmod: /mnt/Tank/Media/Music: Operation not permitted
chmod: /mnt/Tank/Media/Music/Johnny.Cash.at.San.Quentin.1969.[24-96.HDtracks]: Operation not permitted
chmod: /mnt/Tank/Media/Music/Johnny.Cash.at.San.Quentin.1969.[24-96.HDtracks]/09-(There'll Be) Peace in the Valley (Live).flac: Operation not permitted
chmod: /mnt/Tank/Media/Music/Johnny.Cash.at.San.Quentin.1969.[24-96.HDtracks]/03-I Walk the Line (Live).flac: Operation not permitted
chmod: /mnt/Tank/Media/Music/Johnny.Cash.at.San.Quentin.1969.[24-96.HDtracks]/08-A Boy Named Sue (Live).flac: Operation not permitted
chmod: /mnt/Tank/Media/Music/Johnny.Cash.at.San.Quentin.1969.[24-96.HDtracks]/01-Wanted Man (Live).flac: Operation not permitted
chmod: /mnt/Tank/Media/Music/Johnny.Cash.at.San.Quentin.1969.[24-96.HDtracks]/06-San Quentin (Live).flac: Operation not permitted
chmod: /mnt/Tank/Media/Music/Johnny.Cash.at.San.Quentin.1969.[24-96.HDtracks]/05-Starkville City Jail (Live).flac: Operation not permitted
chmod: /mnt/Tank/Media/Music/Johnny.Cash.at.San.Quentin.1969.[24-96.HDtracks]/04-Darlin' Companion (Live).flac: Operation not permitted
chmod: /mnt/Tank/Media/Music/Johnny.Cash.at.San.Quentin.1969.[24-96.HDtracks]/10-Folsom Prison Blues (Live).flac: Operation not permitted
chmod: /mnt/Tank/Media/Music/Johnny.Cash.at.San.Quentin.1969.[24-96.HDtracks]/02-Wreck of the Old '97 (Live).flac: Operation not permitted
chmod: /mnt/Tank/Media/Music/Johnny.Cash.at.San.Quentin.1969.[24-96.HDtracks]/07-San Quentin (Live)(2).flac: Operation not permitted
chmod: /mnt/Tank/Media/Music/Johnny.Cash.at.San.Quentin.1969.[24-96.HDtracks]/foo_dr.txt: Operation not permitted

*** HUNDREDS OF LINES LIKE THE PREVIOUS ONES ***

root@freenas[~]# ls -ld /mnt/Tank/Media
drwxrwxr-x+ 5 root  media  5 Oct  2 16:28 /mnt/Tank/Media

#16 Updated by Dru Lavigne 9 months ago

  • Status changed from Blocked to Unscreened

#17 Updated by William Grzybowski 9 months ago

  • Status changed from Unscreened to Blocked

Can you try running:

winacl -a reset -r -p /mnt/Tank/Media

And then the commands from before again?

#18 Avatar?id=27674&size=24x24 Updated by Ryan McCullough 9 months ago

William Grzybowski wrote:

Can you try running:

winacl -a reset -r -p /mnt/Tank/Media

And then the commands from before again?

Sure, here is the output:

root@freenas[~]# winacl -a reset -r -p /mnt/Tank/Media
root@freenas[~]# ls -ld /mnt/Tank/Media
drwxrwxr-x+ 5 root  media  5 Oct  2 16:28 /mnt/Tank/Media
root@freenas[~]# getfacl /mnt/Tank/Media
# file: /mnt/Tank/Media
# owner: root
# group: media
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow
root@freenas[~]# chmod -R 777 /mnt/Tank/Media
chmod: /mnt/Tank/Media: Operation not permitted
chmod: /mnt/Tank/Media/Music: Operation not permitted
chmod: /mnt/Tank/Media/Music/Norah Jones: Operation not permitted
chmod: /mnt/Tank/Media/Music/Norah Jones/Come Away with Me [24-192 HDtracks]: Operation not permitted
chmod: /mnt/Tank/Media/Music/Norah Jones/Come Away with Me [24-192 HDtracks]/0-Liner NotesHX5099946383457.pdf: Operation not permitted

*** HUNDREDS OF LINES LIKE THE PREVIOUS ONES ***

root@freenas[~]# ls -ld /mnt/Tank/Media
drwxrwxr-x+ 5 root  media  5 Oct  2 16:28 /mnt/Tank/Media

#19 Updated by William Grzybowski 9 months ago

  • Status changed from Blocked to Unscreened
  • Assignee changed from William Grzybowski to Andrew Walker
  • Reason for Blocked deleted (Waiting for feedback)

Andrew, I am out of my depth here regarding ACL.

Can you help Ryan? Should we be doing something different in middleware to reset these?

#20 Updated by Andrew Walker 9 months ago

"chmod" won't work if the ZFS aclmode is set to "restricted" (windows dataset type) and the file / directory has extended ACLs set (+ next to mode in ls -l output). A winacl reset won't grant world write permissions. It defaults to (owner - full control, owner group - full control, world - read, execute, read acl, read attributes, read xattr)

Try upgrading to 11.2-RC1, then running the following commands:
First verify that you have the correct aclmode for an SMB share set on the dataset

zfs get aclmode Tank/Media

If it's not restricted, consider setting it to restricted (do note that some applications do not like it when chmod returns an error.

 zfs set aclmode=restricted Tank/Media

Then apply new ACL entries, and apply recursively.

setfacl -m everyone@:full_set:fd:allow,g:media:full_set:fd:allow /mnt/Tank/Media
winacl -a clone -r -v -p /mnt/Tank/Media

This will grant "everyone" full permissions, and sets an explicit entry to grant the "media" group full permissions on /mnt/Tank/Media. The clone action takes that ACL and applies it to all subdirectories and files. Do note that it will follow symlinks and traverse filesystem boundaries.

#21 Updated by Andrew Walker 9 months ago

Sorry, I zeroed in on the winacl portion of this. chmod is failing because we might not switching the aclmode back to "passthrough" when the dataset type is switched to Unix. I will investigate this now.

Ryan a workaround if you're trying to use "Unix" permissions type is to run the command

zfs set aclmode=passthrough Tank/Media
then re-run the UI permissions editor.

#22 Updated by Bug Clerk 9 months ago

  • Status changed from Unscreened to In Progress

#23 Updated by Andrew Walker 9 months ago

This looks like it's an old bug. We weren't trying to change aclmode before changing permissions. Fix was simple. Get dataset from path, then set correct aclmode depending on how we're changing the permissions.

Master = https://github.com/freenas/freenas/pull/1996
11.2 - STABLE = https://github.com/freenas/freenas/pull/1997
11.1 - STABLE = https://github.com/freenas/freenas/pull/1998

#24 Updated by Dru Lavigne 9 months ago

  • File deleted (fndebug.tgz)

#25 Updated by Dru Lavigne 9 months ago

  • Subject changed from Set DataSet permissions to World Writeable is not applied to Change dataset aclmode before trying to change permissions
  • Private changed from Yes to No
  • Needs Doc changed from Yes to No

#26 Updated by Bug Clerk 9 months ago

  • Status changed from In Progress to Ready for Testing

#27 Updated by Bug Clerk 9 months ago

  • Target version changed from 11.2-RC2 to 11.3

#28 Updated by Bug Clerk 9 months ago

#29 Updated by Bug Clerk 9 months ago

  • Target version changed from 11.3 to 11.2-RC2

#30 Updated by Bug Clerk 9 months ago

#31 Updated by Bug Clerk 9 months ago

  • Target version changed from 11.2-RC2 to TrueNAS 11.1-U6.2

#32 Updated by Dru Lavigne 9 months ago

  • Needs Doc changed from No to Yes
  • Needs Merging changed from Yes to No

#36 Updated by Dru Lavigne 9 months ago

  • Needs Doc changed from Yes to No

#37 Avatar?id=27674&size=24x24 Updated by Ryan McCullough 9 months ago

Andrew Walker wrote:

Sorry, I zeroed in on the winacl portion of this. chmod is failing because we might not switching the aclmode back to "passthrough" when the dataset type is switched to Unix. I will investigate this now.

Ryan a workaround if you're trying to use "Unix" permissions type is to run the command [...] then re-run the UI permissions editor.

I apologize for the late reply, I was traveling this week. I ran that command and it seems to have fixed the issue I was having. Sounds like this actually resulted in a code/doc change too, so good to know that I wasn't totally doing something wrong. Thank you!

#38 Updated by Dru Lavigne 8 months ago

  • Copied to Bug #57366: Change dataset aclmode before trying to change permissions added

#39 Updated by Bonnie Follweiler 8 months ago

  • Status changed from Ready for Testing to Passed Testing

Marked the wrong ticket as passed so I moved this back to Ready For Testing

#40 Updated by Bonnie Follweiler 8 months ago

  • Status changed from Passed Testing to Ready for Testing

#41 Updated by Dru Lavigne 8 months ago

  • File deleted (debug.tgz)

#42 Updated by Dru Lavigne 8 months ago

  • Target version changed from TrueNAS 11.1-U6.2 to 11.1-U7

#45 Updated by Jeff Ervin 6 months ago

48133

#46 Updated by Jeff Ervin 6 months ago

48135

Test Passed FreeNAS-11.1-U7-INTERNAL2 (Browser/Chrome)

#47 Updated by Bonnie Follweiler 6 months ago

Test Passed in TrueNAS-11.1-U7-INTERNAL3 using the Firefox browser

#48 Updated by Dru Lavigne 6 months ago

  • Status changed from Passed Testing to Done
  • Needs QA changed from Yes to No

Also available in: Atom PDF