To help support multiprotocol permissions mapping, OneFS has extended the chmod and ls CLI commands to provide more fine-grained access control configuration and reporting.
In OneFS, the ls command has an -e flag extension, which reports on any Windows-style ACEs that the security descriptor contains, and the traditional POSIX mode bits.
For example, consider the following /ifs/data/file1 file.
A regular long listing (ls -l) on this file shows the POSIX mode bits (644) as expected:
# ls -l /ifs/data/file1
-rw-r--r-- 1 root wheel 6 Feb 12 10:49 /ifs/data/file1
The plus (+) sign follows the mode bit representations. It indicates that either the file has an NTFS ACL, or a security descriptor, and that the ACL is NULL. A space (' ') indicates there is no security descriptor. Every file has a default synthetic ACL that is created automatically, based on the file's mode bits. A file with a synthetic ACL does not have a plus (+) sign next to it, although the ACL is still viewable if the -e option is used. The +o output indicates that a file is wide-open in terms of permissions.
Adding the -e flag to the command returns both the mode bits and the ACL contents:
# ls -le /ifs/data/file1
-rw-r--r-- 1 root wheel 6 Feb 12 10:49 /ifs/data/file1
OWNER: user:root
GROUP: group:wheel
SYNTHETIC ACL
0: user:root allow file_gen_read,file_gen_write,std_write_dac
1: group:wheel allow file_gen_read
2: everyone allow file_gen_read
The -e option for the ls command (that is, the ability to view ACL information in addition to mode bits) is not available from any NFS client that remotely mounts a OneFS export.
Similarly, the chmod command in OneFS has an 'a' mode extension that allows for ACL and ACE configuration and reconfiguration. This extension includes the following options:
| Chmod 'a' mode | Description |
|---|---|
| +a | Inserts a new ACE into the canonical location in the ACL. If the supplied entry refers to an identity already listed, the two entries are combined. |
| -a | Deletes ACL entries. All entries exactly matching the supplied entry are deleted. If the entry lists a subset of rights granted by an entry, only the rights listed are removed. Generic rights (generic_all, generic_read, and so on) cannot be removed, they can only be added. |
| +a# | When a specific ordering is required, +a# mode specifies the exact location where an entry is inserted. |
| =a# | Individual entries are rewritten using the =a# mode. Note: Some shells require = to be escaped with the \ character. |
For example, the following command adds a deny file read ACE for the Administrators group:
# chmod +a group administrators deny file_read /ifs/data/file1
# ls -le /ifs/data/file1
-rw-r--r-- + 1 root wheel 6 Feb 12 10:49 /ifs/data/file1
OWNER: user:root
GROUP: group:wheel
0: group:Administrators deny file_read
1: user:root allow file_gen_read,file_gen_write,std_write_dac
2: group:wheel allow file_gen_read
3: everyone allow file_gen_read
Because POSIX mode bits are a subset of the more comprehensive Windows ACL model, mapping mode bits to ACLs is straightforward. When a Windows client changes the permissions of a file with an ACL, no information is lost because OneFS stores the original ACL and replaces it. Similarly, when a Windows client changes the permissions of a file with mode bits, OneFS replaces the file's synthetic ACL with an actual ACL that is equivalent to the mode bits. However, things are more complex when chmod modifies the permissions of a file that is protected by an ACL. OneFS must map the permission changes between two noncorresponding security models by merging the ACL with a patch derived from the change in mode bits. The behavior described here assumes OneFS is in its default settings.
For example, consider the file2.txt file. A Windows client created this file, and the permissions listed are the generic access rights for files and directories. OneFS correctly approximates the mode bits as 764:
# ls -le file2.txt
-rwxrw-r-- + 1 WIND1\nick WIND1\pdm 2056 Feb 12 10:18 file2.txt
OWNER: user:WIND1\nick
GROUP: group:WIND1\pdm
0: user:WIND1\nick allow file_gen_read,file_gen_write,file_gen_execute,std_write_dac
1: group:WIND1\pdm allow file_gen_read,file_gen_write
2: everyone allow file_gen_read
If the mode bits are changed from 764 to 744, OneFS removes the write permission of the primary group, while preserving the other permissions:
# chmod 744 file2.txt
# ls -le file2.txt
-rwxr--r-- + 1 WIND1\nick WIND1\pdm 2056 Feb 12 10:18 file2.txt
OWNER: user:WIND1\nick
GROUP: group:WIND1\pdm
0: user:WIND1\nick allow file_gen_read,file_gen_write,file_gen_execute,std_write_dac
1: group:WIND1\pdm allow file_gen_read
2: everyone allow file_gen_read
Usually, this result preserves the ACL information and minimizes conflicts between actual and expected behavior. However, there are some anomalies of which to be aware.
In the following example, the mode bits and ACEs do not map directly. If the mode bits on the file (file3.txt) are changed from 750 (rwxr-x---) to 650 (rw-r-x---), the resulting merge removes the owner's right to change the owner in the object's security descriptor (std_write_owner). It leaves the owner with the standard right to modify the discretionary access control list in the object's security descriptor (std_write_dac).
# chmod 650 file3.txt
# ls -le file3.txt
-rw-r-x--- + 1 WIND1\nick WIND1\pdm 807 Feb 12 10:19 file3.txt
OWNER: user:WIND1\nick
GROUP: group:WIND1\pdm
0: user:WIND1\nick allow file_gen_read,file_gen_write,std_write_dac
1: group:WIND1\pdm allow file_gen_read,file_gen_execute
2: everyone allow std_read_dac,std_synchronize,file_read_attr
The following table maps an equivalency of permissions entities between Windows access rights, POSIX mode bits, and OneFS permissions.
| POSIX mode bits (approximation) | OneFS representation | Windows ACE |
|---|---|---|
| d-w | add_file | FILE_ADD_FILE |
| d-w | add_subdir | FILE_ADD_SUBDIRECTORY |
| drwx or -rwx | dir_gen_all, file_gen_all | FILE_ALL_ACCESS |
| --w- or d-w | append, add_subdir | FILE_APPEND_DATA |
| d-w | delete_child | FILE_DELETE_CHILD |
| ---x | execute | FILE_EXECUTE |
| dr-- | list | FILE_LIST_DIRECTORY |
| -r-- | file_read_attr | FILE_READ_ATTRIBUTES |
| -r-- | file_read | FILE_READ_DATA |
| -r-- | file_read_ext_attr | FILE_READ_EA |
| d--x | traverse | FILE_TRAVERSE |
| --w | file_write_attr | FILE_WRITE_ATTRIBUTES |
| --w | file_write | FILE_WRITE_DATA |
| --w | file_write_ext_attr | FILE_WRITE_EA |
| d-w- or --w | std_delete | DELETE |
| dr-- or -r-- | std_read_dac | READ_CONTROL |
| drwx or -rwx | std_write_dac | WRITE_DAC |
| drwx or -rwx | std_write_owner | WRITE_OWNER |
| N/A | std_synchronize | SYNCHRONIZE |