ACL permissions that are required to work on files and directories
This topic describes the ACL permissions that are required to access files and folders through file protocols.
The following table describes the ACL permissions that are required when the user of the file is not the file owner. "X" denotes a permission that is required on the file or directory itself, and "P" denotes a permission that is required on the parent directory of the file or directory.
Note: In IBM Storage Scale 5.0.3, a difference in the handling of the NFSv4 ACL bit SYNCHRONIZE can cause access issues for Microsoft Windows clients. The change is that when ACL data is returned to the SMB client, the SYNCHRONIZE bit on ACL "allow" entries is passed unchanged. Microsoft Windows clients, however, require the SYNCHRONIZE bit to be set for renaming files or directories. Files that are written by Microsoft Windows clients usually have the SYNCHRONIZE bit set.
To restore the pre-5.0.3 behavior, issue the following command for each SMB share that is affected by the problem:
/usr/lpp/mmfs/bin/net conf setparm <SMBShareName> 'nfs4:set synchronize' yes
In the long term, it is a good idea to change the ACLs for all files and directories that are missing the SYNCHRONIZE bit instead of modifying the SMB configuration.

| ACL Operation | Traverse folder / execute file | List folder / read data | Read attribute | Read extended attribute | Create files / write data | Create folders / append data | Write attribute | Write extended attributes | Delete subfolder and files | Delete | Read permissions | Write permissions | Take ownership |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Execute file | X | X | | | | | | | | | | | |
| List folder | X | | | | | | | | | | | | |
| Read data from file | X | X | X | | | | | | | | | | |
| Read attributes | X | | | | | | | | | | | | |
| Create file | X | | | | | | | | | | | | |
| Create folder | X | | | | | | | | | | | | |
| Write data to file | X | X | X | X | X | X | | | | | | | |
| Write file attributes | X | | | | | | | | | | | | |
| Write folder attributes | X | | | | | | | | | | | | |
| Delete file | P | X | P | P or X | | | | | | | | | |
| Delete folder | P | X | P | P or X | | | | | | | | | |
| Rename file | P | X | P | P or X | | | | | | | | | |
| Rename folder | P | X | P | P | P or X | | | | | | | | |
| Read file permissions | X | | | | | | | | | | | | |
| Read folder permissions | X | | | | | | | | | | | | |
| Write file permissions | X | | | | | | | | | | | | |
| Write folder permissions | X | | | | | | | | | | | | |
| Take file ownership | X | | | | | | | | | | | | |
| Take folder ownership | X | | | | | | | | | | | | |
The following table lists the same operations, with the permission columns Read ACL and Write ACL in place of Read permissions and Write permissions:

| ACL Operation | Traverse folder / execute file | List folder / read data | Read attribute | Read extended attribute | Create files / write data | Create folders / append data | Write attribute | Write extended attributes | Delete subfolder and files | Delete | Read ACL | Write ACL | Take ownership |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Execute file | P, X | X | | | | | | | | | | | |
| List folder | P | X | | | | | | | | | | | |
| Read data from file | P | X | | | | | | | | | | | |
| Read attributes | P | | | | | | | | | | | | |
| Create file | P | P | | | | | | | | | | | |
| Create folder | P | P | | | | | | | | | | | |
| Write data to file | P | X | X | | | | | | | | | | |
| Write file attributes | P | | | | | | | | | | | | |
| Write folder attributes | P | | | | | | | | | | | | |
| Delete file | P | P | P | | | | | | | | | | |
| Delete folder | P | P | P | | | | | | | | | | |
| Rename file | P | X | P | P | | | | | | | | | |
| Rename folder | P | X | P | P | P | | | | | | | | |
| Read file ACL | P | | | | | | | | | | | | |
| Read folder ACL | P | | | | | | | | | | | | |
| Write file ACL | P | X | | | | | | | | | | | |
| Write folder ACL | P | X | | | | | | | | | | | |
| Take file ownership | P | X | | | | | | | | | | | |
| Take folder ownership | P | X | | | | | | | | | | | |
The following are the considerations on the ACL read and write permissions:
- Files that require the "Traverse folder / execute file" permission do not require the "Bypass Traverse Check" attribute to be enabled. This attribute is enabled by default on the files.
- The "Read extended attribute" permission is required by SMB clients with recent Microsoft Windows versions (Microsoft Windows 2008, Microsoft Windows 2012, and Microsoft Windows 8) for file copy operations. The default ACLs set without inheritance do not contain this permission. It is recommended that you use inherited permissions where possible and enable this permission in the inherited permissions, so that the default value is not used and does not cause problems.
Directory traversal permissions that are applicable for SMB ACLs
The following are the considerations on the traverse permissions:
- It is recommended that you add the "Traverse folder / execute file" permission to all executable files, even if the "Bypass Traverse Check" attribute is enabled on these files. IBM Storage Scale checks for the "Traverse folder / execute file" permission on executable files irrespective of the value of the "Bypass Traverse Check" attribute.
- If the --cifsBypassTraversalChecking option is enabled, it allows a user to directly access files and folders that the user owns, and also files and folders that are contained under parent folders for which the user does not have Read or Write permissions. Users without "Read and Execute" access to the share or export in which the user-owned files and folders are located can read and modify the files inside the export for which the user has permissions that are granted by the --cifsBypassTraversalChecking option. However, in this case, operations like rename file and delete file are not granted by default. This is normal SMB behavior. Modify ACLs as required to enable these operations.
  For example, in the directory structure /A/B/C, assume that an SMB user has 'read' permission on C but no permissions on A and B. When the --cifsBypassTraversalChecking option is set to its default value Yes, this SMB user can access C without having "Traverse Folder" or "Execute File" permissions set to allow on A and B, but is still not allowed to browse the content of A and B.
- The ownership of a file cannot be migrated by a normal user. You must configure and use administrative user credentials to perform data migration. When migrating existing files and directories from other systems to IBM Storage Scale, the ACL might not contain explicit traversal rights for the users because the source system can grant this right implicitly. After migrating the files with ACLs, ensure that traversal rights are granted to the parent directory of each exported path.
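The /A/B/C traversal example above, as an added Python model that is not IBM code: the ACL dictionary, the permission names (taken from the table) and the bypass flag are constructed assumptions, and the model covers only the traverse, read/list and delete checks the text describes, not ownership.

```python
import posixpath

# Constructed sample ACLs: each path maps to the permission names (from the
# table above) that the SMB user holds on it. The user has read on C but no
# permissions on A or B, as in the text's example.
ACLS = {
    "/A": set(),
    "/A/B": set(),
    "/A/B/C": {"List folder / read data", "Read attribute"},
}


def parents(path):
    """Ancestors of `path` from the top down, excluding `path` itself."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def has(acls, path, perm):
    return perm in acls.get(path, set())


def can_traverse_to(acls, path, bypass=True):
    """Every ancestor needs 'Traverse folder / execute file' (the P entries),
    unless --cifsBypassTraversalChecking is enabled (its default value, Yes)."""
    if bypass:
        return True
    return all(has(acls, p, "Traverse folder / execute file") for p in parents(path))


def can_read(acls, path, bypass=True):
    """Read data from a file or browse a folder: the object must be reachable
    and carry 'List folder / read data' itself. Bypass skips only the ancestor
    check, so A and B stay unbrowsable without their own entry."""
    return can_traverse_to(acls, path, bypass) and has(acls, path, "List folder / read data")


def can_delete(acls, path, bypass=True):
    """Delete is 'P or X': 'Delete' on the object or 'Delete subfolder and files'
    on its parent. Bypass grants neither, so delete stays denied by default."""
    parent = posixpath.dirname(path)
    return can_traverse_to(acls, path, bypass) and (
        has(acls, path, "Delete") or has(acls, parent, "Delete subfolder and files"))


if __name__ == "__main__":
    for label, fn, target in (("read C", can_read, "/A/B/C"),
                              ("browse B", can_read, "/A/B"),
                              ("delete C", can_delete, "/A/B/C")):
        print(f"{label}: bypass=Yes -> {fn(ACLS, target)}, "
              f"bypass=No -> {fn(ACLS, target, bypass=False)}")
```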