ACL permissions that are required to work on files and directories

The ACL permissions Read Permissions and Read Attributes are required to list a file. The file owner needs only the Read Attributes permission to list a file, because Read Permissions is implied for the owner. Any other user needs both Read Permissions and Read Attributes to list the file reliably; both are granted together automatically when read access is granted. If the file is already in the system cache because it was listed recently, any user can list it, regardless of the Read Permissions and Read Attributes settings.

The following tables describe the ACL permissions that are required when the user working on the file is not the file owner. "X" denotes a permission that is required on the file or directory itself, and "P" denotes a permission that is required on the parent directory of the file or directory.

Table 1. ACL permissions that are required to work on files and directories, while using SMB protocol

| ACL operation | Traverse folder / execute file | List folder / read data | Read attribute | Read extended attribute | Create files / write data | Create folders / append data | Write attribute | Write extended attributes | Delete subfolder and files | Delete | Read permissions | Write permissions | Take ownership |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Execute file | X | X | | | | | | | | | | | |
| List folder | | X | | | | | | | | | | | |
| Read data from file | | X | X | X | | | | | | | | | |
| Read attributes | | | X | | | | | | | | | | |
| Create file | | | | | X | | | | | | | | |
| Create folder | | | | | | X | | | | | | | |
| Write data to file | | X | X | | X | X | X | X | | | | | |
| Write file attributes | | | | | | | X | | | | | | |
| Write folder attributes | | | | | | | X | | | | | | |
| Delete file | | P | X | | P | | | | P | X | | | |
| Delete folder | | P | X | | P | | | | P | X | | | |
| Rename file | | P | X | | P | | | | P | X | | | |
| Rename folder | | P | X | | P | P | | | P | X | | | |
| Read file permissions | | | | | | | | | | | X | | |
| Read folder permissions | | | | | | | | | | | X | | |
| Write file permissions | | | | | | | | | | | X | X | |
| Write folder permissions | | | | | | | | | | | X | X | |
| Take file ownership | | | | | | | | | | | | | X |
| Take folder ownership | | | | | | | | | | | | | X |

In the delete and rename rows, the "P" in the Delete subfolder and files column and the "X" in the Delete column are alternatives: either the permission on the parent directory or the permission on the file or folder itself is sufficient.
Table 2. ACL permissions required to work on files and directories, while using NFS protocol

| ACL operation | Traverse folder / execute file | List folder / read data | Read attribute | Read extended attribute | Create files / write data | Create folders / append data | Write attribute | Write extended attributes | Delete subfolder and files | Delete | Read ACL | Write ACL | Take ownership |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Execute file | P, X | X | | | | | | | | | | | |
| List folder | P | X | | | | | | | | | | | |
| Read data from file | P | X | | | | | | | | | | | |
| Read attributes | P | | | | | | | | | | | | |
| Create file | P | | | | P | | | | | | | | |
| Create folder | P | | | | | P | | | | | | | |
| Write data to file | P | | | | X | X | | | | | | | |
| Write file attributes | P | | | | | | | | | | | | |
| Write folder attributes | P | | | | | | | | | | | | |
| Delete file | P | | | | P | | | | P | | | | |
| Delete folder | P | | | | P | | | | P | | | | |
| Rename file | P | | X | | P | | | | P | | | | |
| Rename folder | P | | X | | P | P | | | P | | | | |
| Read file ACL | P | | | | | | | | | | | | |
| Read folder ACL | P | | | | | | | | | | | | |
| Write file ACL | P | | | | | | | | | | | X | |
| Write folder ACL | P | | | | | | | | | | | X | |
| Take file ownership | P | | | | | | | | | | | | X |
| Take folder ownership | P | | | | | | | | | | | | X |
The following are the considerations on the ACL read and write permissions:
  1. For the "Read data from file" operation, the IBM Spectrum Scale™ system checks the validity of the client requested access mask only if "Read permissions" attribute is enabled on the file. If "Read permissions" attribute is not enabled, then only the "List folder / read data" and "Read attributes" permissions are required to read from the file.
  2. For the "Write data to file" operation, the IBM Spectrum Scale system checks the validity of the client requested access mask only if the "Read permissions" attribute is enabled on the file. If the "Read permissions" attribute is not enabled, then only the "Create files / write data" and "Create folders / append data" permissions are required to write to the file.
  3. The files that require "Traverse folder / execute file" permission do not require the "Bypass Traverse Check" attribute to be enabled. This attribute is enabled by default on the files.
  4. The "Read extended attribute" permission is required by SMB clients on recent Microsoft Windows versions (Microsoft Windows 2008, Microsoft Windows 2012, and Microsoft Windows 8) for file copy operations. The default ACLs that are set without inheritance do not contain this permission. It is recommended that you use inherited permissions where possible and include this permission in the inherited permissions, so that the default ACL is not used and copy operations do not fail.
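The two tables above are easiest to apply when they are treated as data. The following is an added example, not IBM Spectrum Scale code: it encodes both matrices with the operation and column names from the tables and reports which requirements a user lacks for a given operation. Representing an ACL as the set of permission names a user holds on an object, and the helper names `parse_table`, `missing` and `allowed`, are assumptions of this model; the owner rule (Read Permissions implied for the file owner) comes from the first paragraph of this page.

```python
# Added example (not IBM Spectrum Scale code): an evaluator for the SMB and
# NFS permission matrices. Operation and column names are taken from the
# tables; an ACL is modelled as the set of permission names a user holds.
SMB_COLUMNS = [
    "Traverse folder / execute file", "List folder / read data",
    "Read attribute", "Read extended attribute",
    "Create files / write data", "Create folders / append data",
    "Write attribute", "Write extended attributes",
    "Delete subfolder and files", "Delete",
    "Read permissions", "Write permissions", "Take ownership",
]
# The NFS table differs only in the two ACL columns.
NFS_COLUMNS = SMB_COLUMNS[:10] + ["Read ACL", "Write ACL", "Take ownership"]

# Cell markers: X = required on the object, P = required on the parent,
# "-" = not required, "P,X" = both required, and a "?" suffix marks the
# alternatives of a spanning "P or X" cell, of which any one suffices.
SMB_TABLE = """
Execute file             | X X - - - - - - - - - - -
List folder              | - X - - - - - - - - - - -
Read data from file      | - X X X - - - - - - - - -
Read attributes          | - - X - - - - - - - - - -
Create file              | - - - - X - - - - - - - -
Create folder            | - - - - - X - - - - - - -
Write data to file       | - X X - X X X X - - - - -
Write file attributes    | - - - - - - X - - - - - -
Write folder attributes  | - - - - - - X - - - - - -
Delete file              | - P X - P - - - P? X? - - -
Delete folder            | - P X - P - - - P? X? - - -
Rename file              | - P X - P - - - P? X? - - -
Rename folder            | - P X - P P - - P? X? - - -
Read file permissions    | - - - - - - - - - - X - -
Read folder permissions  | - - - - - - - - - - X - -
Write file permissions   | - - - - - - - - - - X X -
Write folder permissions | - - - - - - - - - - X X -
Take file ownership      | - - - - - - - - - - - - X
Take folder ownership    | - - - - - - - - - - - - X
"""
NFS_TABLE = """
Execute file             | P,X X - - - - - - - - - - -
List folder              | P X - - - - - - - - - - -
Read data from file      | P X - - - - - - - - - - -
Read attributes          | P - - - - - - - - - - - -
Create file              | P - - - P - - - - - - - -
Create folder            | P - - - - P - - - - - - -
Write data to file       | P - - - X X - - - - - - -
Write file attributes    | P - - - - - - - - - - - -
Write folder attributes  | P - - - - - - - - - - - -
Delete file              | P - - - P - - - P - - - -
Delete folder            | P - - - P - - - P - - - -
Rename file              | P - X - P - - - P - - - -
Rename folder            | P - X - P P - - P - - - -
Read file ACL            | P - - - - - - - - - - - -
Read folder ACL          | P - - - - - - - - - - - -
Write file ACL           | P - - - - - - - - - - X -
Write folder ACL         | P - - - - - - - - - - X -
Take file ownership      | P - - - - - - - - - - - X
Take folder ownership    | P - - - - - - - - - - - X
"""

def parse_table(text, columns):
    """Turn a marker table into {operation: [clauses]}. Each clause is a list
    of (scope, permission) alternatives; every clause must be satisfied by
    at least one of its alternatives. Scope "X" is the object, "P" its parent."""
    table = {}
    for line in text.strip().splitlines():
        op, cells = [part.strip() for part in line.split("|")]
        tokens = cells.split()
        assert len(tokens) == len(columns), f"bad row: {op}"
        clauses, either = [], []
        for column, token in zip(columns, tokens):
            if token == "-":
                continue
            for mark in token.split(","):
                if mark.endswith("?"):          # part of a spanning "P or X" cell
                    either.append((mark[0], column))
                else:                           # an unconditional requirement
                    clauses.append([(mark, column)])
        if either:
            clauses.append(either)
        table[op] = clauses
    return table

SMB = parse_table(SMB_TABLE, SMB_COLUMNS)
NFS = parse_table(NFS_TABLE, NFS_COLUMNS)

def missing(table, op, file_perms, parent_perms, is_owner=False):
    """Unmet requirements for `op`; an empty list means the operation is allowed."""
    on_file = set(file_perms)
    if is_owner:
        on_file.add("Read permissions")  # implied for the owner, per the text above
    granted = {"X": on_file, "P": set(parent_perms)}
    return [" or ".join(f"{scope}:{perm}" for scope, perm in clause)
            for clause in table[op]
            if not any(perm in granted[scope] for scope, perm in clause)]

def allowed(table, op, file_perms, parent_perms, is_owner=False):
    return not missing(table, op, file_perms, parent_perms, is_owner)
```

A call such as `missing(SMB, "Delete file", {"Read attribute"}, {"List folder / read data", "Create files / write data"})` returns the single unmet clause `P:Delete subfolder and files or X:Delete`, which shows the spanning cell at work: granting Delete on the file, or Delete subfolder and files on the parent, satisfies it. Passing `is_owner=True` to a "Read file permissions" check on an object with no explicit permissions still returns an empty list, reflecting the owner rule.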
Migrating data through SMB to the IBM Spectrum Scale cluster requires a user ID with enhanced permissions. The ownership of a file cannot be migrated by a normal IBM Spectrum Scale user. Therefore, you need to configure an “admin user” to allow data migration. For more information on how to configure the “admin users” parameter, see the mmsmb export add and mmsmb export change sections in the mmsmb command.

Directory traversal permissions that are applicable for SMB ACLs

The following are the considerations on the traverse permissions:
  1. It is recommended that you add the "Traverse folder / execute file" permission to all executable files, even if the "Bypass Traverse Check" attribute is enabled on these files. IBM Spectrum Scale checks for the "Traverse folder / execute file" permission on executable files irrespective of the value of the "Bypass Traverse Check" attribute.
  2. If the --cifsBypassTraversalChecking option is enabled, a user can directly access files and folders that the user owns, including those contained under parent folders on which the user has no Read or Write permissions. Users who lack "Read and Execute" access to the share or export that contains their files and folders can still read and modify the files inside the export on which they hold permissions, because the --cifsBypassTraversalChecking option supplies the traversal. However, in this case operations such as rename file and delete file are not granted by default. This is normal SMB behavior. Modify the ACLs as required to enable these operations.

    For example, in the directory structure /A/B/C, assume that an SMB user has 'read' permission on C but no permissions on A and B. When the --cifsBypassTraversalChecking option is set to its default value Yes, this SMB user can access C without having "Traverse Folder" or "Execute File" permissions that are set to allow on A and B, but is still not allowed to browse the content of A and B.

  3. The ownership of a file cannot be migrated by a normal user. You must configure and use administrative user credentials to perform data migration. When migrating existing files and directories from other systems to IBM Spectrum Scale, the ACL might not contain explicit traversal rights for the users because the source system can grant this right implicitly. After migrating the files with ACLs, ensure that traversal rights are granted to the parent directory of each exported path.
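The /A/B/C example above can be checked against a small model of the traversal rules. The following is an added example, not IBM Spectrum Scale code: it walks the parent directories of a path, skips the parent checks when the bypass option is on, and still requires the permissions that the text says are checked regardless of the bypass (List folder / read data on the object being browsed, and Traverse folder / execute file on an executable file). The directory tree, the ACLs, the file name `tool.exe` and the helper names are assumptions made for this example.

```python
# Added example (not IBM Spectrum Scale code): a model of the SMB directory
# traversal rules described above, using the /A/B/C layout from the text.
TRAVERSE = "Traverse folder / execute file"
LIST_READ = "List folder / read data"

# Constructed ACLs: the permissions one SMB user holds on each object. The
# user has read permission on C but no permissions on A or B, as in the text.
USER_ACL = {
    "/A": set(),
    "/A/B": set(),
    "/A/B/C": {LIST_READ},
    "/A/B/C/tool.exe": {LIST_READ},  # an executable that lacks Traverse / Execute
}

def ancestors(path):
    """Parent directories of `path`, top-down: '/A/B/C' -> ['/A', '/A/B']."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]

def can_reach(acl, path, bypass_traverse_checking=True):
    """Can the user pass through every parent directory on the way to `path`?
    With --cifsBypassTraversalChecking at its default (Yes) the parents are
    not checked; otherwise each parent must grant Traverse folder."""
    if bypass_traverse_checking:
        return True
    return all(TRAVERSE in acl.get(d, set()) for d in ancestors(path))

def can_read(acl, path, bypass_traverse_checking=True):
    """Read a file or browse a directory: the user must reach it and hold
    List folder / read data on the object itself. The bypass never grants
    listing of the parents, so browsing A or B still fails."""
    return (can_reach(acl, path, bypass_traverse_checking)
            and LIST_READ in acl.get(path, set()))

def can_execute(acl, path, bypass_traverse_checking=True):
    """Execute a file: the file itself must carry Traverse folder / execute
    file (checked irrespective of the bypass setting) as well as read data."""
    return (can_reach(acl, path, bypass_traverse_checking)
            and {TRAVERSE, LIST_READ} <= acl.get(path, set()))
```

With the constructed ACL, `can_read(USER_ACL, "/A/B/C")` succeeds under the default bypass setting and fails when the bypass is turned off, `can_read(USER_ACL, "/A")` fails either way, and `can_execute(USER_ACL, "/A/B/C/tool.exe")` fails until Traverse folder / execute file is added to the file's own ACL, which is the point of consideration 1.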