GNU bug report logs - #20884
copying NFS4 ACLs portably

Message received at 20884 <at> debbugs.gnu.org:

Received: (at 20884) by debbugs.gnu.org; 23 Jun 2015 19:13:29 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jun 23 15:13:29 2015
Received: from localhost ([127.0.0.1]:55593 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Z7TdQ-0002eI-RX
	for submit <at> debbugs.gnu.org; Tue, 23 Jun 2015 15:13:29 -0400
Received: from mail-oi0-f50.google.com ([209.85.218.50]:36291)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <andreas.gruenbacher@HIDDEN>) id 1Z7TdN-0002e4-Pp
 for 20884 <at> debbugs.gnu.org; Tue, 23 Jun 2015 15:13:26 -0400
Received: by oigb199 with SMTP id b199so14257098oig.3
 for <20884 <at> debbugs.gnu.org>; Tue, 23 Jun 2015 12:13:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type;
 bh=YR+E2P3Yu1zVzHxztLptbPuSa9wNu7ucnnkd1uSHQTI=;
 b=sotT8V9RqTEXfT2Ae8F0hInThCpmj1zL7FH2YNpvNnHYdFXG801OPZTPPdqojMsl7O
 17FLLV/I8MXISn9gBmxgxid9TIx4owNGlvS/ymOkDvwjNMrsFMI4Vrc8GQltwPvTar2X
 LbVGN2AxI+pjMYFTfIjEmAjTQm6MPablRcH39sZe50XCxW1COqHpqLui7tT22Y7JC2Dy
 ABoT47y4GWqMHoLN4SoXul19zCbtIWBf5H0TOcMrlrMfPexGyrezjBTgE+qjy+FlBH/+
 T99a/0T4DJpgeyiNBt3mzsjUr3Yxsv7dWWd5xi8ASahgpjBXVSm6Eh01V6iq1riP6WPc
 ErPw==
MIME-Version: 1.0
X-Received: by 10.182.71.72 with SMTP id s8mr15820340obu.80.1435086800223;
 Tue, 23 Jun 2015 12:13:20 -0700 (PDT)
Received: by 10.182.109.165 with HTTP; Tue, 23 Jun 2015 12:13:20 -0700 (PDT)
In-Reply-To: <076fd938-19d6-11e5-9b6a-00163eeb5320@HIDDEN>
References: <CAHpGcMLeRg+AStbA=aTg_01b0RQfcjD74sYDC-bODD_W8=A45g@HIDDEN>
 <55898BB2.10101@HIDDEN>
 <9510c274-19cd-11e5-9b6a-00163eeb5320@HIDDEN>
 <CAHpGcML7RCJ2n=a=ft4Zif13nRoDWKrSS1TcLG9QxSJM7sce1A@HIDDEN>
 <076fd938-19d6-11e5-9b6a-00163eeb5320@HIDDEN>
Date: Tue, 23 Jun 2015 21:13:20 +0200
Message-ID: <CAHpGcMKc58DNV7L+ZvDD+AuC+bJ0951QfQVeujf885SqRAAKEA@HIDDEN>
Subject: Re: bug#20884: copying NFS4 ACLs portably
From: =?UTF-8?Q?Andreas_Gr=C3=BCnbacher?= <andreas.gruenbacher@HIDDEN>
To: Michael Stone <mstone@HIDDEN>
Content-Type: text/plain; charset=UTF-8
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 20884
Cc: 20884 <at> debbugs.gnu.org, =?UTF-8?Q?P=C3=A1draig_Brady?= <P@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

2015-06-23 20:43 GMT+02:00 Michael Stone <mstone@HIDDEN>:
> Well, moving things around on an NFSv4 filesystem is the request I received,
> not converting the ACL from NFSv4 to POSIX. :) I'm not convinced that it's
> possible to transparently map arbitrary ACLs from one filesystem to another
> given different semantics, so I'm not sure that's a goal worth holding up
> the ability to copy NFS4 ACLs indefinitely. Other implementations just warn
> when they can't preserve ACLs, which seems reasonable.

I'm not talking about converting between NFSv4 and POSIX ACLs, I'm thinking
of optionally having local NFSv4 ACL support on Linux on select file systems,
like Solaris has on ZFS.

Support for the "system.nfs4_acl" attribute could be added to gnulib; it's not
that big a deal, especially since the acl handling cleanup. I'm not
going to write
that code though.

> The current situation seems pretty bad, in that something is happening that
> seems to be almost-working, but which shouldn't be working at all. It's double
> bad that the behavior of coreutils depends on a config file
> (/etc/xattr.conf) which almost no distributions include by default.
> And if we start to include it, then something that people are currently using to
> copy NFS4 ACLs stops working (without any changes in coreutils).

Agreed, it's a mess.

Andreas

Message received at 20884 <at> debbugs.gnu.org:

Received: (at 20884) by debbugs.gnu.org; 23 Jun 2015 18:43:56 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jun 23 14:43:56 2015
Received: from localhost ([127.0.0.1]:55571 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Z7TAq-0001qu-CF
	for submit <at> debbugs.gnu.org; Tue, 23 Jun 2015 14:43:56 -0400
Received: from harad.mathom.us ([54.218.24.45]:53240)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <mstone@HIDDEN>) id 1Z7TAo-0001qc-3G
 for 20884 <at> debbugs.gnu.org; Tue, 23 Jun 2015 14:43:55 -0400
Received: from osgiliath.mathom.us (osgiliath.mathom.us
 [IPv6:2001:4830:1614:2341::2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by harad.mathom.us (Postfix) with ESMTPS id 640A0145;
 Tue, 23 Jun 2015 18:43:47 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mathom.us; s=mail;
 t=1435085027; bh=E0vqmm2xB3UByRXqhegkMPxgogjYgugav1IzvuHgPhw=;
 h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
 b=qXd9jBUCsafYt+YFBHVuT4p2vQkqlyaT97o2/9fWssrxBDhraPkuII3PI90dShsDi
 m/n7j7t7A1H6Eu63Ogb3EAWWK8rY90i6Y5TLM9smWz4vJ8nf1+6n6O0Nh9/yEtxPVO
 34ulhyN2ghUCqLsmLcQALsA2FwzIpOD/BfF+cX5Y=
Received: from localhost (localhost [127.0.0.1])
 by osgiliath.mathom.us (Postfix) with ESMTP id D50D46E540;
 Tue, 23 Jun 2015 14:43:45 -0400 (EDT)
Received: from osgiliath.mathom.us ([127.0.0.1])
 by localhost (osgiliath.mathom.us [127.0.0.1]) (amavisd-new, port 10024)
 with LMTP id RFRSm1qkHL_B; Tue, 23 Jun 2015 14:43:45 -0400 (EDT)
Received: by osgiliath.mathom.us (Postfix, from userid 1000)
 id B28AB6E67E; Tue, 23 Jun 2015 14:43:45 -0400 (EDT)
Date: Tue, 23 Jun 2015 14:43:45 -0400
From: Michael Stone <mstone@HIDDEN>
To: Andreas =?iso-8859-1?Q?Gr=FCnbacher?= <andreas.gruenbacher@HIDDEN>
Subject: Re: bug#20884: copying NFS4 ACLs portably
Message-ID: <076fd938-19d6-11e5-9b6a-00163eeb5320@HIDDEN>
References: <CAHpGcMLeRg+AStbA=aTg_01b0RQfcjD74sYDC-bODD_W8=A45g@HIDDEN>
 <55898BB2.10101@HIDDEN>
 <9510c274-19cd-11e5-9b6a-00163eeb5320@HIDDEN>
 <CAHpGcML7RCJ2n=a=ft4Zif13nRoDWKrSS1TcLG9QxSJM7sce1A@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAHpGcML7RCJ2n=a=ft4Zif13nRoDWKrSS1TcLG9QxSJM7sce1A@HIDDEN>
X-Pgp-Fingerprint: 02D5 315F F11F 1861 860E  1E02 F61A ACDC FA11 FFDE
User-Agent: Mutt/1.5.23 (2014-03-12)
X-Spam-Score: -3.7 (---)
X-Debbugs-Envelope-To: 20884
Cc: 20884 <at> debbugs.gnu.org, =?iso-8859-1?Q?P=E1draig?= Brady <P@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.7 (---)

On Tue, Jun 23, 2015 at 08:22:44PM +0200, Andreas Grünbacher wrote:
>Somewhat. The "system.nfs4_acl" attribute is nfs specific though: its
>format isn't
>well suited for other file systems. Adding support to gnulib would only make
>copying permissions on nfs work, not across different file system types.

Well, moving things around on an NFSv4 filesystem is the request I 
received, not converting the ACL from NFSv4 to POSIX. :) I'm not 
convinced that it's possible to transparently map arbitrary ACLs from 
one filesystem to another given different semantics, so I'm not sure 
that's a goal worth holding up the ability to copy NFS4 ACLs 
indefinitely. Other implementations just warn when they can't preserve 
ACLs, which seems reasonable.

The current situation seems pretty bad, in that something is happening 
that seems to be almost-working, but which shouldn't be working at all. 
It's double bad that the behavior of coreutils depends on a config file 
(/etc/xattr.conf) which almost no distributions include by default. And 
if we start to include it, then something that people are currently 
using to copy NFS4 ACLs stops working (without any changes in 
coreutils).

Mike Stone

Message received at 20884 <at> debbugs.gnu.org:

Received: (at 20884) by debbugs.gnu.org; 23 Jun 2015 18:22:52 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jun 23 14:22:52 2015
Received: from localhost ([127.0.0.1]:55567 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Z7SqR-0001Jz-VE
	for submit <at> debbugs.gnu.org; Tue, 23 Jun 2015 14:22:52 -0400
Received: from mail-ob0-f182.google.com ([209.85.214.182]:33992)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <andreas.gruenbacher@HIDDEN>) id 1Z7SqQ-0001Jk-7K
 for 20884 <at> debbugs.gnu.org; Tue, 23 Jun 2015 14:22:51 -0400
Received: by obbkm3 with SMTP id km3so11807754obb.1
 for <20884 <at> debbugs.gnu.org>; Tue, 23 Jun 2015 11:22:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type:content-transfer-encoding;
 bh=iOzQVj1/b7XWbWT/1KQochNrlmaR0ijRDwxl6L0u6c4=;
 b=d0Zqr0LeU4DLPKTgcg0x93l74RHNPl/KsrcdvregbAPGflm39mgcdeji7nTZ7qHvRz
 BTnZu1zim+DoHo84U05tijFLiVo8hpFPZXJ2hNggujlNErxuCJaYg2JNEuUyZQCpuQL3
 2rvzvKJsDUDwb9UHP+btjjsjv6GLhpcmkRXYL1oDh4OS66tocUQER46Hp3+78BbZ6Fj6
 1HJSLEO4G62zrKzYVbhV5Y9WmA33DqMiL5rt7AEeQypQmOQSpqT99GyC1Nos6eKlQGgL
 g8GkODUJ4s1uBpSdtVKkz46lqIX7XZE+faT6g7m2MFwm4DqvPIB0U1nb6a+jKVvCz4G5
 fbFw==
MIME-Version: 1.0
X-Received: by 10.202.80.204 with SMTP id e195mr29453585oib.116.1435083764411; 
 Tue, 23 Jun 2015 11:22:44 -0700 (PDT)
Received: by 10.182.109.165 with HTTP; Tue, 23 Jun 2015 11:22:44 -0700 (PDT)
In-Reply-To: <9510c274-19cd-11e5-9b6a-00163eeb5320@HIDDEN>
References: <CAHpGcMLeRg+AStbA=aTg_01b0RQfcjD74sYDC-bODD_W8=A45g@HIDDEN>
 <55898BB2.10101@HIDDEN>
 <9510c274-19cd-11e5-9b6a-00163eeb5320@HIDDEN>
Date: Tue, 23 Jun 2015 20:22:44 +0200
Message-ID: <CAHpGcML7RCJ2n=a=ft4Zif13nRoDWKrSS1TcLG9QxSJM7sce1A@HIDDEN>
Subject: Re: bug#20884: copying NFS4 ACLs portably
From: =?UTF-8?Q?Andreas_Gr=C3=BCnbacher?= <andreas.gruenbacher@HIDDEN>
To: Michael Stone <mstone@HIDDEN>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 20884
Cc: 20884 <at> debbugs.gnu.org, =?UTF-8?Q?P=C3=A1draig_Brady?= <P@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

2015-06-23 19:48 GMT+02:00 Michael Stone <mstone@HIDDEN>:
> On Tue, Jun 23, 2015 at 05:39:14PM +0100, P=C3=A1draig Brady wrote:
>>
>> There have been recent changes in this area,
>> so we need to know the version to help determine
>> if this is a regression or was always an issue.
>
>
> 8.23, 8.13
>
> On Tue, Jun 23, 2015 at 07:05:43PM +0200, Andreas Gr=C3=BCnbacher wrote:
>>
>> I assume we are talking about a Linux client with NFSv4 in all cases.
>> If so, then
>> the Solaris code isn't going to be used.
>
>
> Yes
>
>> What does strace show?
>
> relevant chunk of cp -a:
>
> stat("tacl3", {st_mode=3DS_IFREG|0674, st_size=3D0, ...}) =3D 0
> lstat("tacl", {st_mode=3DS_IFREG|0674, st_size=3D0, ...}) =3D 0
> stat("tacl3", {st_mode=3DS_IFREG|0674, st_size=3D0, ...}) =3D 0
> open("tacl", O_RDONLY|O_NOFOLLOW)       =3D 3
> fstat(3, {st_mode=3DS_IFREG|0674, st_size=3D0, ...}) =3D 0
> open("tacl3", O_WRONLY|O_TRUNC)         =3D 4
> fstat(4, {st_mode=3DS_IFREG|0674, st_size=3D0, ...}) =3D 0
> fadvise64(3, 0, 0, POSIX_FADV_SEQUENTIAL) =3D 0
> mmap(NULL, 1056768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, =
0)
> =3D 0x7fecce606000
> read(3, "", 1048576)                    =3D 0
> utimensat(4, NULL, {{1434994892, 275947301}, {1434994892, 275947301}}, 0)=
 =3D
> 0
> flistxattr(3, NULL, 0)                  =3D 16
> flistxattr(3, "system.nfs4_acl\0", 16)  =3D 16
> open("/etc/xattr.conf", O_RDONLY)       =3D -1 ENOENT (No such file or
> directory)
> fgetxattr(3, "system.nfs4_acl", 0x0, 0) =3D 144
> fgetxattr(3, "system.nfs4_acl", "\0\0\0\6\0\0\0\1\0\0\0\0\0\0\0
> \0\0\0\6OWNER@\0\0\0\0\0\0\0\0\0\0\0\26\1\207\0\0\0\6OWNER@\0\0\0\0\0\1\0=
\0\0\0\0\0\0\6\0\0\0\0041004\0\0\0\0\0\0\0\0\0\22\0\241\0\0\0\0041004\0\0\0=
\0\0\0\0\0\0\22\0\207\0\0\0\6GROUP@\0\0\0\0\0\0\0\0\0\0\0\22\0\201\0\0\0\tE=
VERYONE@\0\0",
> 144) =3D 144
> fsetxattr(4, "system.nfs4_acl", "\0\0\0\6\0\0\0\1\0\0\0\0\0\0\0
> \0\0\0\6OWNER@\0\0\0\0\0\0\0\0\0\0\0\26\1\207\0\0\0\6OWNER@\0\0\0\0\0\1\0=
\0\0\0\0\0\0\6\0\0\0\0041004\0\0\0\0\0\0\0\0\0\22\0\241\0\0\0\0041004\0\0\0=
\0\0\0\0\0\0\22\0\207\0\0\0\6GROUP@\0\0\0\0\0\0\0\0\0\0\0\22\0\201\0\0\0\tE=
VERYONE@\0\0",
> 144, 0) =3D 0
> fgetxattr(3, "system.posix_acl_access", 0x7ffe9352d7d0, 132) =3D -1 EOPNO=
TSUPP
> (Operation not supported)
> fsetxattr(4, "system.posix_acl_access",
> "\2\0\0\0\1\0\6\0\377\377\377\377\4\0\7\0\377\377\377\377
> \0\4\0\377\377\377\377", 28, 0) =3D -1 EOPNOTSUPP (Operation not supporte=
d)
> fchmod(4, 0100674)                      =3D 0
>
> cp --preserve=3Dxattr has the same system.nfs4_acl lines but lacks the
> system.posix_acl_access lines and the fchmod.

The -a flag is supposed to be equivalent to -dR --preserve=3Dall, so cp
tries to copy xattrs and permissions here.
In the latter case, it only copies xattrs; that's why it's not
accessing "system.posix_acl_access" there.

Gnulib and coreutils don't have specific support for the
"system.nfs4_acl" attribute; here, they treat it like a
normal xattr. As you say, once added to /etc/xattr.conf, it's no
longer being copied.

>> A chmod / fchmod shouldn't clear the acl, it should only disable the
>> permissions
>> not allowed by the mode. IIRC Solaris has some weird configuration knobs
>> for
>> those kinds of things though.
>
>
> That was my reading of acl(5) on solaris, but it doesn't seem to be what'=
s
> actually happening. (At least on openindiana.)
>
>> That would be a misbehavior / misconfiguration; --preserve=3Dxattr shoul=
d
>> affect
>> non-permission xattrs only. Which attributes are permissions and which
>> are not is
>> configured in /etc/xattr.conf.
>
>
> Well, I can confirm that if system.nfs4_acl is configured as "permissions=
"
> in /etc/xattr.conf that cp ignores it entirely. So if the almost-desired
> behavior was a side effect, then I guess this whole thing is stuck in the
> old controversy about whether the acl library should support nfs4 acls?

Somewhat. The "system.nfs4_acl" attribute is nfs specific though: its
format isn't
well suited for other file systems. Adding support to gnulib would only mak=
e
copying permissions on nfs work, not across different file system types.

I'm currently working on richacls which should eventually work for all
types of file
systems. Patches that work as long as all users or groups have a uid/gid ma=
pping
are available for nfs and ext4; I'll make unmapped nfs users and groups wor=
k as
well.

Andreas

Message received at 20884 <at> debbugs.gnu.org:

Received: (at 20884) by debbugs.gnu.org; 23 Jun 2015 17:53:31 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jun 23 13:53:31 2015
Received: from localhost ([127.0.0.1]:55549 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Z7SO2-0007Zn-Oo
	for submit <at> debbugs.gnu.org; Tue, 23 Jun 2015 13:53:31 -0400
Received: from harad.mathom.us ([54.218.24.45]:53221)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <mstone@HIDDEN>) id 1Z7SIs-0007Rs-CU
 for 20884 <at> debbugs.gnu.org; Tue, 23 Jun 2015 13:48:11 -0400
Received: from osgiliath.mathom.us (osgiliath.mathom.us
 [IPv6:2001:4830:1614:2341::2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by harad.mathom.us (Postfix) with ESMTPS id 25AB9145;
 Tue, 23 Jun 2015 17:48:03 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mathom.us; s=mail;
 t=1435081683; bh=7zOCZxOfj/iyLULPrVjvJ30rK6Dh5ZQNXYpqwiystC8=;
 h=Date:From:To:Cc:Subject:In-Reply-To:From;
 b=DglnpziQz2gNwXh/KKCpWE9EOQ9lwhJnzMm5lajL8Gfj50+X/1SSOzasFe+S30b/T
 p26hxQG5rxgN5fX3BfBfMH9p28kter+ir06lb6lFr0reXi1Tvpd/9talFalw6neGZO
 jBV8IDXr7QRKJ5FzQypvDtWf3P2a88eYnyWA3/Lo=
Received: from localhost (localhost [127.0.0.1])
 by osgiliath.mathom.us (Postfix) with ESMTP id BF1EB6E800;
 Tue, 23 Jun 2015 13:48:01 -0400 (EDT)
Received: from osgiliath.mathom.us ([127.0.0.1])
 by localhost (osgiliath.mathom.us [127.0.0.1]) (amavisd-new, port 10024)
 with LMTP id oV9Ci0MwwV41; Tue, 23 Jun 2015 13:48:01 -0400 (EDT)
Received: by osgiliath.mathom.us (Postfix, from userid 1000)
 id 882296E540; Tue, 23 Jun 2015 13:48:01 -0400 (EDT)
Date: Tue, 23 Jun 2015 13:48:01 -0400
From: Michael Stone <mstone@HIDDEN>
To: =?iso-8859-1?Q?P=E1draig?= Brady <P@HIDDEN>,
 Andreas =?iso-8859-1?Q?Gr=FCnbacher?= <andreas.gruenbacher@HIDDEN>
Subject: Re: bug#20884: copying NFS4 ACLs portably
Message-ID: <9510c274-19cd-11e5-9b6a-00163eeb5320@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAHpGcMLeRg+AStbA=aTg_01b0RQfcjD74sYDC-bODD_W8=A45g@HIDDEN>
 <55898BB2.10101@HIDDEN>
X-Pgp-Fingerprint: 02D5 315F F11F 1861 860E  1E02 F61A ACDC FA11 FFDE
User-Agent: Mutt/1.5.23 (2014-03-12)
X-Spam-Score: -3.7 (---)
X-Debbugs-Envelope-To: 20884
X-Mailman-Approved-At: Tue, 23 Jun 2015 13:53:29 -0400
Cc: 20884 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.7 (---)

On Tue, Jun 23, 2015 at 05:39:14PM +0100, Pádraig Brady wrote:
>There have been recent changes in this area,
>so we need to know the version to help determine
>if this is a regression or was always an issue.

8.23, 8.13

On Tue, Jun 23, 2015 at 07:05:43PM +0200, Andreas Grünbacher wrote:
>I assume we are talking about a Linux client with NFSv4 in all cases.
>If so, then
>the Solaris code isn't going to be used.

Yes

>What does strace show?

relevant chunk of cp -a:

stat("tacl3", {st_mode=S_IFREG|0674, st_size=0, ...}) = 0
lstat("tacl", {st_mode=S_IFREG|0674, st_size=0, ...}) = 0
stat("tacl3", {st_mode=S_IFREG|0674, st_size=0, ...}) = 0
open("tacl", O_RDONLY|O_NOFOLLOW)       = 3
fstat(3, {st_mode=S_IFREG|0674, st_size=0, ...}) = 0
open("tacl3", O_WRONLY|O_TRUNC)         = 4
fstat(4, {st_mode=S_IFREG|0674, st_size=0, ...}) = 0
fadvise64(3, 0, 0, POSIX_FADV_SEQUENTIAL) = 0
mmap(NULL, 1056768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fecce606000
read(3, "", 1048576)                    = 0
utimensat(4, NULL, {{1434994892, 275947301}, {1434994892, 275947301}}, 0) = 0
flistxattr(3, NULL, 0)                  = 16
flistxattr(3, "system.nfs4_acl\0", 16)  = 16
open("/etc/xattr.conf", O_RDONLY)       = -1 ENOENT (No such file or directory)
fgetxattr(3, "system.nfs4_acl", 0x0, 0) = 144
fgetxattr(3, "system.nfs4_acl", "\0\0\0\6\0\0\0\1\0\0\0\0\0\0\0 \0\0\0\6OWNER@\0\0\0\0\0\0\0\0\0\0\0\26\1\207\0\0\0\6OWNER@\0\0\0\0\0\1\0\0\0\0\0\0\0\6\0\0\0\0041004\0\0\0\0\0\0\0\0\0\22\0\241\0\0\0\0041004\0\0\0\0\0\0\0\0\0\22\0\207\0\0\0\6GROUP@\0\0\0\0\0\0\0\0\0\0\0\22\0\201\0\0\0\tEVERYONE@\0\0", 144) = 144
fsetxattr(4, "system.nfs4_acl", "\0\0\0\6\0\0\0\1\0\0\0\0\0\0\0 \0\0\0\6OWNER@\0\0\0\0\0\0\0\0\0\0\0\26\1\207\0\0\0\6OWNER@\0\0\0\0\0\1\0\0\0\0\0\0\0\6\0\0\0\0041004\0\0\0\0\0\0\0\0\0\22\0\241\0\0\0\0041004\0\0\0\0\0\0\0\0\0\22\0\207\0\0\0\6GROUP@\0\0\0\0\0\0\0\0\0\0\0\22\0\201\0\0\0\tEVERYONE@\0\0", 144, 0) = 0
fgetxattr(3, "system.posix_acl_access", 0x7ffe9352d7d0, 132) = -1 EOPNOTSUPP (Operation not supported)
fsetxattr(4, "system.posix_acl_access", "\2\0\0\0\1\0\6\0\377\377\377\377\4\0\7\0\377\377\377\377 \0\4\0\377\377\377\377", 28, 0) = -1 EOPNOTSUPP (Operation not supported)
fchmod(4, 0100674)                      = 0

cp --preserve=xattr has the same system.nfs4_acl lines but lacks the 
system.posix_acl_access lines and the fchmod.

>A chmod / fchmod shouldn't clear the acl, it should only disable the permissions
>not allowed by the mode. IIRC Solaris has some weird configuration knobs for
>those kinds of things though.

That was my reading of acl(5) on solaris, but it doesn't seem to be 
what's actually happening. (At least on openindiana.)

>That would be a misbehavior / misconfiguration; --preserve=xattr should affect
>non-permission xattrs only. Which attributes are permissions and which
>are not is
>configured in /etc/xattr.conf.

Well, I can confirm that if system.nfs4_acl is configured as 
"permissions" in /etc/xattr.conf that cp ignores it entirely. So if the 
almost-desired behavior was a side effect, then I guess this whole thing 
is stuck in the old controversy about whether the acl library should 
support nfs4 acls?

Mike Stone

Message received at 20884 <at> debbugs.gnu.org:

Received: (at 20884) by debbugs.gnu.org; 23 Jun 2015 17:05:53 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jun 23 13:05:52 2015
Received: from localhost ([127.0.0.1]:55527 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Z7Rdv-0006Sb-Ov
	for submit <at> debbugs.gnu.org; Tue, 23 Jun 2015 13:05:52 -0400
Received: from mail-vn0-f54.google.com ([209.85.216.54]:36213)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <andreas.gruenbacher@HIDDEN>) id 1Z7Rds-0006SN-WF
 for 20884 <at> debbugs.gnu.org; Tue, 23 Jun 2015 13:05:50 -0400
Received: by vnbg1 with SMTP id g1so2506019vnb.3
 for <20884 <at> debbugs.gnu.org>; Tue, 23 Jun 2015 10:05:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type:content-transfer-encoding;
 bh=oYHS7RsBRwDahKnc0W5Hj+vcgJ17uMQxHDCaU94EW9Y=;
 b=aUEGBPM6aOAZSLO6TlVIBe8rwFNk0DgdyrOh/63CLopC+lZHqlJwCVqKIon7H/3Pc8
 s8tt57LIEcsMW0hPWHF0is4+vimwU5gd+iQ28X34KIHIcPZ9ZcneitpP9Et8MjgDljH/
 9EqVhM/ruWaJ6q9b0UzwfpdEXXA1nOPa67vLQu2M8cdUyuKa0JLjW9bTF/i9Gv38ygRr
 L0e/d01iawaoghuArwJN2j4BifdcuYliSiM5RMbosm75zWmDTiwmlEgPtJ/gVcrqcmYM
 izvXQxWwviksFf2LWEuPrCPB2X6Ebj/KZ5MAKRty8ihP/5SupnqraAtZ3S9iQ9BapAUp
 rbBA==
MIME-Version: 1.0
X-Received: by 10.52.230.200 with SMTP id ta8mr15239842vdc.15.1435079143509;
 Tue, 23 Jun 2015 10:05:43 -0700 (PDT)
Received: by 10.31.170.216 with HTTP; Tue, 23 Jun 2015 10:05:43 -0700 (PDT)
In-Reply-To: <55898BB2.10101@HIDDEN>
References: <de5c11a0-19bd-11e5-9b6a-00163eeb5320@HIDDEN>
 <55898BB2.10101@HIDDEN>
Date: Tue, 23 Jun 2015 19:05:43 +0200
Message-ID: <CAHpGcMLeRg+AStbA=aTg_01b0RQfcjD74sYDC-bODD_W8=A45g@HIDDEN>
Subject: Re: bug#20884: copying NFS4 ACLs portably
From: =?UTF-8?Q?Andreas_Gr=C3=BCnbacher?= <andreas.gruenbacher@HIDDEN>
To: =?UTF-8?Q?P=C3=A1draig_Brady?= <P@HIDDEN>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 20884
Cc: 20884 <at> debbugs.gnu.org, Michael Stone <mstone@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

I assume we are talking about a Linux client with NFSv4 in all cases.
If so, then
the Solaris code isn't going to be used.

What does strace show?

2015-06-23 18:39 GMT+02:00 P=C3=A1draig Brady <P@HIDDEN>:
>
> On 23/06/15 17:02, Michael Stone wrote:
> > I'm looking for some information before I run too far down this rathole=
.
> > Currently cp --preserve=3Dall will attempt to preserve both the unix mo=
des and
> > any ACL on a file. This seems to be working entirely as expected with a
> > linux NFS4 client & server. If I attempt the same using a solaris
> > server, the new file does not have the ACL. The problem appears to be
> > that the fchmod run after the ACL is copied clears the ACL.

A chmod / fchmod shouldn't clear the acl, it should only disable the permis=
sions
not allowed by the mode. IIRC Solaris has some weird configuration knobs fo=
r
those kinds of things though.

Recent coreutils should usually only chmod to set the suid, sgid, or
stick flags,
or when setting acls doesn't work.

> If cp --preserve=3Dxattr is used instead, then the ACL is preserved.

That would be a misbehavior / misconfiguration; --preserve=3Dxattr should a=
ffect
non-permission xattrs only. Which attributes are permissions and which
are not is
configured in /etc/xattr.conf.

Andreas

Message received at 20884 <at> debbugs.gnu.org:

Received: (at 20884) by debbugs.gnu.org; 23 Jun 2015 16:39:25 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jun 23 12:39:25 2015
Received: from localhost ([127.0.0.1]:55519 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Z7REK-0005pU-2f
	for submit <at> debbugs.gnu.org; Tue, 23 Jun 2015 12:39:24 -0400
Received: from mail2.vodafone.ie ([213.233.128.44]:30464)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <P@HIDDEN>) id 1Z7REH-0005pG-G7
 for 20884 <at> debbugs.gnu.org; Tue, 23 Jun 2015 12:39:22 -0400
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhwFAPuKiVVtTN8u/2dsb2JhbABbgxDELIJUAoFNTAEBAQEBAYELhCMBAQQyAVYLDQEKCSUPAkYGAQwIAQGILwG8HpBiASuLSoQ7UoQrBZN/lByPaiaDez2CeQEBAQ
Received: from unknown (HELO localhost.localdomain) ([109.76.223.46])
 by mail2.vodafone.ie with ESMTP; 23 Jun 2015 17:39:15 +0100
Message-ID: <55898BB2.10101@HIDDEN>
Date: Tue, 23 Jun 2015 17:39:14 +0100
From: =?windows-1252?Q?P=E1draig_Brady?= <P@HIDDEN>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Michael Stone <mstone@HIDDEN>, 20884 <at> debbugs.gnu.org, 
 Andreas Gruenbacher <andreas.gruenbacher@HIDDEN>
Subject: Re: bug#20884: copying NFS4 ACLs portably
References: <de5c11a0-19bd-11e5-9b6a-00163eeb5320@HIDDEN>
In-Reply-To: <de5c11a0-19bd-11e5-9b6a-00163eeb5320@HIDDEN>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 20884
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 0.0 (/)

On 23/06/15 17:02, Michael Stone wrote:
> I'm looking for some information before I run too far down this rathole. 
> Currently cp --preserve=all will attempt to preserve both the unix modes and 
> any ACL on a file. This seems to be working entirely as expected with a 
> linux NFS4 client & server. If I attempt the same using a solaris 
> server, the new file does not have the ACL. The problem appears to be 
> that the fchmod run after the ACL is copied clears the ACL. If cp 
> --preserve=xattr is used instead, then the ACL is preserved.
> 
>>From the comments in the source it looks as though the fchmod is set 
> after the xattrs are copied because the unix mode could interfere with 
> setting the xattrs. It's also possible that setting the mode before the 
> ACL could open up more permissions than desired. OTOH, blowing the ACL 
> away doesn't seem useful either. Since the issue arises on an NFS mount, 
> I don't see an obvious way to tailor the behavior to the platform. 
> 
> Am I missing anything in this diagnosis? Has this already been hashed 
> out (my google-fu is too weak to find relevant hits)? 
> 
> Mike Stone

There have been recent changes in this area,
so we need to know the version to help determine
if this is a regression or was always an issue.

Though the recent refactoring in this area in gnulib stated:

  "The Solaris and Cygwin code still uses duplicate code paths for setting
   a file mode while making sure that no acls exist and setting an explicit
   acl; this is no worse than before, but could be cleaned up. "

thanks,
Pádraig.

Message received at submit <at> debbugs.gnu.org:

Received: (at submit) by debbugs.gnu.org; 23 Jun 2015 16:02:38 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jun 23 12:02:38 2015
Received: from localhost ([127.0.0.1]:55505 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Z7Qej-0004ZD-GN
	for submit <at> debbugs.gnu.org; Tue, 23 Jun 2015 12:02:38 -0400
Received: from eggs.gnu.org ([208.118.235.92]:56844)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <mstone@HIDDEN>) id 1Z7Qeh-0004Vk-9v
 for submit <at> debbugs.gnu.org; Tue, 23 Jun 2015 12:02:36 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <mstone@HIDDEN>) id 1Z7QeY-0004be-7i
 for submit <at> debbugs.gnu.org; Tue, 23 Jun 2015 12:02:29 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50 autolearn=disabled
 version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:48868)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <mstone@HIDDEN>) id 1Z7QeY-0004ba-5m
 for submit <at> debbugs.gnu.org; Tue, 23 Jun 2015 12:02:26 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:42034)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <mstone@HIDDEN>) id 1Z7QeT-0006sH-U6
 for bug-coreutils@HIDDEN; Tue, 23 Jun 2015 12:02:26 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <mstone@HIDDEN>) id 1Z7QeQ-0004Yh-4M
 for bug-coreutils@HIDDEN; Tue, 23 Jun 2015 12:02:21 -0400
Received: from harad.mathom.us ([54.218.24.45]:40496)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <mstone@HIDDEN>) id 1Z7QeP-0004X1-Va
 for bug-coreutils@HIDDEN; Tue, 23 Jun 2015 12:02:18 -0400
Received: from osgiliath.mathom.us (osgiliath.mathom.us
 [IPv6:2001:4830:1614:2341::2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by harad.mathom.us (Postfix) with ESMTPS id EC719C
 for <bug-coreutils@HIDDEN>; Tue, 23 Jun 2015 16:02:04 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by osgiliath.mathom.us (Postfix) with ESMTP id 901956E49E
 for <bug-coreutils@HIDDEN>; Tue, 23 Jun 2015 12:02:03 -0400 (EDT)
Received: from osgiliath.mathom.us ([127.0.0.1])
 by localhost (osgiliath.mathom.us [127.0.0.1]) (amavisd-new, port 10024)
 with LMTP id zHu0nbAeh37h for <bug-coreutils@HIDDEN>;
 Tue, 23 Jun 2015 12:02:03 -0400 (EDT)
Received: by osgiliath.mathom.us (Postfix, from userid 1000)
 id 5F94F6E7A3; Tue, 23 Jun 2015 12:02:03 -0400 (EDT)
Date: Tue, 23 Jun 2015 12:02:03 -0400
From: Michael Stone <mstone@HIDDEN>
To: bug-coreutils@HIDDEN
Subject: copying NFS4 ACLs portably
Message-ID: <de5c11a0-19bd-11e5-9b6a-00163eeb5320@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
X-Pgp-Fingerprint: 02D5 315F F11F 1861 860E  1E02 F61A ACDC FA11 FFDE
User-Agent: Mutt/1.5.23 (2014-03-12)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address
 (bad octet value).
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

I'm looking for some information before I run too far down this rathole. 
Currently cp --preserve=all will attempt to preserve both the unix modes and 
any ACL on a file. This seems to be working entirely as expected with a 
linux NFS4 client & server. If I attempt the same using a solaris 
server, the new file does not have the ACL. The problem appears to be 
that the fchmod run after the ACL is copied clears the ACL. If cp 
--preserve=xattr is used instead, then the ACL is preserved.

From the comments in the source it looks as though the fchmod is set 
after the xattrs are copied because the unix mode could interfere with 
setting the xattrs. It's also possible that setting the mode before the 
ACL could open up more permissions than desired. OTOH, blowing the ACL 
away doesn't seem useful either. Since the issue arises on an NFS mount, 
I don't see an obvious way to tailor the behavior to the platform. 

Am I missing anything in this diagnosis? Has this already been hashed 
out (my google-fu is too weak to find relevant hits)? 

Mike Stone