Created attachment 14322
vfs_zfsacl patch to set dacl protected if no entries in ACL are inherited
The option in File Explorer for disabling inheritance and converting inherited permissions into explicit permissions does not work with zfsacl enabled. The issue is trivial to reproduce, but I'm happy to provide pcaps and logs if they are required.
On FreeBSD this was a two-part fix. I already patched sysutils/libsunacl to expose ACE_INHERITED_ACE.
This patch adds a new configuration option for setting the dacl_protected control flag in the zfsacl vfs module, and defaults to preserving previous behavior. If ACE_INHERITED_ACE isn't present in any of the members of the ACL, then set dacl_protected.
Was fixed with 30f9e1dd596a0dc4894f17b07a7e2e58dcb75c16 in 2019 already.
The fix here is not ideal, as by evaluating only the ACE_INHERITED_ACE in the ACL you still never can simply disable the ACL4_PROTECTED bit.
Actually all NFS 4.0 implementations have this issue, as ACL4_PROTECTED was introduced with NFSv4.1 only. Same as ACE_INHERITED_ACE, actually.
Another idea might be to save the ACL4_PROTECTED bit as a dedicated but otherwise meaningless ACE, which Samba treats specially. A deny ACE for user root deny ACE4_SYNCHRONIZE for example is meaningless for a Unix system and this might be used as fallback storage space by Samba for the ACL4_PROTECTED bit.
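The heuristic described in the patch summary above, modelled as an added example (this is not the attached patch or Samba's code; the `model_ace` struct, the function names and the sample ACLs are constructed for illustration). It shows why a bit derived only from ACE flags cannot be set or cleared on its own: any ACL with only explicit entries reports as protected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag values as defined in the ZFS ACL header and the Windows SD control word. */
#define ACE_INHERITED_ACE        0x0080u  /* ACE was inherited from the parent */
#define SEC_DESC_DACL_PROTECTED  0x1000u  /* DACL blocks inheritance from the parent */

/* Hypothetical, simplified ACE: only the fields this model needs. */
struct model_ace {
    const char *who;    /* constructed sample principal */
    uint16_t    flags;  /* ACE flag bits */
};

/* Heuristic from the patch description: protected iff no ACE is inherited. */
static bool derive_dacl_protected(const struct model_ace *aces, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (aces[i].flags & ACE_INHERITED_ACE) {
            return false;
        }
    }
    return true; /* note: an empty ACL also counts as protected */
}

/* Control bits a client would be shown for this ACL under the heuristic. */
static unsigned int derive_sd_control(const struct model_ace *aces, size_t n)
{
    return derive_dacl_protected(aces, n) ? SEC_DESC_DACL_PROTECTED : 0u;
}

/* Constructed sample ACLs. */
static const struct model_ace acl_inheriting[] = {
    { "owner@", 0 }, { "group:staff", ACE_INHERITED_ACE } };
/* After "convert inherited permissions into explicit permissions". */
static const struct model_ace acl_converted[] = {
    { "owner@", 0 }, { "group:staff", 0 } };
/* Inheritance never disabled, but nothing was inherited from the parent. */
static const struct model_ace acl_explicit_only[] = { { "owner@", 0 } };

int main(void)
{
    printf("inheriting:    0x%04x\n", derive_sd_control(acl_inheriting, 2));
    printf("converted:     0x%04x\n", derive_sd_control(acl_converted, 2));
    printf("explicit-only: 0x%04x\n", derive_sd_control(acl_explicit_only, 1));
    return 0;
}
```

The third case is indistinguishable from the second, so the protected state is never stored, only inferred from the ACEs.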
*** Bug 10645 has been marked as a duplicate of this bug. ***
I have a pending Phabricator request on the FreeBSD side to expose the RFC5661 ACL flags, which provides a proper solution.
FreeBSD is somewhat in between RFC3530 and RFC5661 in this respect (it has ACE_INHERITED_ACE, but not the flags).
In practice with Windows clients, I didn't see the combination of PROTECTED and INHERITED entries or for that matter AUTOINHERIT without any inherited.