If "create files/write data" is selected via the windows security advanced tab, the zfs vfs module allows deletion.

Here are the permissions with some read attributes checked:

root@rieekan:/raid/dropbox$ ls -ldV .
dr-xr-xr-x+ 2 root 10000 2 Mar 5 10:41 .
    everyone@:r-x---a---c--s:------:allow

If "Create files/write data" is selected then "w" is added:

drwxrwxrwx+ 2 root 10000 2 Mar 5 10:41 .
    everyone@:rwx---a---c--s:------:allow

Here are the permissions with read as well as delete subfolders and files:

root@rieekan:/raid/dropbox$ ls -ldV .
dr-xr-xr-x+ 2 root 10000 2 Mar 5 10:41 .
    everyone@:r-x--Da---c--s:------:allow

Basically, the "w" permission is allowing file/folder deletion, but this should be set by the "D" permission of allowing deletes.
Are you talking about setting the "w" bit on a directory, or on a file here? If it's on a directory then setting "w" allows deletes of the directory contents (from POSIX). The acl module only maps the ACLs, it's still the underlying OS that allows the deletion or not, and due to POSIX permissions whoever has "w" permissions on a directory can delete the contents. If I'm not understanding what the problem is here please clarify for me. I want the ZFS/NFS4 ACLs to map as correctly as possible. Thanks, Jeremy.
Yep you are right. Sorry for the noise. It seems that "w" on a directory still allows deletion of files inside the directory, even though d and D seem to exist for exactly that purpose. Since ZFS is still attempting to make the native nfsv4 acl model work with a posix os, I guess I'll have to learn a bit more about how this all works.
If you add an explicit "deny" delete ACE entry on the directory ACL, this should override the delete permission for that user and Samba should show that. Jeremy.
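Added example, not part of the original thread and not Samba or ZFS code: a small audit helper that parses the compact ACEs printed by `ls -ldV` and applies the rule described in this thread to decide whether a principal can delete a directory's contents. It assumes the "deny delete" entry is a deny of "D" (delete_child) on the directory, that ACEs are evaluated in listed order, and it ignores the target file's own ACL; the function names and the deny listing are constructed for illustration.

```python
import re

# One compact ACE as printed by `ls -V`: who:permissions:inheritance:type
ACE_RE = re.compile(
    r"^\s*(\S+):([rwxpdDaARWcCos-]{14}):([fdinSFI-]{6,7}):(allow|deny)\s*$")

def parse_aces(listing):
    """Extract (who, set of permission letters, type) in ACL order."""
    aces = []
    for line in listing.splitlines():
        m = ACE_RE.match(line)
        if m:  # prompt and mode/owner lines do not match and are skipped
            aces.append((m.group(1), set(m.group(2)) - {"-"}, m.group(4)))
    return aces

def decision(aces, principals, bit):
    """The first ACE for one of `principals` that mentions `bit` decides."""
    for who, perms, ace_type in aces:
        if who in principals and bit in perms:
            return ace_type
    return None  # the ACL says nothing about this bit

def can_delete_children(listing, principals=("everyone@",)):
    """Model of the thread's rule for a directory ACL (assumption, see lead-in)."""
    aces = parse_aces(listing)
    d_child = decision(aces, principals, "D")
    if d_child is not None:      # an explicit D entry wins, allow or deny
        return d_child == "allow"
    # No D entry: POSIX-style write + search on the directory permits deletes.
    return all(decision(aces, principals, b) == "allow" for b in "wx")

# The three listings from the report above.
READ_ONLY = """dr-xr-xr-x+ 2 root 10000 2 Mar 5 10:41 .
    everyone@:r-x---a---c--s:------:allow"""
WRITE_DATA = """drwxrwxrwx+ 2 root 10000 2 Mar 5 10:41 .
    everyone@:rwx---a---c--s:------:allow"""
DELETE_CHILD = """dr-xr-xr-x+ 2 root 10000 2 Mar 5 10:41 .
    everyone@:r-x--Da---c--s:------:allow"""
# Constructed listing: the same "w" grant with an explicit deny of D in front.
WRITE_DENY_D = """drwxrwxrwx+ 2 root 10000 2 Mar 5 10:41 .
    everyone@:-----D--------:------:deny
    everyone@:rwx---a---c--s:------:allow"""

if __name__ == "__main__":
    for name in ("READ_ONLY", "WRITE_DATA", "DELETE_CHILD", "WRITE_DENY_D"):
        print(name, can_delete_children(globals()[name]))
```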