I want to enable ACLs for a FreeBSD 11 system. According to the FreeBSD Handbook this can be done in two ways:
-
By using a mount option —
mount -o acls -
By modifying a superblock —
tunefs -a enable
It says that it is preferable to use the second option, because:
The mount-time ACLs flag cannot be changed by a remount (mount(8) -u), only by means of a complete umount(8) and fresh mount(8). This means that ACLs cannot be enabled on the root file system after boot. It also means that you cannot change the disposition of a file system once it is in use.
Setting the superblock flag will cause the file system to always be mounted with ACLs enabled even if there is not an fstab entry or if the devices re-order. This prevents accidental mounting of the file system without ACLs enabled, which can result in ACLs being improperly enforced, and hence security problems.
From the tunefs man page:
The tunefs utility is designed to change the dynamic parameters of a UFS
file system which affect the layout policies. The tunefs utility cannot
be run on an active file system. To change an active file system, it
must be downgraded to read-only or unmounted.
The problem is that rootfs (/) can't be unmounted.
How can I run tunefs on the root filesystem?
Best Answer
You can forcibly remount the filesystem read-only:
The
rebootstep seems to be neccessary: first, remounting read-write (mount -uw /) doesn't pick up the ACL enable flag, and second, remounting read-only will break everything that wanted to write to disk (eg syslogd), so you're better off just rebooting at that point.