Sun Microsystems
Products & Services
 
Support & Training
 
 

Previous Previous     Contents     Next Next

Note that because the aclmode for this file is set to the default mode, groupmask, user gozer does not have write_data permission on file.2 because the group permission of the file does not allow it.

Note the inherit_only permission, which is applied when the file_inherit or dir_inherit flags are set, are used to propagate the ACL through the directory structure. This means user gozer is only granted/denied permission from the everyone@ permissions unless he is the owner of the file or a member of the owning group of the file. For example:

# mkdir test2.dir/subdir.2
# ls -dv test2.dir/subdir.2
drwxr-xr-x+  2 root     root           2 Nov  4 15:00 test2.dir/subdir.2
     0:user:gozer:read_data/write_data:allow:file_inherit/inherit_only
     1:owner@::deny
     2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner:allow
     3:group@:add_file/write_data/add_subdirectory/append_data:deny
     4:group@:list_directory/read_data/execute:allow
     5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
         /write_attributes/write_acl/write_owner:deny
     6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow

The following series of examples identify the file and directory ACLs applied when both the file_inherit and dir_inherit flags are set.

In the following example, user gozer is granted read, write, and execute permissions that are inherited for newly created files and directories.

# chmod A+user:gozer:read_data/write_data/execute:allow:file_inherit/
dir_inherit test3.dir
# ls -dv test3.dir
drwxr-xr-x+  2 root     root           2 Nov  4 15:01 test3.dir
     0:user:gozer:list_directory/read_data/add_file/write_data/execute:allow
         :file_inherit/dir_inherit
     1:owner@::deny
     2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner:allow
     3:group@:add_file/write_data/add_subdirectory/append_data:deny
     4:group@:list_directory/read_data/execute:allow
     5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
         /write_attributes/write_acl/write_owner:deny
     6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow

 touch test3.dir/file.3
# ls -v test3.dir/file.3
-rw-r--r--+  1 root     root           0 Nov  4 15:01 test3.dir/file.3
     0:user:gozer:write_data/execute:deny
     1:user:gozer:read_data/write_data/execute:allow
     2:owner@:execute:deny
     3:owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     4:group@:write_data/append_data/execute:deny
     5:group@:read_data:allow
     6:everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     7:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow

In the above examples, since the permission bits of the parent directory for group and other deny write and execute permissions, user gozer is denied write and execute permissions. The default aclmode property is secure, which means write_owner and write_acl permissions are not inherited.

In the following example, user gozer is granted read, write, and execute permissions that are inherited for newly created files, but are not propagated to subsequent contents of the directory.

# chmod A+user:gozer:read_data/write_data/execute:allow:file_inherit/
no_propagate test4.dir
# ls -dv test4.dir
drwxr-xr-x+  2 root     root           2 Nov  4 15:04 test4.dir
     0:user:gozer:read_data/write_data/execute:allow:file_inherit/no_propagate
     1:owner@::deny
     2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner:allow
     3:group@:add_file/write_data/add_subdirectory/append_data:deny
     4:group@:list_directory/read_data/execute:allow
     5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
         /write_attributes/write_acl/write_owner:deny
     6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow

When a new subdirectory is created, user gozer's read_data/write_data/execute permission for files are not propagated to the new sub4.dir directory.

# mkdir test4.dir/sub4.dir
# ls -dv test4.dir/sub4.dir
drwxr-xr-x+  2 root     root           2 Nov  4 15:06 test4.dir/sub4.dir
     0:user:gozer:add_file/write_data:deny
     1:user:gozer:list_directory/read_data/add_file/write_data/execute:allow
     2:owner@::deny
     3:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner:allow
     4:group@:add_file/write_data/add_subdirectory/append_data:deny
     5:group@:list_directory/read_data/execute:allow
     6:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
         /write_attributes/write_acl/write_owner:deny
     7:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow

Example 7-4 ACL Inheritance With ACL Mode Set to Passthrough

If the aclmode property on this file system is set to passthrough, then user gozer would inherit the ACL applied on test4.dir above for the newly created file.4 as follows:

# zfs set aclmode=passthrough tank/cindy
# touch test4.dir/file.4
# ls -v test4.dir/file.4
-rw-r--r--+  1 root     root           0 Nov  4 15:09 test4.dir/file.4
     0:user:gozer:read_data/write_data/execute:allow
     1:owner@:execute:deny
     2:owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     3:group@:write_data/append_data/execute:deny
     4:group@:read_data:allow
     5:everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     6:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow

The above output illustrates that the read_data/write_data/execute:allow:file_inherit/dir_inherit ACL that was set on the parent directory, test4.dir, is passed through to user gozer.

Example 7-5 ACL Inheritance With ACL Mode Set to Discard

If the aclmode property on a file system is set to discard, then ACLs can be potentially discarded when the permission bits on a directory change. For example:

# zfs set aclmode=discard tank/cindy
# chmod A+user:gozer:read_data/write_data/execute:allow:dir_inherit test5.dir
# ls -dv test5.dir
drwxr-xr-x+  2 root     root           2 Nov  4 15:10 test5.dir
     0:user:gozer:list_directory/read_data/add_file/write_data/execute:allow
         :dir_inherit
     1:owner@::deny
     2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner:allow
     3:group@:add_file/write_data/add_subdirectory/append_data:deny
     4:group@:list_directory/read_data/execute:allow
     5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
         /write_attributes/write_acl/write_owner:deny
     6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow

If, at a later time, you decide to tighten the permission bits on a directory, the explicit ACL is discarded. For example:

# chmod 744 test5.dir
# ls -dv test5.dir
drwxr--r--   2 root     root           2 Nov  4 15:10 test5.dir
     0:owner@::deny
     1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner:allow
     2:group@:add_file/write_data/add_subdirectory/append_data/execute:deny
     3:group@:list_directory/read_data:allow
     4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
         /execute/write_attributes/write_acl/write_owner:deny
     5:everyone@:list_directory/read_data/read_xattr/read_attributes/read_acl
         /synchronize:allow

Previous Previous     Contents     Next Next