Note that because the aclmode property for this file system is set to the default mode, groupmask, user gozer does not have write_data permission on file.2, because the group permission bits of the file do not allow it.
Note that the inherit_only flag, which is applied when the file_inherit or dir_inherit flags are set, is used to
propagate the ACL through the directory structure. This means that user gozer is only granted or denied
permission from the everyone@ permissions unless he is the owner of the file or a
member of the owning group of the file. For example:
# mkdir test2.dir/subdir.2
# ls -dv test2.dir/subdir.2
drwxr-xr-x+ 2 root root 2 Nov 4 15:00 test2.dir/subdir.2
0:user:gozer:read_data/write_data:allow:file_inherit/inherit_only
1:owner@::deny
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
3:group@:add_file/write_data/add_subdirectory/append_data:deny
4:group@:list_directory/read_data/execute:allow
5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
The following series of examples identify the file and directory ACLs applied
when both the file_inherit and dir_inherit flags
are set.
In the following example, user gozer is granted read, write,
and execute permissions that are inherited for newly created files and directories.
# chmod A+user:gozer:read_data/write_data/execute:allow:file_inherit/dir_inherit test3.dir
# ls -dv test3.dir
drwxr-xr-x+ 2 root root 2 Nov 4 15:01 test3.dir
0:user:gozer:list_directory/read_data/add_file/write_data/execute:allow
:file_inherit/dir_inherit
1:owner@::deny
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
3:group@:add_file/write_data/add_subdirectory/append_data:deny
4:group@:list_directory/read_data/execute:allow
5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
# touch test3.dir/file.3
# ls -v test3.dir/file.3
-rw-r--r--+ 1 root root 0 Nov 4 15:01 test3.dir/file.3
0:user:gozer:write_data/execute:deny
1:user:gozer:read_data/write_data/execute:allow
2:owner@:execute:deny
3:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
4:group@:write_data/append_data/execute:deny
5:group@:read_data:allow
6:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
7:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
In the above examples, because the permission bits of the parent directory deny write and execute permissions
to group and other, user gozer is denied write and execute permissions. The default aclmode property is secure, which
means that write_owner and write_acl permissions are not inherited.
In the following example, user gozer is granted read, write, and execute permissions
that are inherited for newly created files, but are not propagated to subsequent contents
of the directory.
# chmod A+user:gozer:read_data/write_data/execute:allow:file_inherit/no_propagate test4.dir
# ls -dv test4.dir
drwxr-xr-x+ 2 root root 2 Nov 4 15:04 test4.dir
0:user:gozer:read_data/write_data/execute:allow:file_inherit/no_propagate
1:owner@::deny
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
3:group@:add_file/write_data/add_subdirectory/append_data:deny
4:group@:list_directory/read_data/execute:allow
5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
When a new subdirectory is created, user gozer's read_data/write_data/execute permissions for files are not propagated to the new sub4.dir directory.
# mkdir test4.dir/sub4.dir
# ls -dv test4.dir/sub4.dir
drwxr-xr-x+ 2 root root 2 Nov 4 15:06 test4.dir/sub4.dir
0:user:gozer:add_file/write_data:deny
1:user:gozer:list_directory/read_data/add_file/write_data/execute:allow
2:owner@::deny
3:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
4:group@:add_file/write_data/add_subdirectory/append_data:deny
5:group@:list_directory/read_data/execute:allow
6:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
7:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
Example 7-4 ACL Inheritance With ACL Mode Set to Passthrough
If the aclmode property on this file system is set to passthrough,
then user gozer would inherit the ACL applied on test4.dir above
for the newly created file.4 as follows:
# zfs set aclmode=passthrough tank/cindy
# touch test4.dir/file.4
# ls -v test4.dir/file.4
-rw-r--r--+ 1 root root 0 Nov 4 15:09 test4.dir/file.4
0:user:gozer:read_data/write_data/execute:allow
1:owner@:execute:deny
2:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
3:group@:write_data/append_data/execute:deny
4:group@:read_data:allow
5:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
6:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
The above output illustrates that the read_data/write_data/execute:allow:file_inherit/dir_inherit ACL that was set on the parent directory, test4.dir,
is passed through to user gozer.
Example 7-5 ACL Inheritance With ACL Mode Set to Discard
If the aclmode property on a file system is set to discard,
then ACLs can be potentially discarded when the permission bits on a directory change.
For example:
# zfs set aclmode=discard tank/cindy
# chmod A+user:gozer:read_data/write_data/execute:allow:dir_inherit test5.dir
# ls -dv test5.dir
drwxr-xr-x+ 2 root root 2 Nov 4 15:10 test5.dir
0:user:gozer:list_directory/read_data/add_file/write_data/execute:allow
:dir_inherit
1:owner@::deny
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
3:group@:add_file/write_data/add_subdirectory/append_data:deny
4:group@:list_directory/read_data/execute:allow
5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
If, at a later time, you decide to tighten the permission bits on a directory,
the explicit ACL is discarded. For example:
# chmod 744 test5.dir
# ls -dv test5.dir
drwxr--r-- 2 root root 2 Nov 4 15:10 test5.dir
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@:add_file/write_data/add_subdirectory/append_data/execute:deny
3:group@:list_directory/read_data:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/execute/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/read_attributes/read_acl
/synchronize:allow
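The groupmask, passthrough and discard behaviour shown in the examples above, modelled as an added Python example (not code from the guide or from ZFS itself): it restricts an ACE to read_data/write_data/execute, applies the file_inherit, dir_inherit, inherit_only and no_propagate flags as the text describes, and under groupmask inserts the deny ACE that the ls -v output shows. The GOZER entry, the 0o644/0o755 modes that touch and mkdir produce, and the simplified flag handling are assumptions of the model.

```python
from dataclasses import dataclass, replace
BIT = {"read_data": 4, "write_data": 2, "execute": 1}   # ACE permission -> rwx bit
@dataclass(frozen=True)
class Ace:
    who: str                         # e.g. "user:gozer"
    perms: frozenset                 # subset of BIT keys
    kind: str                        # "allow" or "deny"
    flags: frozenset = frozenset()   # file_inherit, dir_inherit, inherit_only, no_propagate
    def __str__(self):
        text = f"{self.who}:{'/'.join(sorted(self.perms))}:{self.kind}"
        return text + (":" + "/".join(sorted(self.flags)) if self.flags else "")

def inherit(parent_acl, new_is_dir, mode, aclmode="groupmask"):
    """Non-trivial ACEs a new child receives from its parent directory's ACL (model)."""
    group_bits = (mode >> 3) & 0o7          # the bits groupmask compares against
    out = []
    for ace in parent_acl:
        if new_is_dir:
            if "dir_inherit" in ace.flags:
                flags = set(ace.flags)                      # keeps propagating downward
            elif "file_inherit" in ace.flags:
                flags = set(ace.flags) | {"inherit_only"}   # carried, but not effective
            else:
                continue
            if "no_propagate" in ace.flags:
                flags = set()               # this child is the last level to receive it
        elif "file_inherit" in ace.flags:
            flags = set()                   # files never carry inherit flags
        else:
            continue
        child = replace(ace, flags=frozenset(flags))
        effective = "inherit_only" not in child.flags
        if aclmode == "groupmask" and child.kind == "allow" and effective:
            # groupmask: bits the group mode bits do not grant get a deny ACE first
            denied = frozenset(p for p in child.perms if not (BIT[p] & group_bits))
            if denied:
                out.append(Ace(child.who, denied, "deny"))
        out.append(child)
    return out

def chmod_dir(acl, aclmode):
    """What chmod does to a directory's explicit ACEs: discard drops them all (model)."""
    return [] if aclmode == "discard" else list(acl)
# Constructed parent ACE, as set on test3.dir above: rwx for gozer, file_inherit/dir_inherit
GOZER = Ace("user:gozer", frozenset(BIT), "allow", frozenset({"file_inherit", "dir_inherit"}))
if __name__ == "__main__":      # reproduce file.3 (groupmask) and file.4 (passthrough)
    print(*inherit([GOZER], False, 0o644), sep="\n")
    print(*inherit([GOZER], False, 0o644, "passthrough"), sep="\n")
```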