Previous versions of Solaris supported an ACL implementation that was primarily based on the POSIX-draft ACL specification. The POSIX-draft based ACLs are used to protect UFS files and are translated by versions of NFS prior to NFSv4.
With the introduction of NFSv4, a new ACL model fully supports the interoperability that NFSv4 offers between UNIX and non-UNIX clients. The new ACL implementation, as defined in the NFSv4 specification, provides much richer semantics that are based on NT-style ACLs.
The main differences of the new ACL model are as follows:
Based on the NFSv4 specification and similar to NT-style ACLs.
Provide much more granular set of access privileges. For more information, see Table 7–2.
Set and displayed with the chmod and ls commands rather than the setfacl and getfacl commands.
Provide richer inheritance semantics for designating how access privileges are applied from directory to subdirectories, and so on. For more information, see ACL Inheritance.
Both ACL models provide more fine-grained access control than is available with the standard file permissions. Much like POSIX-draft ACLs, the new ACLs are composed of multiple Access Control Entries (ACEs).
POSIX-draft style ACLs use a single entry to define what permissions are allowed and what permissions are denied. The new ACL model has two types of ACEs that affect access checking: ALLOW and DENY. As such, you cannot infer from any single ACE that defines a set of permissions whether or not the permissions that weren't defined in that ACE are allowed or denied.
Translation between NFSv4-style ACLs and POSIX-draft ACLs is as follows:
If you use any ACL-aware utility, such as the cp, mv, tar, cpio, or rcp commands, to transfer UFS files with ACLs to a ZFS file system, the POSIX-draft ACLs are translated into the equivalent NFSv4-style ACLs.
Some NFSv4-style ACLs are translated to POSIX-draft ACLs. You see a message similar to the following if an NFSv4–style ACL isn't translated to a POSIX-draft ACL:
# cp -p filea /var/tmp cp: failed to set acl entries on /var/tmp/filea
If you create a UFS tar or cpio archive with the preserve ACL option (tar –p or cpio –P) on a system that runs a current Solaris release, you will lose the ACLs when the archive is extracted on a system that runs a previous Solaris release.
All of the files are extracted with the correct file modes, but the ACL entries are ignored.
You can use the ufsrestore command to restore data into a ZFS file system. If the original data includes POSIX-style ACLs, they are converted to NFSv4-style ACLs.
If you attempt to set an NFSv4-style ACL on a UFS file, you see a message similar to the following:
chmod: ERROR: ACL type's are different
If you attempt to set a POSIX-style ACL on a ZFS file, you will see messages similar to the following:
# getfacl filea File system doesn't support aclent_t style ACL's. See acl(5) for more information on Solaris ACL support.
For information about other limitations with ACLs and backup products, see Saving ZFS Data With Other Backup Products.