| Skip Navigation Links | |
| Exit Print View | |
|
Oracle Solaris ZFS Administration Guide |
1. Oracle Solaris ZFS File System (Introduction)
2. Getting Started With Oracle Solaris ZFS
3. Oracle Solaris ZFS and Traditional File System Differences
4. Managing Oracle Solaris ZFS Storage Pools
5. Installing and Booting an Oracle Solaris ZFS Root File System
6. Managing Oracle Solaris ZFS File Systems
7. Working With Oracle Solaris ZFS Snapshots and Clones
8. Using ACLs to Protect Oracle Solaris ZFS Files
Syntax Descriptions for Setting ACLs
Setting and Displaying ACLs on ZFS Files in Verbose Format
Setting ACL Inheritance on ZFS Files in Verbose Format
9. Oracle Solaris ZFS Delegated Administration
10. Oracle Solaris ZFS Advanced Topics
11. Oracle Solaris ZFS Troubleshooting and Pool Recovery
You can set and display permissions on ZFS files in a compact format that uses 14 unique letters to represent the permissions. The letters that represent the compact permissions are listed in Table 8-2 and Table 8-3.
You can display compact ACL listings for files and directories by using the ls -V command. For example:
# ls -V file.1
-rw-r--r-- 1 root root 206663 Jun 17 10:07 file.1
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
This compact ACL output is described as follows:
The owner is denied execute permissions on the file (x=execute).
The owner can read and modify the contents of the file (rw=read_data/write_data, p=append_data). The owner can also modify the file's attributes such as time stamps, extended attributes, and ACLs (A=write_xattr, W=write_attributes, and C=write_acl). In addition, the owner can modify the ownership of the file (o=write_owner).
The group is denied modify and execute permissions on the file (write_data, p=append_data, and x=execute).
The group is granted read permissions on the file (r=read_data).
Everyone who is not the owner of the file or a member of the owning group of the file is denied permission to execute or modify the contents of the file, and to modify any attributes of the file (w=write_data, x=execute, p=append_data, A=write_xattr, W=write_attributes, C=write_acl, and o=write_owner).
Everyone who is not the owner of the file or a member of the owning group of the file on the file and the file's attributes (r=read_data, a=append_data, R=read_xattr, c=read_acl, and s=synchronize). The synchronize access permission is not currently implemented.
The compact ACL format provides the following advantages over the verbose ACL format:
Permissions can be specified as positional arguments to the chmod command.
The hyphen (-) characters, which identify no permissions, can be removed. Only the required letters need to be specified.
Both permissions and inheritance flags are set in the same fashion.
For information about using the verbose ACL format, see Setting and Displaying ACLs on ZFS Files in Verbose Format.
Example 8-10 Setting and Displaying ACLs in Compact Format
In the following example, a trivial ACL exists on file.1:
# ls -V file.1
-rw-r--r-- 1 root root 206663 Jun 17 10:07 file.1
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
In the following example, read_data/execute permissions are added for user gozer on file.1:
# chmod A+user:gozer:rx:allow file.1
# ls -V file.1
-rw-r--r--+ 1 root root 206663 Jun 17 10:07 file.1
user:gozer:r-x-----------:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
Another way to add the same permissions for user gozer is to insert a new ACL entry at a specific position, 4, for example. As such, the existing ACLs at positions 4–6 are pushed down. For example:
# chmod A4+user:gozer:rx:allow file.1
# ls -V file.1
-rw-r--r--+ 1 root root 206663 Jun 17 10:16 file.1
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
user:gozer:r-x-----------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
In the following example, user gozer is granted read, write, and execute permissions that are inherited for newly created files and directories.
# chmod A+user:gozer:rwx:fd:allow dir.2
# ls -dV dir.2
drwxr-xr-x+ 2 root root 2 Jun 17 10:19 dir.2
user:gozer:rwx-----------:fd----:allow
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
You can also cut and paste permissions and inheritance flags from the ls -V output into the compact chmod format. For example, to duplicate the permissions and inheritance flags on the dir.2 directory for user gozer to user cindys on dir.2, copy and paste the permissions and inheritance flags (rwx-----------:fd----:allow) into your chmod command as follows:
# chmod A+user:cindys:rwx-----------:fd----:allow dir.2
# ls -dV dir.2
drwxr-xr-x+ 2 root root 2 Jun 17 10:19 dir.2
user:cindys:rwx-----------:fd----:allow
user:gozer:rwx-----------:fd----:allow
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allowExample 8-11 ACL Inheritance With the aclinherit Property Set to passthrough
A file system that has the aclinherit property set to passthrough inherits all inheritable ACL entries without any modifications made to the ACL entries when they are inherited. When this property is set to passthrough, files are created with a permissions that are determined by the inheritable ACEs. If no inheritable ACEs exist that affect the permissions, then the permissions are set in accordance to the requested permissions from the application.
The following examples use compact ACL syntax to show how to inherit permissions by setting the aclinherit property to passthrough.
In this example, an ACL is set on the test1.dir directory to force inheritance. The syntax creates an owner@, group@, and everyone@ ACL entry for newly created files. Newly created directories inherit an @owner, group@, and everyone@ ACL entry. Additionally, directories inherit six other ACEs that propagate the ACEs to the newly created directories and files.
# zfs set aclinherit=passthrough tank/cindys # pwd /tank/cindys # mkdir test1.dir
# chmod A=owner@:rwxpcCosRrWaAdD:fd:allow,group@:rwxp:fd:allow,everyone@::fd:allow
test1.dir
# ls -Vd test1.dir
drwxrwx---+ 2 root root 2 Jun 17 10:37 test1.dir
owner@:rwxpdDaARWcCos:fd----:allow
group@:rwxp----------:fd----:allow
everyone@:--------------:fd----:allow
In this example, a newly created file inherits the ACL that was specified to be inherited by the newly created files.
# cd test1.dir
# touch file.1
# ls -V file.1
-rwxrwx---+ 1 root root 0 Jun 17 10:38 file.1
owner@:rwxpdDaARWcCos:------:allow
group@:rwxp----------:------:allow
everyone@:--------------:------:allow
In this example, a newly created directory inherits both ACEs that control access to this directory as well as ACEs for future propagation to children of the newly created directory.
# mkdir subdir.1
# ls -dV subdir.1
drwxrwx---+ 2 root root 2 Jun 17 10:39 subdir.1
owner@:rwxpdDaARWcCos:fdi---:allow
owner@:rwxpdDaARWcCos:------:allow
group@:rwxp----------:fdi---:allow
group@:rwxp----------:------:allow
everyone@:--------------:fdi---:allow
everyone@:--------------:------:allow
The -di-- and f-i--- entries are for propagating inheritance and are not considered during access control. In this example, a file is created with a trivial ACL in another directory where inherited ACEs are not present.
# cd /tank/cindys
# mkdir test2.dir
# cd test2.dir
# touch file.2
# ls -V file.2
-rw-r--r-- 1 root root 0 Jun 17 10:40 file.2
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allowExample 8-12 ACL Inheritance With the aclinherit Property Set to passthrough-x
When aclinherit property is set to passthrough-x, files are created with the execute (x) permission for owner@, group@, or everyone@, but only if execute permission is set in file creation mode and in an inheritable ACE that affects the mode.
The following example shows how to inherit the execute permission by setting the aclinherit property to passthrough-x.
# zfs set aclinherit=passthrough-x tank/cindys
The following ACL is set on /tank/cindys/test1.dir to provide executable ACL inheritance for files for owner@, group@, and everyone@.
# chmod A=owner@:rwxpcCosRrWaAdD:fd:allow,group@:rwxp:fd:allow,everyone@::fd:allow test1.dir
# ls -Vd test1.dir
drwxrwx---+ 2 root root 2 Jun 17 10:41 test1.dir
owner@:rwxpdDaARWcCos:fd----:allow
group@:rwxp----------:fd----:allow
everyone@:--------------:fd----:allow
A file (file1) is created with requested permissions 0666. The resulting permissions are 0660. The execution permission was not inherited because the creation mode did not request it.
# touch test1.dir/file1
# ls -V test1.dir/file1
-rw-rw----+ 1 root root 0 Jun 17 10:42 test1.dir/file1
owner@:rw-pdDaARWcCos:------:allow
group@:rw-p----------:------:allow
everyone@:--------------:------:allow
Next, an executable called t is generated by using the cc compiler in the testdir directory.
# cc -o t t.c
# ls -V t
-rwxrwx---+ 1 root root 7396 Jun 17 10:50 t
owner@:rwxpdDaARWcCos:------:allow
group@:rwxp----------:------:allow
everyone@:--------------:------:allow
The resulting permissions are 0770 because cc requested permissions 0777, which caused the execute permission to be inherited from the owner@, group@, and everyone@ entries.
|