Setting and Displaying ACLs on ZFS Files in Compact Format
You can set and display permissions on ZFS files in a compact format that uses 14 unique letters to represent the permissions. The letters that represent the compact permissions are listed in Table 8–2 and Table 8–3.
You can display compact ACL listings for files and directories by using the ls -V command. For example:
# ls -V file.1
-rw-r--r-- 1 root root 206674 Jul 29 10:27 file.1
owner@:--x-----------:-------:deny
owner@:rw-p---A-W-Co-:-------:allow
group@:-wxp----------:-------:deny
group@:r-------------:-------:allow
everyone@:-wxp---A-W-Co-:-------:deny
everyone@:r-----a-R-c--s:-------:allow
|
The compact ACL output is described as follows:
- owner@
-
The owner is denied execute permissions to the file (x=execute).
- owner@
-
The owner can read and modify the contents of the file (rw=read_data/write_data), (p=append_data). The owner can also modify the file's attributes such as timestamps, extended attributes, and ACLs (A=write_xattr, W=write_attributes, C=write_acl). In addition, the owner can modify the ownership of the file (o=write_owner).
- group@
-
The group is denied modify and execute permissions to the file (write_data, p=append_data, and x=execute).
- group@
-
The group is granted read permissions to the file (r=read_data).
- everyone@
-
Everyone who is not user or group is denied permission to execute or modify the contents of the file, and to modify any attributes of the file (w=write_data, x=execute, p=append_data, A=write_xattr, W=write_attributes, C=write_acl, and o=write_owner).
- everyone@
-
Everyone who is not user or group is granted read permissions to the file and the file's attributes (r=read_data, a=append_data, R=read_xattr, c=read_acl, and s=synchronize). The synchronize access permission is not currently implemented.
Compact ACL format provides the following advantages over verbose ACL format:
-
Permissions can be specified as positional arguments to the chmod command.
-
The hyphen (-) characters, which identify no permissions, can be removed and only the required letters need to be specified.
-
Both permissions and inheritance flags are set in the same fashion.
For information about using the verbose ACL format, see Setting and Displaying ACLs on ZFS Files in Verbose Format.
Example 8–11 Setting and Displaying ACLs in Compact Format
In the following example, a trivial ACL exists on file.1:
# ls -V file.1
-rw-r--r-- 1 root root 206674 Jul 29 10:27 file.1
owner@:--x-----------:-------:deny
owner@:rw-p---A-W-Co-:-------:allow
group@:-wxp----------:-------:deny
group@:r-------------:-------:allow
everyone@:-wxp---A-W-Co-:-------:deny
everyone@:r-----a-R-c--s:-------:allow
|
In this example, read_data/execute permissions are added for the user gozer on file.1.
# chmod A+user:gozer:rx:allow file.1
# ls -V file.1
-rw-r--r--+ 1 root root 206674 Jul 29 10:27 file.1
user:gozer:r-x-----------:-------:allow
owner@:--x-----------:-------:deny
owner@:rw-p---A-W-Co-:-------:allow
group@:-wxp----------:-------:deny
group@:r-------------:-------:allow
everyone@:-wxp---A-W-Co-:-------:deny
everyone@:r-----a-R-c--s:-------:allow
|
Another way to add the same permissions for user gozer is to insert a new ACL at a specific position, 4, for example. As such, the existing ACLs at positions 4–6 are pushed down. For example:
# chmod A4+user:gozer:rx:allow file.1
# ls -V file.1
-rw-r--r--+ 1 root root 206674 Jul 29 10:27 file.1
user:gozer:r-x-----------:-------:allow
owner@:--x-----------:-------:deny
owner@:rw-p---A-W-Co-:-------:allow
group@:-wxp----------:-------:deny
user:gozer:r-x-----------:-------:allow
group@:r-------------:-------:allow
everyone@:-wxp---A-W-Co-:-------:deny
everyone@:r-----a-R-c--s:-------:allow
|
In the following example, user gozer is granted read, write, and execute permissions that are inherited for newly created files and directories by using the compact ACL format.
# chmod A+user:gozer:rwx:fd:allow dir.2
# ls -dV dir.2
drwxr-xr-x+ 2 root root 2 Jul 29 10:44 dir.2
user:gozer:rwx-----------:fd-----:allow
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow
|
You can also cut and paste permissions and inheritance flags from the ls -V output into the compact chmod format. For example, to duplicate the permissions and inheritance flags on dir.2 for user gozer to user cindys on dir.2, copy and paste the permission and inheritance flags (rwx-----------:f------:allow) into your chmod command. For example:
# chmod A+user:cindys:rwx-----------:fd----:allow dir.2
# ls -dV dir.2
drwxr-xr-x+ 2 root root 2 Jul 29 10:44 dir.2
user:cindys:rwx-----------:fd-----:allow
user:gozer:rwx-----------:fd-----:allow
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow
|
Example 8–12 ACL Inheritance With ACL Inherit Mode Set to Pass Through
A file system that has the aclinherit property set to passthrough inherits all inheritable ACL entries without any modifications made to the ACL entries when they are inherited. When this property is set to passthrough, files are created with a permission mode that is determined by the inheritable ACEs. If no inheritable ACEs exist that affect the permission mode, then the permission mode is set in accordance to the requested mode from the application.
The following examples use compact ACL syntax to show how to inherit permission bits by setting aclinherit mode to passthrough.
In this example, an ACL is set on test1.dir to force inheritance. The syntax creates an owner@, group@, and everyone@ ACL entry for newly created files. Newly created directories inherit an @owner, group@, and everyone@ ACL entry. Additionally, directories inherit 6 other ACEs that propagate the ACEs to newly created directories and files.
# zfs set aclinherit=passthrough tank/cindys # pwd /tank/cindys # mkdir test1.dir |
# chmod A=owner@:rwxpcCosRrWaAdD:fd:allow,group@:rwxp:fd:allow,everyone@::fd:allow
test1.dir
# ls -Vd test1.dir
drwxrwx---+ 2 root root 2 Jun 20 15:26 test1.dir
owner@:rwxpdDaARWcCos:fd-----:allow
group@:rwxp----------:fd-----:allow
everyone@:--------------:fd-----:allow
|
In this example, a newly created file inherits the ACL that was specified to be inherited to newly created files.
# cd test1.dir
# touch file.1
# ls -V file.1
-rwxrwx---+ 1 root root 0 Jun 23 09:38 file.1
owner@:rwxpdDaARWcCos:------I:allow
group@:rwxp----------:------I:allow
everyone@:--------------:------I:allow
|
In this example, a newly created directory inherits both ACEs that control access to this directory as well as ACEs for future propagation to children of the newly created directory.
# mkdir subdir.1
# ls -dV subdir.1
drwxrwx---+ 2 root root 2 Jun 23 09:41 subdir.1
owner@:rwxpdDaARWcCos:fdi---I:allow
owner@:rwxpdDaARWcCos:------I:allow
group@:rwxp----------:fdi---I:allow
group@:rwxp----------:------I:allow
everyone@:--------------:fdi---I:allow
everyone@:--------------:------I:allow
|
The -di-- and f-i--- entries are for propagating inheritance and are not considered during access control. In this example, a file is created with a trivial ACL in another directory where inherited ACEs are not present.
# cd /tank/cindys
# mkdir test2.dir
# cd test2.dir
# touch file.2
# ls -V file.2
-rw-r--r-- 1 root root 0 Jun 23 09:50 file.2
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
|
Example 8–13 ACL Inheritance With ACL Inherit Mode Set to Pass Through-X
When aclinherit=passthrough-x is enabled, files are created with the execute (x) permission for owner@, group@, or everyone@, but only if execute permission is set in the file creation mode and in an inheritable ACE that affects the mode.
The following example shows how to inherit the execute permission by setting aclinherit mode to passthrough-x.
# zfs set aclinherit=passthrough-x tank/cindys |
The following ACL is set on /tank/cindys/test1.dir to provide executable ACL inheritance for files for owner@,
# chmod A=owner@:rwxpcCosRrWaAdD:fd:allow,group@:rwxp:fd:allow,everyone@::fd:allow test1.dir
# ls -Vd test1.dir
drwxrwx---+ 2 root root 2 Dec 3 15:16 test1.dir
owner@:rwxpdDaARWcCos:fd-----:allow
group@:rwxp----------:fd-----:allow
everyone@:--------------:fd-----:allow
|
A file (file1) is created with requested permissions 0666. The resulting permissions are 0660. The execution permission was not inherited because the creation mode did not request it.
# touch test1.dir/file1
# ls -V test1.dir/file1
-rw-rw----+ 1 root root 0 Dec 3 15:17 file.1
owner@:rw-pdDaARWcCos:------I:allow
group@:rw-p----------:------I:allow
everyone@:--------------:------I:allow
|
Next, an executable called t is generated by using the cc compiler in the testdir directory.
# cc -o t t.c
# ls -V t
-rwxrwx---+ 1 root root 7396 Dec 3 15:19 t
owner@:rwxpdDaARWcCos:------I:allow
group@:rwxp----------:------I:allow
everyone@:--------------:------I:allow
|
# cc -o t t.c
# ls -V t
-rwxrwx---+ 1 root root 7396 Dec 3 15:19 t
owner@:rwxpdDaARWcCos:------:allow
group@:rwxp----------:------:allow
everyone@:--------------:------:allow
|
The resulting permissions are 0770 because cc requested permissions 0777, which caused the execute permission to be inherited from the owner@, group@, and everyone@ entries.
- © 2010, Oracle Corporation and/or its affiliates