Solaris ZFS Administration Guide

Syntax Descriptions for Setting ACLs

Two basic ACL formats are provided as follows:

Syntax for Setting Trivial ACLs

chmod [options] A[index]{+|=}owner@ |group@ |everyone@:access-permissions/...[:inheritance-flags]:deny | allow file

chmod [options] A-owner@, group@, everyone@:access-permissions/...[:inheritance-flags]:deny | allow file ...

chmod [options] A[index]- file

Syntax for Setting Non-Trivial ACLs

chmod [options] A[index]{+|=}user|group:name:access-permissions/...[:inheritance-flags]:deny | allow file

chmod [options] A-user|group:name:access-permissions/...[:inheritance-flags]:deny | allow file ...

chmod [options] A[index]- file

owner@, group@, everyone@

Identifies the ACL-entry-type for trivial ACL syntax. For a description of ACL-entry-types, see Table 8–1.

user or group:ACL-entry-ID=username or groupname

Identifies the ACL-entry-type for explicit ACL syntax. The user and group ACL-entry-type must also contain the ACL-entry-ID, username or groupname. For a description of ACL-entry-types, see Table 8–1.


Identifies the access permissions that are granted or denied. For a description of ACL access privileges, see Table 8–2.


Identifies an optional list of ACL inheritance flags. For a description of the ACL inheritance flags, see Table 8–3.

deny | allow

Identifies whether the access permissions are granted or denied.

In the following example, the ACL-entry-ID value is not relevant.


The following example includes an ACL-entry-ID because a specific user (ACL-entry-type) is included in the ACL.


When an ACL entry is displayed, it looks similar to the following:


The 2 or the index-ID designation in this example identifies the ACL entry in the larger ACL, which might have multiple entries for owner, specific UIDs, group, and everyone. You can specify the index-ID with the chmod command to identify which part of the ACL you want to modify. For example, you can identify index ID 3 as A3 to the chmod command, similar to the following:

chmod A3=user:venkman:read_acl:allow filename

ACL entry types, which are the ACL representations of owner, group, and other, are described in the following table.

Table 8–1 ACL Entry Types

ACL Entry Type 



Specifies the access granted to the owner of the object. 


Specifies the access granted to the owning group of the object. 


Specifies the access granted to any user or group that does not match any other ACL entry. 


With a user name, specifies the access granted to an additional user of the object. Must include the ACL-entry-ID, which contains a username or userID. If the value is not a valid numeric UID or username, the ACL entry type is invalid.


With a group name, specifies the access granted to an additional group of the object. Must include the ACL-entry-ID, which contains a groupname or groupID. If the value is not a valid numeric GID or groupname, the ACL entry type is invalid.

ACL access privileges are described in the following table.

Table 8–2 ACL Access Privileges

Access Privilege 

Compact Access Privilege 



Permission to add a new file to a directory. 


On a directory, permission to create a subdirectory. 


Placeholder. Not currently implemented. 


Permission to delete a file. 


Permission to delete a file or directory within a directory. 


Permission to execute a file or search the contents of a directory. 


Permission to list the contents of a directory. 


Permission to read the ACL (ls).


Permission to read basic attributes (non-ACLs) of a file. Think of basic attributes as the stat level attributes. Allowing this access mask bit means the entity can execute ls(1) and stat(2).


Permission to read the contents of the file. 


Permission to read the extended attributes of a file or perform a lookup in the file's extended attributes directory. 


Placeholder. Not currently implemented. 


Permission to create extended attributes or write to the extended attributes directory. 

Granting this permission to a user means that the user can create an extended attribute directory for a file. The attribute file's permissions control the user's access to the attribute. 


Permission to modify or replace the contents of a file. 


Permission to change the times associated with a file or directory to an arbitrary value. 


Permission to write the ACL or the ability to modify the ACL by using the chmod command.


Permission to change the file's owner or group. Or, the ability to execute the chown or chgrp commands on the file.

Permission to take ownership of a file or permission to change the group ownership of the file to a group of which the user is a member. If you want to change the file or group ownership to an arbitrary user or group, then the PRIV_FILE_CHOWN privilege is required.


The following ACL combinations can be applied in an ACL set rather than setting individual permissions separately. The following ACL sets are available.

ACL Set Name 

Included ACL Permissions 


All permissions 


all permissions except write_acl and write_owner


read_data, read_attributes, read_xattr, and read_acl


write_data, append_data, write_attributes, and write_xattr

These ACL sets are prefined and cannot be modified.