A ZFS file system has two properties related to ACLs.
aclinherit – This property determines the behavior of ACL inheritance. Values include the following:
discard – For new objects, no ACL entries are inherited when a file or directory is created. The ACL on the new file or directory is equal to the permissions of the file or directory.
noallow – For new objects, only inheritable ACL entries that have an access type of deny are inherited.
restricted – For new objects, the write_owner and write_acl permissions are removed when an ACL entry is inherited.
passthrough – When the property value is set to passthrough, files are created with permissions determined by the inheritable ACEs. If no inheritable ACEs exist that affect the permissions, then the permissions are set in accordance with the requested permissions from the application.
passthrough-x – This property value has the same semantics as passthrough, except that when passthrough-x is enabled, files are created with the execute (x) permission, but only if the execute permission is set in the file creation mode and in an inheritable ACE that affects the mode.
The default value for the aclinherit property is restricted.
aclmode – This property modifies ACL behavior when a file is initially created or whenever a file or directory's permissions are modified by the chmod command. Values include the following:
discard – All ACL entries are removed except for the entries needed to define the mode of the file or directory.
groupmask – User or group ACL permissions are reduced so that they are no greater than the group permissions, unless it is a user entry that has the same UID as the owner of the file or directory. Then, the ACL permissions are reduced so that they are no greater than the owner permissions.
passthrough – During a chmod operation, ACEs other than owner@, group@, or everyone@ are not modified in any way. ACEs with owner@, group@, or everyone@ are disabled to set the file mode as requested by the chmod operation.
The default value for the aclmode property is groupmask.
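The following shell function is an added example, not part of the original documentation. It reads the tab-separated output of zfs get -H -o name,property,value aclinherit,aclmode and reports every dataset whose setting differs from the defaults stated above or falls outside the values listed above. The pool and dataset names in the sample input are constructed.

```shell
#!/bin/sh
# Added example: audit aclinherit/aclmode settings against the defaults
# given in the text (aclinherit=restricted, aclmode=groupmask).
# Input on stdin: name<TAB>property<TAB>value, one property per line.
audit_acl_props() {
    awk -F '\t' '
        BEGIN {
            def["aclinherit"] = "restricted"
            ok["aclinherit"]  = " discard noallow restricted passthrough passthrough-x "
            def["aclmode"]    = "groupmask"
            ok["aclmode"]     = " discard groupmask passthrough "
        }
        # Anything that is not a 3-field line for one of the two properties.
        NF != 3 || !($2 in def) { printf "SKIP line %d: unexpected format\n", NR; next }
        # A value that is not in the list documented for that property.
        index(ok[$2], " " $3 " ") == 0 { printf "UNKNOWN %s %s=%s\n", $1, $2, $3; next }
        # A documented value that is not the default: worth a review.
        $3 != def[$2] { printf "NONDEFAULT %s %s=%s (default %s)\n", $1, $2, $3, def[$2] }
    '
}

# Constructed sample input (hypothetical pool "tank" and datasets).
sample_zfs_get() {
    printf 'tank/home\taclinherit\trestricted\n'
    printf 'tank/home\taclmode\tgroupmask\n'
    printf 'tank/share\taclinherit\tpassthrough\n'
    printf 'tank/share\taclmode\tpassthrough\n'
    printf 'tank/build\taclinherit\tpassthrough-x\n'
    printf 'tank/build\taclmode\tgroupmask\n'
}

# On a live system, replace sample_zfs_get with:
#   zfs get -H -o name,property,value aclinherit,aclmode
sample_zfs_get | audit_acl_props
```

Datasets reported as NONDEFAULT for aclinherit are the ones where inherited entries are not subject to the removal of write_owner and write_acl that the restricted value applies.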