Skip Navigation Links | |
Exit Print View | |
Oracle Solaris ZFS Administration Guide Oracle Solaris 10 8/11 Information Library |
1. Oracle Solaris ZFS File System (Introduction)
2. Getting Started With Oracle Solaris ZFS
3. Oracle Solaris ZFS and Traditional File System Differences
4. Managing Oracle Solaris ZFS Storage Pools
5. Installing and Booting an Oracle Solaris ZFS Root File System
6. Managing Oracle Solaris ZFS File Systems
7. Working With Oracle Solaris ZFS Snapshots and Clones
8. Using ACLs and Attributes to Protect Oracle Solaris ZFS Files
Syntax Descriptions for Setting ACLs
Setting and Displaying ACLs on ZFS Files in Verbose Format
Setting ACL Inheritance on ZFS Files in Verbose Format
9. Oracle Solaris ZFS Delegated Administration
10. Oracle Solaris ZFS Advanced Topics
11. Oracle Solaris ZFS Troubleshooting and Pool Recovery
12. Recommended Oracle Solaris ZFS Practices
You can set and display permissions on ZFS files in a compact format that uses 14 unique letters to represent the permissions. The letters that represent the compact permissions are listed in Table 8-2 and Table 8-3.
You can display compact ACL listings for files and directories by using the ls -V command. For example:
# ls -V file.1 -rw-r--r-- 1 root root 206663 Jun 23 15:06 file.1 owner@:rw-p--aARWcCos:------:allow group@:r-----a-R-c--s:------:allow everyone@:r-----a-R-c--s:------:allow
The compact ACL output is described as follows:
The owner can read and modify the contents of the file (rw=read_data/write_data), (p=append_data). The owner can also modify the file's attributes such as timestamps, extended attributes, and ACLs (a=read_attributes, W=write_xattr, R=read_xattr, A=write_attributes, c=read_acl, C=write_acl). In addition, the owner can modify the ownership of the file (o=write_owner).
The synchronize access permission is not currently implemented.
The group is granted read permissions to the file (r=read_data) and the file's attributes (a=read_attributes, R=read_xattr, c=read_acl).
The synchronize access permission is not currently implemented.
Everyone who is not user or group is granted read permissions to the file and the file's attributes (r=read_data, a=append_data, R=read_xattr, c=read_acl, and s=synchronize).
The synchronize access permission is not currently implemented.
Compact ACL format provides the following advantages over verbose ACL format:
Permissions can be specified as positional arguments to the chmod command.
The hyphen (-) characters, which identify no permissions, can be removed and only the required letters need to be specified.
Both permissions and inheritance flags are set in the same fashion.
For information about using the verbose ACL format, see Setting and Displaying ACLs on ZFS Files in Verbose Format.
Example 8-10 Setting and Displaying ACLs in Compact Format
In the following example, a trivial ACL exists on file.1:
# ls -V file.1 -rw-r--r-- 1 root root 206663 Jun 23 15:06 file.1 owner@:rw-p--aARWcCos:------:allow group@:r-----a-R-c--s:------:allow everyone@:r-----a-R-c--s:------:allow
In this example, read_data/execute permissions are added for the user gozer on file.1.
# chmod A+user:gozer:rx:allow file.1 # ls -V file.1 -rw-r--r--+ 1 root root 206663 Jun 23 15:06 file.1 user:gozer:r-x-----------:------:allow owner@:rw-p--aARWcCos:------:allow group@:r-----a-R-c--s:------:allow everyone@:r-----a-R-c--s:------:allow
In the following example, user gozer is granted read, write, and execute permissions that are inherited for newly created files and directories by using the compact ACL format.
# chmod A+user:gozer:rwx:fd:allow dir.2 # ls -dV dir.2 drwxr-xr-x+ 2 root root 2 Jun 23 16:04 dir.2 user:gozer:rwx-----------:fd----:allow owner@:rwxp--aARWcCos:------:allow group@:r-x---a-R-c--s:------:allow everyone@:r-x---a-R-c--s:------:allow
You can also cut and paste permissions and inheritance flags from the ls -V output into the compact chmod format. For example, to duplicate the permissions and inheritance flags on dir.2 for user gozer to user cindy on dir.2, copy and paste the permission and inheritance flags (rwx-----------:fd----:allow) into your chmod command. For example:
# chmod A+user:cindy:rwx-----------:fd----:allow dir.2 # ls -dV dir.2 drwxr-xr-x+ 2 root root 2 Jun 23 16:04 dir.2 user:cindy:rwx-----------:fd----:allow user:gozer:rwx-----------:fd----:allow owner@:rwxp--aARWcCos:------:allow group@:r-x---a-R-c--s:------:allow everyone@:r-x---a-R-c--s:------:allow
Example 8-11 ACL Inheritance With ACL Inherit Mode Set to Pass Through
A file system that has the aclinherit property set to passthrough inherits all inheritable ACL entries without any modifications made to the ACL entries when they are inherited. When this property is set to passthrough, files are created with a permission mode that is determined by the inheritable ACEs. If no inheritable ACEs exist that affect the permission mode, then the permission mode is set in accordance to the requested mode from the application.
The following examples use compact ACL syntax to show how to inherit permission bits by setting aclinherit mode to passthrough.
In this example, an ACL is set on test1.dir to force inheritance. The syntax creates an owner@, group@, and everyone@ ACL entry for newly created files. Newly created directories inherit an @owner, group@, and everyone@ ACL entry.
# zfs set aclinherit=passthrough tank/cindy # pwd /tank/cindy # mkdir test1.dir
# chmod A=owner@:rwxpcCosRrWaAdD:fd:allow,group@:rwxp:fd:allow,everyone@::fd:allow test1.dir # ls -Vd test1.dir drwxrwx---+ 2 root root 2 Jun 23 16:10 test1.dir owner@:rwxpdDaARWcCos:fd----:allow group@:rwxp----------:fd----:allow everyone@:--------------:fd----:allow
In this example, a newly created file inherits the ACL that was specified to be inherited to newly created files.
# cd test1.dir # touch file.1 # ls -V file.1 -rwxrwx---+ 1 root root 0 Jun 23 16:11 file.1 owner@:rwxpdDaARWcCos:------:allow group@:rwxp----------:------:allow everyone@:--------------:------:allow
In this example, a newly created directory inherits both ACEs that control access to this directory as well as ACEs for future propagation to children of the newly created directory.
# mkdir subdir.1 # ls -dV subdir.1 drwxrwx---+ 2 root root 2 Jun 23 16:13 subdir.1 owner@:rwxpdDaARWcCos:fd----:allow group@:rwxp----------:fd----:allow everyone@:--------------:fd----:allow
The fd---- entries are for propagating inheritance and are not considered during access control. In this example, a file is created with a trivial ACL in another directory where inherited ACEs are not present.
# cd /tank/cindy # mkdir test2.dir # cd test2.dir # touch file.2 # ls -V file.2 -rw-r--r-- 1 root root 0 Jun 23 16:15 file.2 owner@:rw-p--aARWcCos:------:allow group@:r-----a-R-c--s:------:allow everyone@:r-----a-R-c--s:------:allow
Example 8-12 ACL Inheritance With ACL Inherit Mode Set to Pass Through-X
When aclinherit=passthrough-x is enabled, files are created with the execute (x) permission for owner@, group@, or everyone@, but only if execute permission is set in the file creation mode and in an inheritable ACE that affects the mode.
The following example shows how to inherit the execute permission by setting aclinherit mode to passthrough-x.
# zfs set aclinherit=passthrough-x tank/cindy
The following ACL is set on /tank/cindy/test1.dir to provide executable ACL inheritance for files for owner@.
# chmod A=owner@:rwxpcCosRrWaAdD:fd:allow,group@:rwxp:fd:allow,everyone@::fd:allow test1.dir # ls -Vd test1.dir drwxrwx---+ 2 root root 2 Jun 23 16:17 test1.dir owner@:rwxpdDaARWcCos:fd----:allow group@:rwxp----------:fd----:allow everyone@:--------------:fd----:allow
A file (file1) is created with requested permissions 0666. The resulting permissions are 0660. The execution permission was not inherited because the creation mode did not request it.
# touch test1.dir/file1 # ls -V test1.dir/file1 -rw-rw----+ 1 root root 0 Jun 23 16:18 test1.dir/file1 owner@:rw-pdDaARWcCos:------:allow group@:rw-p----------:------:allow everyone@:--------------:------:allow
Next, an executable called t is generated by using the cc compiler in the testdir directory.
# cc -o t t.c # ls -V t -rwxrwx---+ 1 root root 7396 Dec 3 15:19 t owner@:rwxpdDaARWcCos:------:allow group@:rwxp----------:------:allow everyone@:--------------:------:allow
The resulting permissions are 0770 because cc requested permissions 0777, which caused the execute permission to be inherited from the owner@, group@, and everyone@ entries.