You can use the chmod command to modify ACLs on ZFS files. The following chmod syntax for modifying ACLs uses acl-specification to identify the format of the ACL. For a description of acl-specification, see Syntax Descriptions for Setting ACLs.
Adding ACL entries
Adding an ACL entry for a user
% chmod A+acl-specification filename
Adding an ACL entry by index-ID
% chmod Aindex-ID+acl-specification filename
This syntax inserts the new ACL entry at the specified index-ID location.
Replacing an ACL entry
% chmod A=acl-specification filename
% chmod Aindex-ID=acl-specification filename
Removing ACL entries
Removing an ACL entry by index-ID
% chmod Aindex-ID- filename
Removing an ACL entry by user
% chmod A-acl-specification filename
Removing all non-trivial ACEs from a file
% chmod A- filename
Verbose ACL information is displayed by using the ls –v command. For example:
# ls -v file.1 -rw-r--r-- 1 root root 206695 Jul 20 13:43 file.1 0:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 1:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 2:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize :allow
For information about using the compact ACL format, see Setting and Displaying ACLs on ZFS Files in Compact Format.
Example 7-1 Modifying Trivial ACLs on ZFS FilesThis section provides examples of setting and displaying trivial ACLs, which means only the traditional UNIX entries, user, group, and other are included in the ACL.
In the following example, a trivial ACL exists on file.1:
# ls -v file.1 -rw-r--r-- 1 root root 206695 Jul 20 13:43 file.1 0:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 1:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 2:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize :allow
In the following example, write_data permissions are granted for group@.
# chmod A1=group@:read_data/write_data:allow file.1 # ls -v file.1 -rw-rw-r-- 1 root root 206695 Jul 20 13:43 file.1 0:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 1:group@:read_data/write_data:allow 2:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize :allow
In the following example, permissions on file.1 are set back to 644.
# chmod 644 file.1 # ls -v file.1 -rw-r--r-- 1 root root 206695 Jul 20 13:43 file.1 0:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 1:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 2:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize :allowExample 7-2 Setting Non-Trivial ACLs on ZFS Files
This section provides examples of setting and displaying non-trivial ACLs.
In the following example, read_data/execute permissions are added for the user joe on the test.dir directory.
# chmod A+user:joe:read_data/execute:allow test.dir # ls -dv test.dir drwxr-xr-x+ 2 root root 2 Jul 20 14:23 test.dir 0:user:joe:list_directory/read_data/execute:allow 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 2:group@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow 3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow
In the following example, read_data/execute permissions are removed for user joe.
# chmod A0- test.dir # ls -dv test.dir drwxr-xr-x 2 root root 2 Jul 20 14:23 test.dir 0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 1:group@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow 2:everyone@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allowExample 7-3 ACL Interaction With Permissions on ZFS Files
The following ACL examples illustrate the interaction between setting ACLs and then changing the file or directory's permission bits.
In the following example, a trivial ACL exists on file.2:
# ls -v file.2 -rw-r--r-- 1 root root 2693 Jul 20 14:26 file.2 0:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 1:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 2:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize :allow
In the following example, ACL allow permissions are removed from everyone@.
# chmod A2- file.2 # ls -v file.2 -rw-r----- 1 root root 2693 Jul 20 14:26 file.2 0:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 1:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
In this output, the file's permission bits are reset from 644 to 640. Read permissions for everyone@ have been effectively removed from the file's permissions bits when the ACL allow permissions are removed for everyone@.
In the following example, the existing ACL is replaced with read_data/write_data permissions for everyone@.
# chmod A=everyone@:read_data/write_data:allow file.3 # ls -v file.3 -rw-rw-rw- 1 root root 2440 Jul 20 14:28 file.3 0:everyone@:read_data/write_data:allow
In this output, the chmod syntax effectively replaces the existing ACL with read_data/write_data:allow permissions to read/write permissions for owner, group, and everyone@. In this model, everyone@ specifies access to any user or group. Since no owner@ or group@ ACL entry exists to override the permissions for owner and group, the permission bits are set to 666.
In the following example, the existing ACL is replaced with read permissions for user joe.
# chmod A=user:joe:read_data:allow file.3 # ls -v file.3 ----------+ 1 root root 2440 Jul 20 14:28 file.3 0:user:joe:read_data:allow
In this output, the file permissions are computed to be 000 because no ACL entries exist for owner@, group@, or everyone@, which represent the traditional permission components of a file. The owner of the file can resolve this problem by resetting the permissions (and the ACL) as follows:
# chmod 655 file.3 # ls -v file.3 -rw-r-xr-x 1 root root 2440 Jul 20 14:28 file.3 0:owner@:execute:deny 1:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 2:group@:read_data/read_xattr/execute/read_attributes/read_acl /synchronize:allow 3:everyone@:read_data/read_xattr/execute/read_attributes/read_acl /synchronize:allowExample 7-4 Restoring Trivial ACLs on ZFS Files
You can use the chmod command to remove all non-trivial ACLs on a file or directory.
In the following example, two non-trivial ACEs exist on test5.dir.
# ls -dv test5.dir drwxr-xr-x+ 2 root root 2 Jul 20 14:32 test5.dir 0:user:lp:read_data:file_inherit:deny 1:user:joe:read_data:file_inherit:deny 2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 3:group@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow 4:everyone@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow
In the following example, the non-trivial ACLs for users joe and lp are removed. The remaining ACL contains the default values for owner@, group@, and everyone@.
# chmod A- test5.dir # ls -dv test5.dir drwxr-xr-x 2 root root 2 Jul 20 14:32 test5.dir 0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 1:group@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow 2:everyone@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allowExample 7-5 Applying an ACL Set to ZFS Files
ACL sets are available so that you do not have to apply ACL permissions separately. For a description of ACL sets, see ZFS ACL Sets.
For example, you can apply the read_set as follows:
# chmod A+user:bob:read_set:allow file.1 # ls -v file.1 -r--r--r--+ 1 root root 206695 Jul 20 13:43 file.1 0:user:bob:read_data/read_xattr/read_attributes/read_acl:allow 1:owner@:read_data/read_xattr/write_xattr/read_attributes /write_attributes/read_acl/write_acl/write_owner/synchronize:allow 2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize :allow
You can apply the write_set and read_set as follows:
# chmod A+user:bob:read_set/write_set:allow file.2 # ls -v file.2 -rw-r--r--+ 1 root root 2693 Jul 20 14:26 file.2 0:user:bob:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl:allow 1:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize :allow