You can determine how ACLs are inherited or not inherited on files and directories. By default, ACLs are not propagated. If you set a non-trivial ACL on a directory, the ACL is not inherited by any subsequent directory. You must specify the inheritance of an ACL on a file or directory.
The aclinherit property can be set globally on a file system. By default, aclinherit is set to restricted.
For more information, see ACL Inheritance.
Example 7-6 Granting Default ACL InheritanceBy default, ACLs are not propagated through a directory structure.
In the following example, a non-trivial ACE of read_data/write_data/execute is applied for user joe on test.dir.
# chmod A+user:joe:read_data/write_data/execute:allow test.dir # ls -dv test.dir drwxr-xr-x+ 2 root root 2 Jul 20 14:53 test.dir 0:user:joe:list_directory/read_data/add_file/write_data/execute:allow 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 2:group@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow 3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow
If a test.dir subdirectory is created, the ACE for user joe is not propagated. User joe would only have access to sub.dir if the permissions on sub.dir granted him access as the file owner, group member, or everyone@.
# mkdir test.dir/sub.dir # ls -dv test.dir/sub.dir drwxr-xr-x 2 root root 2 Jul 20 14:54 test.dir/sub.dir 0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 1:group@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow 2:everyone@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allowExample 7-7 Granting ACL Inheritance on Files and Directories
This series of examples identify the file and directory ACEs that are applied when the file_inherit flag is set.
In the following example, read_data/write_data permissions are added for files in the test2.dir directory for user joe so that he has read access on any newly created files.
# chmod A+user:joe:read_data/write_data:file_inherit:allow test2.dir # ls -dv test2.dir drwxr-xr-x+ 2 root root 2 Jul 20 14:55 test2.dir 0:user:joe:read_data/write_data:file_inherit:allow 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 2:group@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow 3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow
In the following example, user joe's permissions are applied on the newly created test2.dir/file.2 file. The ACL inheritance granted, read_data:file_inherit:allow, means user joe can read the contents of any newly created file.
# touch test2.dir/file.2 # ls -v test2.dir/file.2 -rw-r--r--+ 1 root root 0 Jul 20 14:56 test2.dir/file.2 0:user:joe:read_data:inherited:allow 1:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize :allow
Because the aclinherit property for this file system is set to the default mode, restricted, user joe does not have write_data permission on file.2 because the group permission of the file does not allow it.
Note the inherit_only permission, which is applied when the file_inherit or dir_inherit flags are set, is used to propagate the ACL through the directory structure. As such, user joe is only granted or denied permission from everyone@ permissions unless he is the file owner or is a member of the file's group owner. For example:
# mkdir test2.dir/subdir.2 # ls -dv test2.dir/subdir.2 drwxr-xr-x+ 2 root root 2 Jul 20 14:57 test2.dir/subdir.2 0:user:joe:list_directory/read_data/add_file/write_data:file_inherit /inherit_only/inherited:allow 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 2:group@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow 3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow
The following series of examples identify the file and directory ACLs that are applied when both the file_inherit and dir_inherit flags are set.
In the following example, user joe is granted read, write, and execute permissions that are inherited for newly created files and directories.
# chmod A+user:joe:read_data/write_data/execute:file_inherit/dir_inherit:allow test3.dir # ls -dv test3.dir drwxr-xr-x+ 2 root root 2 Jul 20 15:00 test3.dir 0:user:joe:list_directory/read_data/add_file/write_data/execute :file_inherit/dir_inherit:allow 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 2:group@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow 3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow
The inherited text in the output below is an informational message that indicates that the ACE is inherited.
# touch test3.dir/file.3 # ls -v test3.dir/file.3 -rw-r--r--+ 1 root root 0 Jul 20 15:01 test3.dir/file.3 0:user:joe:read_data:inherited:allow 1:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize :allow
# touch test3.dir/file.3 # ls -v test3.dir/file.3 -rw-r--r--+ 1 root root 0 Jun 23 15:25 test3.dir/file.3 0:user:joe:read_data:allow 1:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize :allow
# mkdir test3.dir/subdir.1 # ls -dv test3.dir/subdir.1 drwxr-xr-x+ 2 root root 2 Jun 23 15:26 test3.dir/subdir.1 0:user:joe:list_directory/read_data/execute:file_inherit/dir_inherit :allow 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/read_attributes /write_attributes/read_acl/write_acl/write_owner/synchronize:allow 2:group@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow 3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow
In the above examples, because the permission bits of the parent directory for group@ and everyone@ deny write and execute permissions, user joe is denied write and execute permissions. The default aclinherit property is restricted, which means that write_data and execute permissions are not inherited.
In the following example, user joe is granted read, write, and execute permissions that are inherited for newly created files, but are not propagated to subsequent contents of the directory.
# chmod A+user:joe:read_data/write_data/execute:file_inherit/no_propagate:allow test4.dir # ls -dv test4.dir drwxr--r--+ 2 root root 2 Mar 1 12:11 test4.dir 0:user:joe:list_directory/read_data/add_file/write_data/execute :file_inherit/no_propagate:allow 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 2:group@:list_directory/read_data/read_xattr/read_attributes/read_acl /synchronize:allow 3:everyone@:list_directory/read_data/read_xattr/read_attributes/read_acl /synchronize:allow
As the following example illustrates, joe's read_data/write_data/execute permissions are reduced based on the owning group's permissions.
# touch test4.dir/file.4 # ls -v test4.dir/file.4 -rw-r--r--+ 1 root root 0 Jul 20 15:09 test4.dir/file.4 0:user:joe:read_data:inherited:allow 1:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize :allowExample 7-8 ACL Inheritance With ACL Inherit Mode Set to Pass Through
If the aclinherit property on the tank/cindy file system is set to passthrough, then user joe would inherit the ACL applied on test4.dir for the newly created file.5 as follows:
# zfs set aclinherit=passthrough tank/cindy # touch test4.dir/file.5 # ls -v test4.dir/file.5 -rw-r--r--+ 1 root root 0 Jul 20 14:16 test4.dir/file.5 0:user:joe:read_data/write_data/execute:inherited:allow 1:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize :allowExample 7-9 ACL Inheritance With ACL Inherit Mode Set to Discard
If the aclinherit property on a file system is set to discard, then ACLs can potentially be discarded when the permission bits on a directory change. For example:
# zfs set aclinherit=discard tank/cindy # chmod A+user:joe:read_data/write_data/execute:dir_inherit:allow test5.dir # ls -dv test5.dir drwxr-xr-x+ 2 root root 2 Jul 20 14:18 test5.dir 0:user:joe:list_directory/read_data/add_file/write_data/execute :dir_inherit:allow 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 2:group@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow 3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow
If, at a later time, you decide to tighten the permission bits on a directory, the non-trivial ACL is discarded. For example:
# chmod 744 test5.dir # ls -dv test5.dir drwxr--r-- 2 root root 2 Jul 20 14:18 test5.dir 0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 1:group@:list_directory/read_data/read_xattr/read_attributes/read_acl /synchronize:allow 2:everyone@:list_directory/read_data/read_xattr/read_attributes/read_acl /synchronize:allowExample 7-10 ACL Inheritance With ACL Inherit Mode Set to Noallow
In the following example, two non-trivial ACLs with file inheritance are set. One ACL allows read_data permission, and one ACL denies read_data permission. This example also illustrates how you can specify two ACEs in the same chmod command.
# zfs set aclinherit=noallow tank/cindy # chmod A+user:joe:read_data:file_inherit:deny,user:lp:read_data:file_inherit:allow test6.dir # ls -dv test6.dir drwxr-xr-x+ 2 root root 2 Jul 20 14:22 test6.dir 0:user:joe:read_data:file_inherit:deny 1:user:lp:read_data:file_inherit:allow 2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 3:group@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow 4:everyone@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow
As the following example shows, when a new file is created, the ACL that allows read_data permission is discarded.
# touch test6.dir/file.6 # ls -v test6.dir/file.6 -rw-r--r--+ 1 root root 0 Jul 20 14:23 test6.dir/file.6 0:user:joe:read_data:inherited:deny 1:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize :allow