The aclmode property that determines how the ACL permissions on a file are modified during a chmod operation is reintroduced in this release. The aclmode values are discard, mask, and passthrough. The discard default value is the most restrictive, and the passthrough value is the least restrictive.
Example 9-3 ACL Interaction With chmod Operations on ZFS FilesThe following examples illustrate how specific aclmode and aclinherit property values influence the interaction of existing ACLs with a chmod operation that either reduces or expands any existing ACL permissions to be consistent with the ownership of a group.
In this example, the aclmode property is set to mask and the aclinherit property is set to restricted. The ACL permissions in this example are displayed in compact mode, which more easily illustrates changing permissions.
The original file and group ownership and ACL permissions are as follows:
# zfs set aclmode=mask pond/whoville # zfs set aclinherit=restricted pond/whoville # ls -lV file.1 -rwxrwx---+ 1 root root 206695 Aug 30 16:03 file.1 user:amy:r-----a-R-c---:-------:allow user:rory:r-----a-R-c---:-------:allow group:sysadmin:rw-p--aARWc---:-------:allow group:staff:rw-p--aARWc---:-------:allow owner@:rwxp--aARWcCos:-------:allow group@:rwxp--aARWc--s:-------:allow everyone@:------a-R-c--s:-------:allow
A chown operation changes the file ownership on file.1 and the output is seen by the owning user, amy. For example:
# chown amy:staff file.1 # su - amy $ ls -lV file.1 -rwxrwx---+ 1 amy staff 206695 Aug 30 16:03 file.1 user:amy:r-----a-R-c---:-------:allow user:rory:r-----a-R-c---:-------:allow group:sysadmin:rw-p--aARWc---:-------:allow group:staff:rw-p--aARWc---:-------:allow owner@:rwxp--aARWcCos:-------:allow group@:rwxp--aARWc--s:-------:allow everyone@:------a-R-c--s:-------:allow
The following chmod operation changes the permissions to a more restrictive mode. In this example, the modified sysadmin group's and staff group's ACL permissions do not exceed the owning group's permissions.
$ chmod 640 file.1 $ ls -lV file.1 -rw-r-----+ 1 amy staff 206695 Aug 30 16:03 file.1 user:amy:r-----a-R-c---:-------:allow user:rory:r-----a-R-c---:-------:allow group:sysadmin:r-----a-R-c---:-------:allow group:staff:r-----a-R-c---:-------:allow owner@:rw-p--aARWcCos:-------:allow group@:r-----a-R-c--s:-------:allow everyone@:------a-R-c--s:-------:allow
The following chmod operation changes the permissions to a less restrictive mode. In this example, the modified sysadmin group's and staff group's ACL permissions are restored to allow the same permissions as the owning group.
$ chmod 770 file.1 $ ls -lV file.1 -rwxrwx---+ 1 amy staff 206695 Aug 30 16:03 file.1 user:amy:r-----a-R-c---:-------:allow user:rory:r-----a-R-c---:-------:allow group:sysadmin:rw-p--aARWc---:-------:allow group:staff:rw-p--aARWc---:-------:allow owner@:rwxp--aARWcCos:-------:allow group@:rwxp--aARWc--s:-------:allow everyone@:------a-R-c--s:-------:allow