Fine-grained access on files and directories is managed via Access Control Lists. An ACL
describes what permissions are granted, if any, to specific users or groups. The ZFSSA supports
NFSv4-style ACLs, also accessible over SMB. POSIX draft ACLs (used by NFSv3) are not supported. Some
trivial ACLs can be represented over NFSv3, but making complicated ACL changes may result in
undefined behavior when accessed over NFSv3.
Like root directory access, this property only affects the root directory of the filesystem.
ACLs can be controlled through in-band protocol management, but the BUI provides a way to set the
ACL just for the root directory of the filesystem. There is no way to set the root directory ACL
through the CLI. You can use in-band management tools if the BUI is not an option. Changing this ACL
does not affect existing files and directories in the filesystem. Depending on the ACL inheritance
behavior, these settings may or may not be inherited by newly created files and directories.
However, all ACL entries are inherited when SMB is used to create a file in a directory with a
An ACL is composed of any number of ACEs (access control entries). Each ACE describes a
type/target, a mode, a set of permissions, and inheritance flags. ACEs are applied in order,
starting at the beginning of the ACL, to determine whether a given action should be permitted. For
information on in-band configuration ACLs through data protocols, consult the appropriate client
documentation. The BUI interface for managing ACLs and the effect on the root directory are
Table 12-18 Share - ACL Types
Current owner of the directory. If the owner is changed, this ACE will apply to the new
Current group of the directory. If the group is changed, this ACE will apply to the new
User named by the 'target' field. The user can be specified as a user ID or a name resolvable
by the current name service configuration.
Group named by the 'target' field. The group can be specified as a group ID or a name
resolvable by the current name service configuration.
Table 12-19 Share - ACL Modes
The permissions are explicitly granted to the ACE target.
The permissions are explicitly denied to the ACE target.
Table 12-20 Share - ACL Permissions
Read Data/List Directory
Permission to list the contents of a directory. When inherited by a file, permission to read
the data of the file.
Execute File/Traverse Directory
Permission to traverse (lookup) entries in a directory. When inherited by a file, permission
to execute the file.
Permission to read basic attributes (non-ACLs) of a file. Basic attributes are considered to
be the stat level attributes, and allowing this permission means that the user can execute
ls and stat equivalents.
Read Extended Attributes
Permission to read the extended attributes of a file or do a lookup in the extended attributes
Write Data/Add File
Permission to add a new file to a directory. When inherited by a file, permission to modify a
file's data anywhere in the file's offset range. This include the ability to grow the file or write
to any arbitrary offset.
Append Data/Add Subdirectory
Permission to create a subdirectory within a directory. When inherited by a file, permission
to modify the file's data, but only starting at the end of the file. This permission (when applied
to files) is not currently supported.
Permission to delete a file.
Permission to delete a file within a directory. As of the 2011.1 software release, if the
sticky bit is set, a child file can only be deleted by the file owner.
Permission to change the times associated with a file or directory.
Write Extended Attributes
Permission to create extended attributes or write to the extended attributes directory.
Permission to read the ACL.
Permission to write the ACL or change the basic access modes.
Permission to change the owner.
Apply to Files
Inherit to all newly created files in a directory.
Apply to Directories
Inherit to all newly created directories in a directory.
Do not apply to self
The current ACE is not applied to the current directory, but does apply to children. This flag
requires one of "Apply to Files" or "Apply to Directories" to be set.
Do not apply past children
The current ACE should only be inherited one level of the tree, to immediate children. This
flag requires one of "Apply to Files" or "Apply to Directories" to be set.
When the option to use Windows default permissions is used at share creation time, an ACL with
the following three entries is created for the share's root directory: