You can determine how ACLs are inherited on files and directories.
The aclinherit property can be set globally on a file system. By default, aclinherit is set to restricted.
For more information, see ACL Inheritance Flags.
This section identifies the file ACEs that are applied when the file_inherit flag is set.
In the following example, an administrator who is assigned the Object Access Management rights profile adds read_data/write_data permissions and enables them to be inherited for user alice in the test2.dir directory.
$ pfbash ; chmod A+user:alice:read_data/write_data:file_inherit:allow test2.dir $ ls -dv test2.dir drwxr-xr-x+ 2 root root 2 Jul 20 14:55 test2.dir 0:user:alice:read_data/write_data:file_inherit:allow 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner/synchronize:allow 2:group@:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:allow 3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:allow
In the following example, user alice's permissions are applied on the newly created test2.dir/file.2 file.
$ touch test2.dir/file.2 $ ls -v test2.dir/file.2 -rw-r--r--+ 1 root root 0 Jul 20 14:56 test2.dir/file.2 0:user:alice:read_data:inherited:allow 1:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner/synchronize:allow 2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
Because she is granted read_data:file_inherit:allow, she can read the contents of any newly created file.
Because the group permission on the file.2 does not include write_data permission, alice also does not have this permission. The aclinherit property for this file system in default mode, restricted, which prevents the user in the ACL from having more permissions than the group permissions.
The inherit_only permission is applied when the file_inherit or dir_inherit flags are set. inherit_only propagates the ACL through the directory structure. As such, user alice is granted or denied permission from everyone@ permissions only if she is the file owner or is a member of the file's group owner. For example:
$ mkdir test2.dir/subdir.2 $ ls -dv test2.dir/subdir.2 drwxr-xr-x+ 2 root root 2 Jul 20 14:57 test2.dir/subdir.2 0:user:alice:list_directory/read_data/add_file/write_data:file_inherit /inherit_only/inherited:allow 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner/synchronize:allow 2:group@:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:allow 3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow
This section provides examples that identify the file and directory ACLs that are applied when both the file_inherit and dir_inherit flags are set. The examples also show the interaction between ACLs and permission bits when the default aclinherit property, restricted, is in effect.
Example 15 Setting and Viewing Inheritable ACLsIn this example, user alice is granted read, write, and execute permissions that are inherited for newly created files and directories.
$ pfexec chmod A+user:alice:read_data/write_data/execute:file_inherit/dir_inherit:allow test3.dir $ ls -dv test3.dir drwxr-xr-x+ 2 root root 2 Jul 20 15:00 test3.dir 0:user:alice:list_directory/read_data/add_file/write_data/execute :file_inherit/dir_inherit:allow 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner/synchronize:allow 2:group@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow 3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow
The inherited text in the output for index number 0 is informational.
$ touch test3.dir/file.3 $ ls -v test3.dir/file.3 -rw-r--r--+ 1 root root 0 Jul 20 15:01 test3.dir/file.3 0:user:alice:read_data:inherited:allow 1:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner/synchronize:allow 2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allowExample 16 Viewing Effect of aclinherit restricted on file_inherit:allow ACLs
In these examples, because the permission bits of the parent directory for group@ and everyone@ deny write and execute permissions, user alice is denied write and execute permissions despite the chmod command explicitly assigning her these permissions. The default aclinherit property is restricted, which prevents write_data and execute from being inherited.
In this example, user alice is granted read, write, and execute permissions that are inherited for newly created files, but are not propagated to subsequent contents of the directory.
$ pfexec chmod A+user:alice:read_data/write_data/execute:file_inherit/no_propagate:allow test4.dir $ ls -dv test4.dir drwxr--r--+ 2 root root 2 Mar 1 12:11 test4.dir 0:user:alice:list_directory/read_data/add_file/write_data/execute :file_inherit/no_propagate:allow 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner/synchronize:allow 2:group@:list_directory/read_data/read_xattr/read_attributes/read_acl/synchronize:allow 3:everyone@:list_directory/read_data/read_xattr/read_attributes/read_acl/synchronize:allow
As a result of the default ACL inheritance value, restricted, the write_data and execute permissions are removed for alice in file.4 because her permissions cannot be greater than the group's permissions for files in that directory.
$ touch test4.dir/file.4 $ ls -v test4.dir/file.4 -rw-r--r--+ 1 root root 0 Jul 20 15:09 test4.dir/file.4 0:user:alice:read_data:inherited:allow 1:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner/synchronize:allow 2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
This section describes the aclinherit property values.
Example 17 ACL Viewing the Effect of discard on ACL InheritanceIf the aclinherit property on a file system is set to discard, then ACLs can potentially be discarded when the permission bits on a directory change. For example:
$ pfbash ; zfs set aclinherit=discard system1/cindy $ chmod A+user:alice:read_data/write_data/execute:dir_inherit:allow test5.dir $ ls -dv test5.dir drwxr-xr-x+ 2 root root 2 Jul 20 14:18 test5.dir 0:user:alice:list_directory/read_data/add_file/write_data/execute:dir_inherit:allow 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner/synchronize:allow 2:group@:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:allow 3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:allow
If, at a later time, you decide to tighten the permission bits on a directory, the non-trivial ACL is discarded. For example:
$ pfexec chmod 744 test5.dir $ ls -dv test5.dir drwxr--r-- 2 root root 2 Jul 20 14:18 test5.dir 0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner/synchronize:allow 1:group@:list_directory/read_data/read_xattr/read_attributes/read_acl/synchronize:allow 2:everyone@:list_directory/read_data/read_xattr/read_attributes/read_acl/synchronize:allowExample 18 Viewing the Effect of noallow on ACL Inheritance
In the following example, two non-trivial ACLs with file inheritance are set. One ACL allows read_data permission, and one ACL denies read_data permission. This example also illustrates how you can specify two ACEs in the same chmod command.
$ pfbash ; zfs set aclinherit=noallow system1/jdoe $ chmod A+user:alice:read_data:file_inherit:deny,user:lp:read_data:file_inherit:allow test6.dir $ ls -dv test6.dir drwxr-xr-x+ 2 root root 2 Jul 20 14:22 test6.dir 0:user:alice:read_data:file_inherit:deny 1:user:lp:read_data:file_inherit:allow 2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner/synchronize:allow 3:group@:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:allow 4:everyone@:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:allow
When a new file is created, the ACL that allows read_data permission is discarded.
$ touch test6.dir/file.6 $ ls -v test6.dir/file.6 -rw-r--r--+ 1 root root 0 Jul 20 14:23 test6.dir/file.6 0:user:alice:read_data:inherited:deny 1:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner/synchronize:allow 2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
A file system that has the aclinherit property set to passthrough inherits all inheritable ACL entries without any modifications made to the ACL entries when they are inherited. Files are created with a permission mode that is determined by the inheritable ACEs. If no inheritable ACEs exist that affect the permission mode, then the permission mode is set in accordance to the requested mode from the application.
Example 19 ACL Inheritance With ACL Inherit Mode Set to passthrough in Verbose ModeIf the aclinherit property on the system1/cindy file system is set to passthrough, then user alice would inherit the ACL applied on test4.dir for the newly created file.5 as follows:
$ pfexec zfs set aclinherit=passthrough system1/cindy $ touch test4.dir/file.5 $ ls -v test4.dir/file.5 -rw-r--r--+ 1 root root 0 Jul 20 14:16 test4.dir/file.5 0:user:alice:read_data/write_data/execute:inherited:allow 1:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner/synchronize:allow 2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allowExample 20 ACL Inheritance With ACL Inherit Mode Set to passthrough in Compact Mode
The following examples use compact ACL syntax to show how to inherit permission bits by setting aclinherit mode to passthrough.
In this example, an ACL is set on test1.dir to force inheritance. The syntax creates an owner@, group@, and everyone@ ACL entry for newly created files. Newly created directories inherit an @owner, group@, and everyone@ ACL entry.
$ pfbash ; zfs set aclinherit=passthrough system1/cindy $ pwd /system1/cindy $ mkdir test1.dir
$ chmod A=owner@:rwxpcCosRrWaAdD:fd:allow,group@:rwxp:fd:allow, everyone@::fd:allow test1.dir $ ls -Vd test1.dir drwxrwx---+ 2 root root 2 Jul 20 14:42 test1.dir owner@:rwxpdDaARWcCos:fd-----:allow group@:rwxp----------:fd-----:allow everyone@:--------------:fd-----:allow
In this example, a newly created file inherits the ACL that was specified to be inherited to newly created files.
$ cd test1.dir $ touch file.1 $ ls -V file.1 -rwxrwx---+ 1 root root 0 Jul 20 14:44 file.1 owner@:rwxpdDaARWcCos:------I:allow group@:rwxp----------:------I:allow everyone@:--------------:------I:allow
In this example, a newly created directory inherits both ACEs that control access to this directory as well as ACEs for future propagation to children of the newly created directory.
$ mkdir subdir.1 $ ls -dV subdir.1 drwxrwx---+ 2 root root 2 Jul 20 14:45 subdir.1 owner@:rwxpdDaARWcCos:fd----I:allow group@:rwxp----------:fd----I:allow everyone@:--------------:fd----I:allow
The fd----I entries are for propagating inheritance and are not considered during access control.
In the following example, a file is created with a trivial ACL in another directory where inherited ACEs are not present.
$ cd /system1/cindy $ mkdir test2.dir $ cd test2.dir $ touch file.2 $ ls -V file.2 -rw-r--r-- 1 root root 0 Jul 20 14:48 file.2 owner@:rw-p--aARWcCos:-------:allow group@:r-----a-R-c--s:-------:allow everyone@:r-----a-R-c--s:-------:allow
When aclinherit=passthrough-x is enabled, files are created with the execute (x) permission for owner@, group@, or everyone@, but only if execute permission is set in the file creation mode and in an inheritable ACE that affects the mode.
The following example shows how to inherit the execute permission by setting the aclinherit mode to passthrough-x.
$ pfexec zfs set aclinherit=passthrough-x system1/cindy
The following ACL is set on /system1/cindy/test1.dir to provide executable ACL inheritance for files for owner@.
$ pfexec chmod A=owner@:rwxpcCosRrWaAdD:fd:allow,group@:rwxp:fd:allow, everyone@::fd:allow test1.dir $ ls -Vd test1.dir drwxrwx---+ 2 root root 2 Jul 20 14:50 test1.dir owner@:rwxpdDaARWcCos:fd-----:allow group@:rwxp----------:fd-----:allow everyone@:--------------:fd-----:allow
A file (file1) is created with requested permissions 0666. The resulting permissions are 0660. The execution permission was not inherited because the creation mode did not request it.
$ touch test1.dir/file1 $ ls -V test1.dir/file1 -rw-rw----+ 1 root root 0 Jul 20 14:52 test1.dir/file1 owner@:rw-pdDaARWcCos:------I:allow group@:rw-p----------:------I:allow everyone@:--------------:------I:allow
Next, an executable called t is generated by using the cc compiler in the testdir directory.
$ cc -o t t.c $ ls -V t -rwxrwx---+ 1 root root 7396 Dec 3 15:19 t owner@:rwxpdDaARWcCos:------I:allow group@:rwxp----------:------I:allow everyone@:--------------:------I:allow
The resulting permissions are 0770 because cc requested permissions 0777, which caused the execute permission to be inherited from the owner@, group@, and everyone@ entries.