Managing ZFS File Systems in Oracle® Solaris 11.2


Updated: December 2014

Setting ACL Inheritance on ZFS Files in Verbose Format

You can determine how ACLs are inherited or not inherited on files and directories. By default, ACLs are not propagated. If you set a non-trivial ACL on a directory, it is not inherited by any subsequent directory. You must specify the inheritance of an ACL on a file or directory.

The aclinherit property can be set globally on a file system. By default, aclinherit is set to restricted.

For more information, see ACL Inheritance.

Example 7-6  Granting Default ACL Inheritance

By default, ACLs are not propagated through a directory structure.

In the following example, a non-trivial ACE of read_data/write_data/execute is applied for user joe on test.dir.

# chmod A+user:joe:read_data/write_data/execute:allow test.dir
# ls -dv test.dir
drwxr-xr-x+  2 root     root           2 Jul 20 14:53 test.dir
0:user:joe:list_directory/read_data/add_file/write_data/execute:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/delete_child
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow

If a subdirectory of test.dir is created, the ACE for user joe is not propagated. User joe would only have access to sub.dir if the permissions on sub.dir granted him access as the file owner, as a group member, or through everyone@.

# mkdir test.dir/sub.dir
# ls -dv test.dir/sub.dir
drwxr-xr-x   2 root     root           2 Jul 20 14:54 test.dir/sub.dir
0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/delete_child
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
1:group@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
2:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow

Example 7-7  Granting ACL Inheritance on Files and Directories

This series of examples identifies the file and directory ACEs that are applied when the file_inherit flag is set.

In the following example, read_data/write_data permissions are added for user joe on files in the test2.dir directory so that he has read access to any newly created files.

# chmod A+user:joe:read_data/write_data:file_inherit:allow test2.dir
# ls -dv test2.dir
drwxr-xr-x+  2 root     root           2 Jul 20 14:55 test2.dir
0:user:joe:read_data/write_data:file_inherit:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/delete_child
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow

In the following example, user joe's permissions are applied to the newly created test2.dir/file.2 file. The ACL inheritance granted, read_data:file_inherit:allow, means that user joe can read the contents of any newly created file.

# touch test2.dir/file.2
# ls -v test2.dir/file.2
-rw-r--r--+  1 root     root           0 Jul 20 14:56 test2.dir/file.2
0:user:joe:read_data:inherited:allow
1:owner@:read_data/write_data/append_data/read_xattr/write_xattr
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow

Because the aclinherit property for this file system is set to the default mode, restricted, user joe does not have write_data permission on file.2, because the group permission of the file does not allow it.

Note that the inherit_only permission, which is applied when the file_inherit or dir_inherit flag is set, is used to propagate the ACL through the directory structure. As such, user joe is only granted or denied permission from the everyone@ permissions unless he is the file owner or a member of the file's owning group. For example:

# mkdir test2.dir/subdir.2
# ls -dv test2.dir/subdir.2
drwxr-xr-x+  2 root     root           2 Jul 20 14:57 test2.dir/subdir.2
0:user:joe:list_directory/read_data/add_file/write_data:file_inherit
/inherit_only/inherited:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/delete_child
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow

The following series of examples identifies the file and directory ACLs that are applied when both the file_inherit and dir_inherit flags are set.

In the following example, user joe is granted read, write, and execute permissions that are inherited for newly created files and directories.

# chmod A+user:joe:read_data/write_data/execute:file_inherit/dir_inherit:allow
test3.dir
# ls -dv test3.dir
drwxr-xr-x+  2 root     root           2 Jul 20 15:00 test3.dir
0:user:joe:list_directory/read_data/add_file/write_data/execute
:file_inherit/dir_inherit:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/delete_child
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow

The inherited text in the output below is an informational message that indicates that the ACE is inherited.

# touch test3.dir/file.3
# ls -v test3.dir/file.3
-rw-r--r--+  1 root     root           0 Jul 20 15:01 test3.dir/file.3
0:user:joe:read_data:inherited:allow
1:owner@:read_data/write_data/append_data/read_xattr/write_xattr
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
# touch test3.dir/file.3
# ls -v test3.dir/file.3
-rw-r--r--+  1 root     root           0 Jun 23 15:25 test3.dir/file.3
0:user:joe:read_data:allow
1:owner@:read_data/write_data/append_data/read_xattr/write_xattr
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
# mkdir test3.dir/subdir.1
# ls -dv test3.dir/subdir.1
drwxr-xr-x+  2 root     root           2 Jun 23 15:26 test3.dir/subdir.1
0:user:joe:list_directory/read_data/execute:file_inherit/dir_inherit
:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/read_attributes
/write_attributes/read_acl/write_acl/write_owner/synchronize:allow
2:group@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow

In the preceding example, because the permission bits of the parent directory for group@ and everyone@ deny write and execute permissions, user joe's write and execute permissions are denied. The default aclinherit property is restricted, which means that the write_data and execute permissions are not inherited.

In the following example, user joe is granted read, write, and execute permissions that are inherited for newly created files, but are not propagated to subsequent contents of the directory.

# chmod A+user:joe:read_data/write_data/execute:file_inherit/no_propagate:allow
test4.dir
# ls -dv test4.dir
drwxr--r--+  2 root     root           2 Mar  1 12:11 test4.dir
0:user:joe:list_directory/read_data/add_file/write_data/execute
:file_inherit/no_propagate:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/delete_child
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:list_directory/read_data/read_xattr/read_attributes/read_acl
/synchronize:allow
3:everyone@:list_directory/read_data/read_xattr/read_attributes/read_acl
/synchronize:allow

As the following example illustrates, user joe's read_data/write_data/execute permissions are reduced based on the owning group's permissions.

# touch test4.dir/file.4
# ls -v test4.dir/file.4
-rw-r--r--+  1 root     root           0 Jul 20 15:09 test4.dir/file.4
0:user:joe:read_data:inherited:allow
1:owner@:read_data/write_data/append_data/read_xattr/write_xattr
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow

Example 7-8  ACL Inheritance With ACL Inherit Mode Set to Passthrough

If the aclinherit property on the tank/cindy file system is set to passthrough, then user joe inherits the ACL applied on test4.dir for the newly created file.5, as follows:

# zfs set aclinherit=passthrough tank/cindy
# touch test4.dir/file.5
# ls -v test4.dir/file.5
-rw-r--r--+  1 root     root           0 Jul 20 14:16 test4.dir/file.5
0:user:joe:read_data/write_data/execute:inherited:allow
1:owner@:read_data/write_data/append_data/read_xattr/write_xattr
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow

Example 7-9  ACL Inheritance With ACL Inherit Mode Set to Discard

If the aclinherit property on a file system is set to discard, then ACLs can potentially be discarded when the permission bits on a directory change. For example:

# zfs set aclinherit=discard tank/cindy
# chmod A+user:joe:read_data/write_data/execute:dir_inherit:allow test5.dir
# ls -dv test5.dir
drwxr-xr-x+  2 root     root           2 Jul 20 14:18 test5.dir
0:user:joe:list_directory/read_data/add_file/write_data/execute
:dir_inherit:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/delete_child
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow

If, at a later time, you decide to tighten the permission bits on the directory, the non-trivial ACL is discarded. For example:

# chmod 744 test5.dir
# ls -dv test5.dir
drwxr--r--   2 root     root           2 Jul 20 14:18 test5.dir
0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/delete_child
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
1:group@:list_directory/read_data/read_xattr/read_attributes/read_acl
/synchronize:allow
2:everyone@:list_directory/read_data/read_xattr/read_attributes/read_acl
/synchronize:allow

Example 7-10  ACL Inheritance With ACL Inherit Mode Set to Noallow

In the following example, two non-trivial ACLs with file inheritance are set. One ACL allows read_data permission, and one ACL denies read_data permission. This example also illustrates how you can specify two ACEs in the same chmod command.

# zfs set aclinherit=noallow tank/cindy
# chmod A+user:joe:read_data:file_inherit:deny,user:lp:read_data:file_inherit:allow
test6.dir
# ls -dv test6.dir
drwxr-xr-x+  2 root     root           2 Jul 20 14:22 test6.dir
0:user:joe:read_data:file_inherit:deny
1:user:lp:read_data:file_inherit:allow
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/delete_child
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
3:group@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
4:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow

As the following example shows, when a new file is created, the ACL that allows read_data permission is discarded.

# touch test6.dir/file.6
# ls -v test6.dir/file.6
-rw-r--r--+  1 root     root           0 Jul 20 14:23 test6.dir/file.6
0:user:joe:read_data:inherited:deny
1:owner@:read_data/write_data/append_data/read_xattr/write_xattr
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
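The outcomes in Examples 7-7 through 7-10 follow a small set of rules: which inherit flags are on the parent ACE, whether the new object is a file or a directory, and which aclinherit mode the file system uses. The model below, an added example that is not code from the Oracle documentation, makes those rules explicit so that an intended ACE can be checked against a new file's or directory's expected entries before it is placed on a production directory. It encodes the simplified "restricted" behaviour the examples on this page show (an effective allow entry keeps read, write, and execute only where the new object's group permission bits have them; inherit_only copies are left untouched, which is why subdir.2 in Example 7-7 keeps write_data), and for discard it applies the zfs(1M) rule that no entries are inherited. Two assumptions are labelled in the code: the inherited flag is always attached to a child entry (the older output on this page for test3.dir omits it), and permission names are normalised to their file-side spelling (read_data rather than list_directory/read_data). The function and argument names are this example's own.

```python
"""Model of how one ACE on a parent directory is inherited by a new child
under each aclinherit mode (added example, not from the Oracle documentation).
Reproduces the results shown for test2.dir through test6.dir on this page."""
from dataclasses import dataclass

# ls -v prints both the directory and the file name of the same permission bit
# (list_directory/read_data, add_file/write_data, add_subdirectory/append_data);
# normalise to one name so a single rule covers both object kinds (assumption:
# output uses the file-side spelling).
ALIASES = {"list_directory": "read_data", "add_file": "write_data",
           "add_subdirectory": "append_data"}
# Group-class bit a permission needs to survive the "restricted" clamp.
NEEDS_BIT = {"read_data": "r", "write_data": "w", "append_data": "w", "execute": "x"}
PERM_ORDER = ["read_data", "write_data", "append_data", "execute"]
FLAG_ORDER = ["file_inherit", "dir_inherit", "no_propagate", "inherit_only", "inherited"]


@dataclass(frozen=True)
class Ace:
    who: str          # "user:joe", "group:staff", "owner@", "group@", "everyone@"
    perms: frozenset  # normalised permission names
    flags: frozenset  # inheritance flags
    kind: str         # "allow" or "deny"


def parse_ace(text):
    """Parse an entry in ls -v / chmod A+ syntax without its leading index,
    e.g. 'user:joe:read_data/write_data:file_inherit:allow'."""
    parts = text.split(":")
    if parts[0] in ("user", "group"):
        who, body = parts[0] + ":" + parts[1], parts[2:-1]
    else:
        who, body = parts[0], parts[1:-1]
    perms = frozenset(ALIASES.get(p, p) for p in body[0].split("/") if p)
    flags = frozenset(body[1].split("/")) if len(body) > 1 else frozenset()
    return Ace(who, perms, flags, parts[-1])


def format_ace(ace):
    """Render an ACE the way ls -v does (the flags field is omitted when empty)."""
    perms = "/".join(p for p in PERM_ORDER if p in ace.perms)
    flags = "/".join(f for f in FLAG_ORDER if f in ace.flags)
    return ":".join([ace.who, perms] + ([flags] if flags else []) + [ace.kind])


def inherit_ace(ace, aclinherit, new_is_dir, group_bits):
    """Return the ACE a newly created child receives from a parent-directory
    ACE, or None when nothing is inherited.  group_bits is the group class of
    the new object's mode, e.g. "r--" for a 644 file or "r-x" for a 755 dir."""
    if aclinherit == "discard":
        return None                                # discard: inherit nothing
    if aclinherit == "noallow" and ace.kind == "allow":
        return None                                # noallow: only deny entries
    file_inh = "file_inherit" in ace.flags
    dir_inh = "dir_inherit" in ace.flags
    if not (file_inh or dir_inh):
        return None                                # ACE was never marked inheritable
    flags = {"inherited"}                          # assumption: always marked on the child
    if new_is_dir:
        if dir_inh:
            # Applied to the subdirectory; keeps propagating unless no_propagate.
            if "no_propagate" not in ace.flags:
                flags |= ace.flags & {"file_inherit", "dir_inherit"}
        elif "no_propagate" in ace.flags:
            return None                            # files one level down only
        else:
            # file_inherit alone: carried on the subdirectory as inherit_only so
            # that files created deeper still receive it (Example 7-7, subdir.2).
            flags |= {"file_inherit", "inherit_only"}
    elif not file_inh:
        return None                                # dir_inherit alone never reaches files
    perms = set(ace.perms)
    if aclinherit == "restricted" and ace.kind == "allow" and "inherit_only" not in flags:
        # Effective allow entries are clamped to the group bits; inherit_only
        # copies are not, so subdir.2 in Example 7-7 keeps write_data.
        perms = {p for p in perms if p not in NEEDS_BIT or NEEDS_BIT[p] in group_bits}
    return Ace(ace.who, frozenset(perms), frozenset(flags), ace.kind)


def inherit_acl(parent_entries, aclinherit, new_is_dir, group_bits):
    """Apply inherit_ace to every non-trivial entry of a parent directory and
    return the inherited entries as ls -v style strings."""
    result = []
    for text in parent_entries:
        child = inherit_ace(parse_ace(text), aclinherit, new_is_dir, group_bits)
        if child is not None:
            result.append(format_ace(child))
    return result


if __name__ == "__main__":
    # Constructed inputs mirroring test2.dir through test6.dir on this page.
    cases = [
        ("restricted", ["user:joe:read_data/write_data:file_inherit:allow"], False, "r--"),
        ("restricted", ["user:joe:read_data/write_data:file_inherit:allow"], True, "r-x"),
        ("restricted", ["user:joe:read_data/write_data/execute:file_inherit/dir_inherit:allow"], True, "r-x"),
        ("passthrough", ["user:joe:read_data/write_data/execute:file_inherit/no_propagate:allow"], False, "r--"),
        ("noallow", ["user:joe:read_data:file_inherit:deny", "user:lp:read_data:file_inherit:allow"], False, "r--"),
    ]
    for mode, acl, is_dir, bits in cases:
        print(mode, "dir" if is_dir else "file", bits, "->", inherit_acl(acl, mode, is_dir, bits))
```

Running the script prints, for each case, the entries a new file or directory would carry; the restricted and passthrough cases for the same parent ACE differ only in whether write_data and execute survive, which is the difference between file.4 and file.5 in Examples 7-7 and 7-8. When reviewing a directory where a non-trivial ACE is meant to reach subdirectories, the dir_inherit case is the one to check: with file_inherit alone the ACE is only carried as an inherit_only entry and grants nothing on the subdirectory itself.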