ACL Inheritance Behavior
When a new file or directory is created, it is possible to inherit existing ACL settings
from the parent directory. This property controls how this inheritance works. These property
settings usually only affect ACL entries that are flagged as inheritable - other entries are
not propagated regardless of this property setting. However, all trivial ACL entries are
inheritable when used with SMB. A trivial ACL represents the traditional UNIX
owner/group/other entries. To edit the ACL inheritance behavior, see
Editing a Project (BUI, CLI).
Table 123 ACL Inheritance Behavior Values

| Setting | Value | Description |
|---|---|---|
| Do not inherit entries | discard | No ACL entries are inherited. The file or directory is created according to the client and protocol being used. |
| Only inherit deny entries | noallow | Only inheritable ACL entries specifying "deny" permissions are inherited. |
| Inherit all but "write ACL" and "change owner" | restricted | Removes the "write_acl" and "write_owner" permissions when the ACL entry is inherited, but otherwise leaves inheritable ACL entries untouched. This is the default. |
| Inherit all entries | passthrough | All inheritable ACL entries are inherited. The "passthrough" mode is typically used to cause all "data" files to be created with an identical mode in a directory tree. An administrator sets up ACL inheritance so that all files are created with a mode, such as 0664 or 0666. |
| Inherit all but "execute" when not specified | passthrough-x | Same as 'passthrough', except that the owner, group, and everyone ACL entries inherit the execute permission only if the file creation mode also requests the execute bit. The "passthrough" setting works as expected for data files, but you might want to optionally include the execute bit from the file creation mode into the inherited ACL. One example is an output file that is generated from tools, such as "cc" or "gcc". If the inherited ACL doesn't include the execute bit, then the output executable from the compiler won't be executable until you use chmod(1) to change the file's permissions. |
| Inherit all, but preserve mode from client | passthrough-mode-preserve | Inheritable ACL entries are inherited, while preserving the creation mode specified by the application. This preserves the inheritance bits so SMB creates ACLs that interoperate well with shares accessed over NFS and SMB simultaneously. This property setting is only available after applying the deferred update for ACL Passthrough with Mode Preservation. For more information, see Deferred Updates in Oracle ZFS Storage Appliance Customer Service Manual. |
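The following added example (not Oracle's code and not part of the original page) models five of the values in the table as a filter over a parent directory's ACL, so you can compare which principals keep "write_acl" or "write_owner" on a newly created file under each setting. The `Ace` class, the `inherit` and `acl_admins` functions, the single `inheritable` flag and the sample ACL are hypothetical simplifications; "passthrough-mode-preserve" is not modelled.

```python
from dataclasses import dataclass, replace

MODELLED = {"discard", "noallow", "restricted", "passthrough", "passthrough-x"}
TRIVIAL_WHO = {"owner@", "group@", "everyone@"}  # the owner/group/everyone entries

@dataclass(frozen=True)
class Ace:                      # hypothetical, simplified ACE
    who: str
    kind: str                   # "allow" or "deny"
    perms: frozenset
    inheritable: bool = True    # stands in for the real inheritance flags

def inherit(parent_acl, aclinherit, create_mode=0o644):
    """ACEs a new file inherits from parent_acl, following the table's wording."""
    if aclinherit not in MODELLED:
        raise ValueError(f"value not modelled here: {aclinherit}")
    if aclinherit == "discard":
        return []
    result = []
    for ace in parent_acl:
        if not ace.inheritable:
            continue            # non-inheritable entries never propagate
        if aclinherit == "noallow" and ace.kind != "deny":
            continue
        perms = set(ace.perms)
        if aclinherit == "restricted":
            perms -= {"write_acl", "write_owner"}
        # Assumption: any execute bit in the creation mode counts as a request.
        if (aclinherit == "passthrough-x" and ace.who in TRIVIAL_WHO
                and not create_mode & 0o111):
            perms.discard("execute")
        result.append(replace(ace, perms=frozenset(perms)))
    return result

def acl_admins(acl):
    """Principals whose allow entries let them rewrite the ACL or take ownership."""
    return sorted(a.who for a in acl
                  if a.kind == "allow" and a.perms & {"write_acl", "write_owner"})

# Constructed sample ACL for a parent directory.
PARENT = [
    Ace("owner@", "allow", frozenset({"read_data", "write_data", "execute", "write_acl", "write_owner"})),
    Ace("user:alice", "allow", frozenset({"read_data", "write_data", "execute", "write_acl"})),
    Ace("group:contractors", "deny", frozenset({"write_data"})),
    Ace("everyone@", "allow", frozenset({"read_data"}), inheritable=False),
]

if __name__ == "__main__":
    for value in sorted(MODELLED):
        print(f"{value:14} can rewrite ACL/owner: {acl_admins(inherit(PARENT, value))}")
```

With the sample ACL, only the passthrough variants leave any principal able to rewrite the ACL or change ownership of the new file, which is the difference to check before moving a share away from the default.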
When using SMB to create a file in a directory with a trivial ACL, all ACL entries are
inherited. As a result, the following behavior occurs:
- Inheritance bits display differently when viewed in SMB or NFS. When viewing the ACL
  directory in SMB, inheritance bits are displayed. In NFS, inheritance bits are not
  displayed.
- When a file is created in a directory using SMB, its ACL entries are shown as
  inherited; however, when viewed through NFS, the directory has no inheritable ACL
  entries.
- If the ACL is changed so that it is no longer trivial, e.g., by adding an access
  control entry (ACE), this behavior does not occur.
- If the ACL is modified using SMB, the resulting ACL will have the previously
  synthetic inheritance bits turned into real inheritance bits.