Access Control List Inheritance Issues

Access control list (ACL) behavior differs between Windows systems and ZFS file systems on Oracle Solaris systems. You might experience Windows ACL inheritance problems because of the access control entry (ACE) ordering used by the default ZFS ACL.

The default ZFS ACL is designed to comply with POSIX, which results in the interleaving of allow and deny ACEs. Windows expects all deny ACEs to precede all allow ACEs.

You can override the default ZFS behavior by changing the ACL on the root directory to provide the equivalent of Everyone:FullControl as follows:

$ chmod 777 /pool-name
$ chmod A=everyone@:rwxpdDaARWcCos:fd:allow /pool/dataset

For information about the chmod options, see the chmod(1) man page.

You can verify the ACL by viewing it on Windows or by running the following command on an Oracle Solaris system:

$ ls -V -d /pool/dataset

You can apply this ACL recursively to all subdirectories and files for existing file systems from Windows or from the Oracle Solaris OS.

If you apply the ACL when the file system is first created, the ACL will be propagated according to the normal inheritance rules.

If a directory has a default ZFS ACL, when a file or folder is created in this directory from Windows, it has two ACEs: one for the owner and one for SYSTEM. To change this behavior, update the root directory's ACL by running the chmod commands.