ACL Inherit passthrough-mode-preserve Mode

The following section includes examples of using the aclinherit=passthrough-mode-preserve property setting.

The parent directory used in these examples has the ACL shown below and the aclinherit=passthrough-mode-preserve property setting. Note that this setting configures an inheritance that prevents an SMB server from creating a two-member ACL, which negatively affects NFS clients.

drwxrwxrwx+  4 nobody   other          4 Oct 15 13:49 .
user:marks:rwxp--aAR-----:fd-----:allow
owner@:rwxp-DaARWcCos:fd-----:allow
group@:rwxp-DaARWc--s:fd-----:allow
everyone@:rwxp-DaARWc--s:fd-----:allow

Directly creating an SMB directory results in the directory having the following ACL:

# ls -dV smb.dir
drwxrwxrwx+  2 marks    staff          2 Oct 15 14:03 smb.dir
user:marks:rwxp--aAR-----:fd----I:allow
owner@:rwxp-DaARWcCos:fd----I:allow
group@:rwxp-DaARWc--s:fd----I:allow
everyone@:rwxp-DaARWc--s:fd----I:allow

In the SMB case, the passthrough-mode-preserve property setting configures a pure inheritance of the ACEs and no longer creates the two-member ACL shown previously.

Using NFS to create the dir2 directory results in the directory having the following ACL:

# umask
0022
# mkdir dir2
# ls -dV dir2
drwxr-xr-x+  2 root     root           2 Oct 15 13:49 dir2
user:marks:r-x---a-R-----:fd----I:allow
owner@:rwxp-DaARWcCos:fd----I:allow
group@:r-x---a-R-c--s:fd----I:allow
everyone@:r-x---a-R-c--s:fd----I:allow

Note that a umask of 0022 results in the mkdir command creating the directory with a mode of 0755.

The owner@, group@, and everyone@ entry values are overridden by the mode values specified by the mkdir request.

If you set the aclmode property to mask, running the chmod 700 dir2 command creates the following ACL:

# chmod 700 dir2
# ls -dV dir2
drwx------+  2 root     root           2 Dec  1 13:51 dir2
user:marks:------a-R-----:fd----I:allow
owner@:rwxp-DaARWcCos:fd----I:allow
group@:------a-R-c--s:fd----I:allow
everyone@:------a-R-c--s:fd----I:allow

In this case, the permissions for owner@, group@, and everyone@ are replaced to adjust the ACL to mode 0700. The marks entry is updated in accordance with the existing mask semantics. All of the inheritance bits are preserved.

Setting the aclmode property to discard results in the following ACL:

# chmod 755 dir2
# ls -dV dir2
drwxr-xr-x   2 root     root           2 Dec  1 13:51 dir2
owner@:rwxp-DaARWcCos:fd-----:allow
group@:r-x---a-R-c--s:fd-----:allow
everyone@:r-x---a-R-c--s:fd-----:allow

This case preserves the inheritance bits again. This behavior occurs only when you set the aclinherit property to passthrough-mode-preserve.

The following examples set the aclinherit property value to passthrough, which inherits ACLs differently and gives the chmod command a different effect.

# mkdir dir3
# ls -dV dir3
drwxrwxrwx+  2 root     root           2 Dec  1 15:46 dir3
user:marks:rwxp--aAR-----:fd----I:allow
owner@:rwxp-DaARWcCos:fd----I:allow
group@:rwxp-DaARWc--s:fd----I:allow
everyone@:rwxp-DaARWc--s:fd----I:allow

The previous mkdir dir3 command inherits all of the ACEs directly from the parent directory and overrides the creation mode passed to the mkdir command. This command also ignores the user's umask. Use this setting when you want to force the creation mode of every file and directory to be the same value. Note that the umask and creation mode are ignored only if one or more inheritable owner@, group@, or everyone@ ACEs exist.

Now, using the chmod 0700 dir3 command results in the following ACL when the aclmode property is set to mask:

drwxr-xr-x+  2 root     root           2 Dec  1 15:46 dir3
user:marks:r-x---a-R-----:fd----I:allow
owner@:rwxp-DaARWcCos:fdi---I:allow
group@:rwxp-DaARWc--s:fdi---I:allow
everyone@:rwxp-DaARWc--s:fdi---I:allow
owner@:rwxp-DaARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow

This chmod command splits the owner@, group@, and everyone@ ACEs into two sets of entries. Note that the fdi-marked entries apply to inheritance only and are not considered for access-control decisions. These entries exist for future propagation. The second set of owner@, group@, and everyone@ ACEs reflects the mode that you requested with the chmod command.
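The following Python model is an added example, not code from this document or from ZFS itself. It reconstructs, from the before/after listings above, three behaviors the text describes: how the umask and creation mode trim inherited entries under passthrough-mode-preserve (the dir2 listing), how aclmode=mask trims every entry in place under passthrough-mode-preserve (the chmod 700 listing), and how aclmode=mask under plain passthrough splits the owner@, group@, and everyone@ entries into inherit-only copies plus non-inheritable copies that carry the requested mode (the dir3 listing, whose mode bits are drwxr-xr-x). The rule for which compact permission letters a cleared write bit removes, and the use of the group triplet to mask named user entries, are assumptions inferred only from those listings; deny entries, file creation, and the ACL regeneration that aclmode=discard performs are not modelled.

```python
"""Added model (not ZFS's own code) of how a child directory's ACL is derived
at creation and how aclmode=mask trims or splits entries on chmod. The rules
are reconstructed from the before/after listings on this page; anything
marked ASSUMPTION is inferred from those listings only."""
from dataclasses import dataclass, replace

ACCESS_BITS = "rwxpdDaARWcCos"   # column order of the 14-char permission field
INHERIT_FLAGS = "fdinSFI"        # column order of the 7-char inheritance field
OWNER_CLASS = {"owner@", "group@", "everyone@"}
# ASSUMPTION: a cleared write mode bit removes exactly these bits. The page's
# listings drop w, p, D, A and W together; C and o never occur on a trimmed entry.
WRITE_CLASS = set("wpDAW")


@dataclass
class Ace:
    who: str      # owner@ / group@ / everyone@ / user:<name> / group:<name>
    perms: set    # subset of ACCESS_BITS
    flags: set    # subset of INHERIT_FLAGS
    kind: str     # allow / deny


def parse_ace(line: str) -> Ace:
    """Parse one `who:perms:flags:type` line as printed by `ls -V`."""
    who, perms, flags, kind = line.strip().rsplit(":", 3)
    return Ace(who, set(perms) - {"-"}, set(flags) - {"-"}, kind)

def format_ace(ace: Ace) -> str:
    """Render an entry back into the compact form `ls -V` prints."""
    perms = "".join(c if c in ace.perms else "-" for c in ACCESS_BITS)
    flags = "".join(c if c in ace.flags else "-" for c in INHERIT_FLAGS)
    return f"{ace.who}:{perms}:{flags}:{ace.kind}"

def parse_listing(text: str) -> list:
    """Return the ACEs of an `ls -dV` listing (the mode line has one colon)."""
    return [parse_ace(l) for l in text.splitlines() if l.count(":") >= 3]

def is_effective(ace: Ace) -> bool:
    """Inherit-only (i) entries exist for propagation and grant nothing."""
    return "i" not in ace.flags

def creation_mode(requested: int, umask: int) -> int:
    """mkdir semantics: the umask clears bits of the requested mode."""
    return requested & ~umask

def trim(ace: Ace, mode: int) -> Ace:
    """Drop permissions the entry's mode class forbids; never adds any.
    ASSUMPTION (matches the page): user:/group: entries use the group triplet."""
    shift = {"owner@": 6, "everyone@": 0}.get(ace.who, 3)
    bits, perms = (mode >> shift) & 7, set(ace.perms)
    if not bits & 4:
        perms.discard("r")
    if not bits & 2:
        perms -= WRITE_CLASS
    if not bits & 1:
        perms.discard("x")
    return replace(ace, perms=perms)

def inherit_dir(parent: list, mode: int, mode_preserve: bool) -> list:
    """Directory creation: inheritable entries are copied and tagged I.
    passthrough-mode-preserve then trims them to the creation mode;
    plain passthrough copies them verbatim and ignores the mode."""
    out = []
    for ace in parent:
        if ace.flags & {"f", "d"}:
            child = replace(ace, flags=(ace.flags & {"f", "d"}) | {"I"})
            out.append(trim(child, mode) if mode_preserve else child)
    return out

def chmod_mask(acl: list, mode: int, split: bool) -> list:
    """chmod under aclmode=mask. split=False (passthrough-mode-preserve): every
    entry is trimmed in place and keeps its flags. split=True (passthrough):
    inheritable owner@/group@/everyone@ entries become inherit-only and a
    trimmed, non-inheritable copy of each is appended."""
    kept, appended = [], []
    for ace in acl:
        if split and ace.who in OWNER_CLASS and ace.flags & {"f", "d"}:
            kept.append(replace(ace, flags=ace.flags | {"i"}))
            appended.append(replace(trim(ace, mode), flags=set()))
        else:
            kept.append(trim(ace, mode))
    return kept + appended

# Parent directory ACL copied from the listing on this page.
PARENT_LISTING = """\
drwxrwxrwx+  4 nobody   other          4 Oct 15 13:49 .
user:marks:rwxp--aAR-----:fd-----:allow
owner@:rwxp-DaARWcCos:fd-----:allow
group@:rwxp-DaARWc--s:fd-----:allow
everyone@:rwxp-DaARWc--s:fd-----:allow
"""

if __name__ == "__main__":
    parent = parse_listing(PARENT_LISTING)
    dir3 = inherit_dir(parent, creation_mode(0o777, 0o022), mode_preserve=False)
    for ace in chmod_mask(dir3, 0o755, split=True):
        print(format_ace(ace), "" if is_effective(ace) else "<- inherit-only")
```

Run stand-alone it prints the split dir3 ACL and marks the fdi entries that an access check skips; feeding the same parent through inherit_dir with mode_preserve=True and then chmod_mask(..., 0o700, split=False) reproduces the dir2 listings. The point the model makes explicit is that the inherit-only entries keep the full parent permissions for propagation while only the trimmed, non-inheritable copies decide access, so auditing a directory's effective permissions means filtering on is_effective rather than reading every line of ls -V.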

Setting the aclmode property value to discard results in the following ACL:

# ls -dV dir3
drwxr-xr-x   2 root     root           2 Dec  1 15:46 dir3
owner@:rwxp-DaARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow

This setting replaces the original ACL with a new one that corresponds to the new file mode.