ACL Properties

The ZFS file system includes the following ACL properties, which determine the behavior of ACL inheritance and how ACLs interact with chmod operations:

  • aclinherit – Determines the behavior of ACL inheritance. Values include the following:

    • restricted – For new objects, the write_owner and write_acl permissions are removed when an ACL entry is inherited. This is the default mode.

    • discard – For new objects, no ACL entries are inherited when a file or directory is created. The ACL on the file or directory is equal to the permission mode of the file or directory.

    • noallow – For new objects, only inheritable ACL entries that have an access type of deny are inherited.

    • passthrough – When aclinherit is set to passthrough, files are created with a mode determined by the inheritable ACEs. If no inheritable ACEs exist that affect the mode, then the mode is set in accordance with the mode requested by the application.

    • passthrough-x – Has the same semantics as passthrough except that files are created with the execute (x) permission only if the execute permission is set in file creation mode and in an inheritable ACE that affects the mode.

    • passthrough-mode-preserve – Has the same semantics as passthrough except that the owner@, group@, and everyone@ ACEs are overridden by values from the mode that is requested by the application when creating files and directories.

    For more information about the aclinherit modes, see Modifying ACL Inheritance With the ACL Inherit Mode.

  • aclmode – Modifies ACL behavior when a file is initially created or controls how an ACL is modified during a chmod operation. Values include the following:

    • discard – Deletes all ACL entries that do not represent the mode of the file. This is the default mode.

    • mask – Reduces user or group permissions. The permissions are reduced such that they are no greater than the group permission bits unless it is a user entry that has the same UID as the owner of the file or directory. In this case, the ACL permissions are reduced so that they are no greater than owner permission bits. The mask value also preserves the ACL across mode changes, provided that an explicit ACL set operation has not been performed.

    • passthrough – Indicates that no changes are made to the ACL other than generating the necessary ACL entries to represent the new mode of the file or directory.

    For more information about using the aclmode property, see ACL Properties and Modified ACL Permissions.
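
The following added example (not part of the original documentation) audits the output of `zfs get -H -o name,property,value aclinherit,aclmode` and reports datasets whose values differ from the defaults named above (restricted and discard) or are not among the listed values. The dataset names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit aclinherit/aclmode values against the defaults listed above.
# Input: tab-separated lines (dataset, property, value) as produced by
#   zfs get -H -o name,property,value aclinherit,aclmode

audit_acl_props() {
    awk -F '\t' '
        BEGIN {
            # Defaults as stated in the property descriptions above.
            def["aclinherit"] = "restricted"
            def["aclmode"]    = "discard"
            # Values listed for each property, space-delimited for exact matching.
            ok["aclinherit"] = " restricted discard noallow passthrough passthrough-x passthrough-mode-preserve "
            ok["aclmode"]    = " discard mask passthrough "
        }
        # Skip malformed lines and properties this audit does not cover.
        NF != 3 || !($2 in def) { next }
        # A value outside the listed set is reported separately (typo, other release).
        index(ok[$2], " " $3 " ") == 0 {
            printf "UNKNOWN\t%s\t%s=%s\n", $1, $2, $3
            next
        }
        # A listed value that is not the default changes inheritance or chmod behavior.
        $3 != def[$2] { printf "NONDEFAULT\t%s\t%s=%s\n", $1, $2, $3 }
    '
}

# Constructed sample input; dataset names are hypothetical.
sample_zfs_get() {
    printf 'tank/home\taclinherit\trestricted\n'
    printf 'tank/home\taclmode\tdiscard\n'
    printf 'tank/share\taclinherit\tpassthrough\n'
    printf 'tank/share\taclmode\tmask\n'
    printf 'tank/tmp\taclinherit\tpasthrough\n'
}

# On a live system, replace sample_zfs_get with the zfs get command shown above.
sample_zfs_get | audit_acl_props
```

Datasets reported as NONDEFAULT are the ones to review: with aclinherit set to anything other than restricted, the rule that removes write_owner and write_acl from inherited entries no longer applies as described for the default.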