Command Syntax for Setting ACLs

To set or modify ACLs, use the chmod command. The command syntax resembles the syntax for setting permission bits on files, except that the operator (+, =, or -) is preceded by A and, optionally, by the index of the ACL entry to act on.

  • Command syntax for trivial ACLs

    chmod [options] A[index]{+|=}owner@ |group@ |everyone@: \
    access-permissions/...[:inheritance-flags]:deny | allow \
    [:successful_access | failed_access:audit] file
    chmod [options] A-owner@, group@, everyone@: \
    access-permissions/...[:inheritance-flags]:deny | allow \
    [:successful_access | failed_access:audit] file 
    chmod [options] A[index]- file
  • Command syntax for non-trivial ACLs

    chmod [options] A-user|group:name: \
    access-permissions/...[:inheritance-flags]:deny | allow \
    [:successful_access | failed_access:audit] file ...
    chmod [options] A[index]- file

The chmod command uses the following operators:

  • A+ adds an ACL entry.

  • A= replaces an ACL entry.

    To replace an entire ACL for a file, use this operator without specifying an index ID. In the following example, ACL entries for file.1 are removed and replaced with the single entry for everyone@.

    $ chmod A=everyone@:read_data:allow file.1
  • A- removes an ACL entry.

    To universally remove all non-trivial ACL entries for a file, use this operator and specify the file name without listing each entry to be removed.

    $ chmod A- filename

    Use this command syntax to restore a trivial ACL to the file. After you issue the command, only the entries for owner@, group@, and everyone@ that comprise a trivial ACL remain.

Caution:

Be careful when modifying existing ACLs. Using the operators without an index has a different effect from using them with an index. For example, chmod A= replaces the entire ACL, while chmod A3= replaces only the existing entry that has index number 3.

Permissions and inheritance flags are represented by unique letters listed in ACL Access Privileges and ACL Inheritance Flags. When you set ZFS ACLs, you can either use the letters that correspond to those permissions (compact mode) or type the permissions in full (verbose mode).

In this example, both commands grant read and execute permissions to user Alice on file.1:

  • chmod A+user:alice:rx:allow file.1

  • chmod A+user:alice:read_data/execute:allow file.1

Likewise, to grant user Tamiko inheritable read, write, and execute permissions for the newly created dir.2 and its files, you can use either one of the following commands:

  • chmod A+user:tamiko:rwx:fd:allow dir.2

  • chmod A+user:tamiko:read_data/write_data/execute:file_inherit/dir_inherit:allow dir.2
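The following Python model is an added example, not part of this documentation: it parses entries in either compact or verbose mode (so the paired commands above compare equal) and applies the A+, A= and A- operators, with and without an index, to a list of entries, making the caution about indexed versus unindexed operators checkable. It assumes that an unindexed A+ prepends the new entry, as chmod(1) describes; this page does not say where the entry lands.

```python
# Added example (not from the ZFS docs): a model of the chmod A operators
# and of compact vs. verbose permission names.
import re

PERMS = {"r": "read_data", "w": "write_data", "x": "execute"}
FLAGS = {"f": "file_inherit", "d": "dir_inherit"}
TRIVIAL = ("owner@", "group@", "everyone@")

def expand(field, table):
    """Return verbose names for a field written in compact or verbose mode."""
    names = field.split("/")
    if all(n in table.values() for n in names):
        return names                           # verbose mode already
    return [table[c] for c in field]           # compact mode: one letter per name

def parse_entry(spec):
    """Normalise 'user:alice:rx:allow' or 'everyone@:read_data:allow' so that
    compact and verbose spellings of the same entry compare equal."""
    parts = spec.split(":")
    if parts[0] in ("user", "group"):          # non-trivial: user|group:name
        who, rest = ":".join(parts[:2]), parts[2:]
    else:                                      # trivial: owner@, group@, everyone@
        who, rest = parts[0], parts[1:]
    perms, *flags, kind = rest
    if kind not in ("allow", "deny"):
        raise ValueError(f"bad entry type in {spec!r}")
    return {"who": who, "perms": expand(perms, PERMS),
            "flags": expand(flags[0], FLAGS) if flags else [], "type": kind}

def apply_op(acl, op, spec=None):
    """Apply one operator string (A+, A3=, A-, A2-, ...) to a list of parsed
    entries.  Assumption: an unindexed A+ prepends, as chmod(1) describes."""
    m = re.fullmatch(r"A(\d*)([+=-])", op)
    if not m:
        raise ValueError(f"bad operator {op!r}")
    idx = int(m.group(1)) if m.group(1) else None
    new = list(acl)
    if m.group(2) == "+":
        new.insert(0 if idx is None else idx, parse_entry(spec))
    elif m.group(2) == "=":
        if idx is None:
            new = [parse_entry(spec)]          # A= replaces the entire ACL
        else:
            new[idx] = parse_entry(spec)       # A3= replaces only entry 3
    elif idx is not None:
        del new[idx]                           # A3- removes entry 3
    else:                                      # bare A- keeps the trivial ACL; A-spec drops matches
        new = [e for e in new if (e["who"] in TRIVIAL if spec is None else e != parse_entry(spec))]
    return new
```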