Granting ACLs That Are Inherited by Files

This section identifies the file ACEs that are applied when the file_inherit flag is set.

In the following example, an administrator who is assigned the Object Management rights profile adds a read_data/write_data entry for user alice with the file_inherit flag, so that the entry is propagated to any file that is later created in the test2.dir directory.

$ pfbash ; chmod A+user:alice:read_data/write_data:file_inherit:allow test2.dir
$ ls -dv test2.dir
drwxr-xr-x+  2 root     root           2 Jul 20 14:55 test2.dir
0:user:alice:read_data/write_data:file_inherit:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/delete_child
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow

In the following example, the entry is inherited by the newly created test2.dir/file.2 file and appears there with the inherited flag. Because the inherited entry grants her read_data, user alice can read the contents of any file created in the directory.

$ touch test2.dir/file.2
$ ls -v test2.dir/file.2
-rw-r--r--+  1 root     root           0 Jul 20 14:56 test2.dir/file.2
0:user:alice:read_data:inherited:allow
1:owner@:read_data/write_data/append_data/read_xattr/write_xattr
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow

The inherited entry grants read_data only. Because the aclinherit property of this file system is set to the default mode, restricted, an inherited permission that the file's group permission bits do not allow is dropped; file.2 was created with mode rw-r--r--, so the group has no write bit and user alice does not receive write_data on file.2.

A subdirectory created in test2.dir inherits the entry as well, but with the inherit_only flag added, because the entry carries file_inherit and not dir_inherit. An inherit_only entry exists only to be propagated further down the directory tree (here, to files later created in the subdirectory) and grants nothing on the subdirectory itself. As a result, user alice's access to the subdirectory is decided by the owner@, group@, and everyone@ entries: she would receive the owner@ or group@ permissions only if she were the file owner or a member of the file's group owner, so the everyone@ entry applies to her. For example:

$ mkdir test2.dir/subdir.2
$ ls -dv test2.dir/subdir.2
drwxr-xr-x+  2 root     root           2 Jul 20 14:57 test2.dir/subdir.2
0:user:alice:list_directory/read_data/add_file/write_data:file_inherit
/inherit_only/inherited:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/delete_child
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
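
The three listings in this section, as an added example that is not part of the Oracle Solaris documentation: a POSIX shell helper that joins the wrapped `ls -v` output and answers the two questions the section raises, which entries a directory will pass on to new children, and whether a user actually holds a permission on the object itself once inherit_only entries are set aside. The listings are embedded as constructed samples copied from the page; the function names join_aces, inheritable_aces and user_has_perm are the example's own, not Solaris commands. On a Solaris host you would pipe live `ls -v path` output into the functions instead.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): audit helper
# that joins the wrapped `ls -v` ACL listing, normalises each ACE to
# idx:type:name:perms:flags:allow|deny, and reports which entries a
# directory hands to new children and which permissions a user holds on
# the object itself.  The three listings are constructed from the page's
# output, with the indentation `ls -v` adds removed.

SAMPLE_DIR_ACL='drwxr-xr-x+  2 root     root           2 Jul 20 14:55 test2.dir
0:user:alice:read_data/write_data:file_inherit:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/delete_child
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow'

SAMPLE_FILE_ACL='-rw-r--r--+  1 root     root           0 Jul 20 14:56 test2.dir/file.2
0:user:alice:read_data:inherited:allow
1:owner@:read_data/write_data/append_data/read_xattr/write_xattr
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow'

SAMPLE_SUBDIR_ACL='drwxr-xr-x+  2 root     root           2 Jul 20 14:57 test2.dir/subdir.2
0:user:alice:list_directory/read_data/add_file/write_data:file_inherit
/inherit_only/inherited:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/delete_child
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow'

# Read an `ls -v` listing on stdin; print one normalised ACE per line.
# An ACE starts with "<index>:"; wrapped continuation lines start with
# "/" or ":" after any indentation; the leading ls -l line is dropped.
# owner@/group@/everyone@ entries get an empty name field, and the flags
# field is emptied when the entry carries no flags.
join_aces() {
  awk '
    function flush(   n, f) {
      if (ace == "") return
      n = split(ace, f, ":")
      if (f[2] ~ /@$/) print f[1] ":" f[2] "::" f[3] ":" (n == 5 ? f[4] : "") ":" f[n]
      else             print f[1] ":" f[2] ":" f[3] ":" f[4] ":" (n == 6 ? f[5] : "") ":" f[n]
      ace = ""
    }
    { line = $0; sub(/^[ \t]+/, "", line); c = substr(line, 1, 1) }
    line ~ /^[0-9]+:/     { flush(); ace = line; next }
    c == "/" || c == ":"  { ace = ace line; next }
    { flush() }
    END { flush() }'
}

# ACEs that new children of a directory inherit: those flagged
# file_inherit or dir_inherit.  An entry flagged only "inherited" came
# from the parent but propagates no further.
inheritable_aces() {
  join_aces | awk -F: '$5 ~ /(^|\/)(file_inherit|dir_inherit)(\/|$)/'
}

# Exit 0 if user $1 holds permission $2 on the object itself through an
# explicit user:$1 allow entry.  inherit_only entries are skipped: they are
# carried for propagation and grant nothing on the object they sit on.
user_has_perm() {
  join_aces | awk -F: -v u="$1" -v p="$2" '
    $2 == "user" && $3 == u && $6 == "allow" && $5 !~ /(^|\/)inherit_only(\/|$)/ {
      n = split($4, perms, "/")
      for (i = 1; i <= n; i++) if (perms[i] == p) { hit = 1; exit }
    }
    END { exit (hit ? 0 : 1) }'
}

report() {  # $1 = object name, $2 = its `ls -v` listing
  printf '%s\n  entries passed on to new children:\n' "$1"
  printf '%s\n' "$2" | inheritable_aces | sed 's/^/    /'
  for p in read_data write_data; do
    if printf '%s\n' "$2" | user_has_perm alice "$p"; then r=yes; else r=no; fi
    printf '  alice holds %s on the object itself: %s\n' "$p" "$r"
  done
}
report test2.dir "$SAMPLE_DIR_ACL"
report test2.dir/file.2 "$SAMPLE_FILE_ACL"
report test2.dir/subdir.2 "$SAMPLE_SUBDIR_ACL"
```

Run against the page's listings, the helper reports write_data present for alice on test2.dir, absent on file.2 (the restricted inheritance dropped it), and absent on subdir.2 (the entry is there but inherit_only). It evaluates explicit user: entries only; it does not walk the owner@/group@/everyone@ fallback or apply deny ordering, so treat a "no" as "no explicit grant", not as a full access decision.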