Setting ACLs on ZFS Files

The primary rules of ACL access on a ZFS file are as follows:

  • ZFS processes ACL entries in the order they are listed in the ACL, from the top down.

  • Only ACL entries where the specified user matches the requester of the access are processed.

  • Once an allow permission has been granted, it cannot be denied by a subsequent ACL deny entry in the same ACL permission set.

  • The owner of the file is granted the write_acl permission unconditionally even if the permission is explicitly denied. Otherwise, any permission left unspecified is denied.

    In the cases of deny permissions or when an access permission is missing, the privilege subsystem determines the access request that is granted for the owner of the file or for superuser. This mechanism prevents owners of files from getting locked out of their files and enables superuser to modify files for recovery purposes.
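To make the evaluation order concrete, the following is an added example (not code from the ZFS documentation or from the ZFS implementation) that models the four rules above as a small Python simulator. The ACL text format, the sample ACL, the user names (alice, bob, carol, dave) and the group name `staff` are all constructed for illustration; the privilege-subsystem fallback for the owner and superuser is reported as a distinct outcome rather than implemented.

```python
"""Simulator for the ZFS ACL evaluation rules described above (constructed example).

Entries use the compact spelling ``who:perm1/perm2:allow|deny`` where ``who`` is
owner@, group@, everyone@, user:<name> or group:<name>.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    who: str
    perms: frozenset
    kind: str  # "allow" or "deny"


@dataclass(frozen=True)
class Requester:
    name: str
    groups: frozenset = frozenset()
    is_owner: bool = False
    in_owning_group: bool = False


def parse_acl(text):
    """Parse one ACL entry per line; blank lines are ignored."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        # rsplit keeps a "user:alice" / "group:staff" subject intact
        who, perms, kind = line.rsplit(":", 2)
        if kind not in ("allow", "deny"):
            raise ValueError(f"bad entry type in {line!r}")
        entries.append(AclEntry(who, frozenset(perms.split("/")), kind))
    return entries


def entry_matches(entry, req):
    """Rule 2: an entry is considered only if its subject covers the requester."""
    if entry.who == "owner@":
        return req.is_owner
    if entry.who == "group@":
        return req.in_owning_group
    if entry.who == "everyone@":
        return True
    if entry.who.startswith("user:"):
        return entry.who[len("user:"):] == req.name
    if entry.who.startswith("group:"):
        return entry.who[len("group:"):] in req.groups
    raise ValueError(f"unknown ACL subject {entry.who!r}")


def evaluate(acl, req, perm):
    """Return ('allow' | 'deny' | 'unspecified', trace) for one requested permission."""
    trace = []
    # Rule 4, first half: the file owner always holds write_acl, even if denied.
    if perm == "write_acl" and req.is_owner:
        trace.append("owner is granted write_acl unconditionally")
        return "allow", trace
    # Rule 1: top-down order. Rule 3: the first matching entry that names the
    # permission decides, so an earlier allow cannot be undone by a later deny.
    for idx, entry in enumerate(acl):
        if not entry_matches(entry, req) or perm not in entry.perms:
            continue
        trace.append(f"entry {idx} ({entry.who}) {entry.kind}s {perm}")
        return entry.kind, trace
    # Rule 4, second half: nothing specified the permission.
    trace.append(f"no entry specifies {perm}")
    return "unspecified", trace


def is_granted(acl, req, perm):
    """Access decision for an ordinary requester: only an explicit allow grants access.
    For the owner or superuser the page says deny/unspecified outcomes are referred
    to the privilege subsystem, which this model does not implement."""
    return evaluate(acl, req, perm)[0] == "allow"


# Constructed sample ACL: alice's allow precedes the staff deny, so order matters.
SAMPLE_ACL = parse_acl("""
user:alice:read_data/write_data:allow
group:staff:write_data:deny
everyone@:read_data:allow
owner@:write_acl:deny
""")

ALICE = Requester("alice", groups=frozenset({"staff"}))
BOB = Requester("bob", groups=frozenset({"staff"}))
CAROL = Requester("carol")
OWNER = Requester("dave", is_owner=True, in_owning_group=True)

if __name__ == "__main__":
    for who, perm in [(ALICE, "write_data"), (BOB, "write_data"),
                      (CAROL, "read_data"), (CAROL, "write_data"),
                      (OWNER, "write_acl")]:
        result, trace = evaluate(SAMPLE_ACL, who, perm)
        print(f"{who.name:5} {perm:10} -> {result:11} ({'; '.join(trace)})")
```

Swapping the first two entries of `SAMPLE_ACL` flips alice's `write_data` result from allow to deny, which is the practical consequence of rules 1 and 3: when auditing a ZFS ACL, the position of a deny entry relative to the allows that precede it is what decides whether it has any effect.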