1. Oracle ZFS Storage Appliance Administration Guide, Release OS8.8.x
  2. Shares and Projects
  3. Access Control Lists for Filesystems
  4. ACL Inheritance Behavior

ACL Inheritance Behavior

When a new file or directory is created, it is possible to inherit existing ACL settings from the parent directory. This property controls how this inheritance works. These property settings usually only affect ACL entries that are flagged as inheritable - other entries are not propagated regardless of this property setting. However, all trivial ACL entries are inheritable when used with SMB. A trivial ACL represents the traditional UNIX owner/group/other entries. To edit the ACL inheritance behavior, see Editing a Project - BUI, CLI.

Table 4-62 ACL Inheritance Behavior Values

BUI Value CLI Value Description

Do not inherit entries

discard

No ACL entries are inherited. The file or directory is created according to the client and protocol being used.

Only inherit deny entries

noallow

Only inheritable ACL entries specifying deny permissions are inherited.

Inherit all but "write ACL" and "change owner"

restricted

Removes the write_acl and write_owner permissions when the ACL entry is inherited, but otherwise leaves inheritable ACL entries untouched. This is the default.

Inherit all entries

passthrough

All inheritable ACL entries are inherited. The passthrough mode is typically used to cause all data files to be created with an identical mode in a directory tree. An administrator sets up ACL inheritance so that all files are created with a mode, such as 0664 or 0666.

Inherit all but "execute" when not specified

passthrough-x

Same as passthrough except that the owner, group, and everyone ACL entries inherit the execute permission only if the file creation mode also requests the execute bit. The passthrough setting works as expected for data files, but you might want to optionally include the execute bit from the file creation mode into the inherited ACL. One example is an output file that is generated from tools, such as cc or gcc. If the inherited ACL does not include the execute bit, then the output executable from the compiler won't be executable until you use chmod(1) to change the file's permissions.

Inherit all, but preserve mode from client

passthrough-mode-preserve

Inheritable ACL entries are inherited, while preserving the creation mode specified by the application. This preserves the inheritance bits so SMB creates ACLs that interoperate well with shares accessed over NFS and SMB simultaneously. This property setting is only available after applying the deferred update for ACL Passthrough with Mode Preservation. For more information, see Deferred Updates in Oracle ZFS Storage Appliance Customer Service Manual, Release OS8.8.x.

When using SMB to create a file in a directory with a trivial ACL, all ACL entries are inherited. As a result, the following behavior occurs:

  • Inheritance bits display differently when viewed in SMB or NFS. When viewing the ACL directory in SMB, inheritance bits are displayed. In NFS, inheritance bits are not displayed.

  • When a file is created in a directory using SMB, its ACL entries are shown as inherited; however, when viewed through NFS, the directory has no inheritable ACL entries.

  • If the ACL is changed so that it is no longer trivial, for example, by adding an access control entry (ACE), this behavior does not occur.

  • If the ACL is modified using SMB, the resulting ACL will have the previously synthetic inheritance bits turned into real inheritance bits.

Related Topics

Project Properties