Setting and Displaying ACLs on ZFS Files in Compact
Format
You can set and display permissions on ZFS files in a compact format
that uses 14 unique letters to represent the permissions. The letters that
represent the compact permissions are listed in Table 8–2 and Table 8–3.
You can display compact ACL listings for files and directories by using
the ls -V command. For example:
# ls -V file.1
-rw-r--r-- 1 root root 206674 Jul 29 10:27 file.1
owner@:--x-----------:-------:deny
owner@:rw-p---A-W-Co-:-------:allow
group@:-wxp----------:-------:deny
group@:r-------------:-------:allow
everyone@:-wxp---A-W-Co-:-------:deny
everyone@:r-----a-R-c--s:-------:allow
|
The compact ACL output is described as follows:
-
owner@
-
The owner is denied execute permissions to the file (x=execute).
-
owner@
-
The owner can read and modify the contents of the file (rw=read_data/write_data), (p=append_data). The owner can also modify the file's attributes such
as timestamps, extended attributes, and ACLs (A=write_xattr, W=write_attributes, C=write_acl). In addition, the owner can modify the ownership of the
file (o=write_owner).
-
group@
-
The group is denied modify and execute permissions to the
file (write_data, p=append_data,
and x=execute).
-
group@
-
The group is granted read permissions to the file (r=read_data).
-
everyone@
-
Everyone who is not user or group is denied permission to
execute or modify the contents of the file, and to modify any attributes of
the file (w=write_data, x=execute, p=append_data, A=write_xattr, W=write_attributes, C=write_acl, and o=write_owner).
-
everyone@
-
Everyone who is not user or group is granted read permissions
to the file and the file's attributes (r=read_data, a=append_data, R=read_xattr, c=read_acl, and s=synchronize). The synchronize access permission
is not currently implemented.
Compact ACL format provides the following advantages over verbose ACL
format:
-
Permissions can be specified as positional arguments to the chmod command.
-
The hyphen (-) characters, which identify no permissions,
can be removed and only the required letters need to be specified.
-
Both permissions and inheritance flags are set in the same
fashion.
For information about using the verbose ACL format, see Setting and Displaying ACLs on ZFS Files in Verbose Format.
Example 8–11 Setting and Displaying ACLs in Compact Format
In the following example, a trivial ACL exists on file.1:
# ls -V file.1
-rw-r--r-- 1 root root 206674 Jul 29 10:27 file.1
owner@:--x-----------:-------:deny
owner@:rw-p---A-W-Co-:-------:allow
group@:-wxp----------:-------:deny
group@:r-------------:-------:allow
everyone@:-wxp---A-W-Co-:-------:deny
everyone@:r-----a-R-c--s:-------:allow
|
In this example, read_data/execute permissions are added for the user gozer on file.1.
# chmod A+user:gozer:rx:allow file.1
# ls -V file.1
-rw-r--r--+ 1 root root 206674 Jul 29 10:27 file.1
user:gozer:r-x-----------:-------:allow
owner@:--x-----------:-------:deny
owner@:rw-p---A-W-Co-:-------:allow
group@:-wxp----------:-------:deny
group@:r-------------:-------:allow
everyone@:-wxp---A-W-Co-:-------:deny
everyone@:r-----a-R-c--s:-------:allow
|
Another way to add the same permissions for user gozer is
to insert a new ACL at a specific position, 4, for example. As such, the existing
ACLs at positions 4–6 are pushed down. For example:
# chmod A4+user:gozer:rx:allow file.1
# ls -V file.1
-rw-r--r--+ 1 root root 206674 Jul 29 10:27 file.1
user:gozer:r-x-----------:-------:allow
owner@:--x-----------:-------:deny
owner@:rw-p---A-W-Co-:-------:allow
group@:-wxp----------:-------:deny
user:gozer:r-x-----------:-------:allow
group@:r-------------:-------:allow
everyone@:-wxp---A-W-Co-:-------:deny
everyone@:r-----a-R-c--s:-------:allow
|
In the following example, user gozer is granted read,
write, and execute permissions that are inherited for newly created files
and directories by using the compact ACL format.
# chmod A+user:gozer:rwx:fd:allow dir.2
# ls -dV dir.2
drwxr-xr-x+ 2 root root 2 Jul 29 10:44 dir.2
user:gozer:rwx-----------:fd-----:allow
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow
|
You can also cut and paste permissions and inheritance flags from the ls -V output into the compact chmod format.
For example, to duplicate the permissions and inheritance flags on dir.2 for user gozer to user cindys on dir.2, copy and paste the permission and inheritance flags (rwx-----------:f------:allow) into your chmod command. For example:
# chmod A+user:cindys:rwx-----------:fd----:allow dir.2
# ls -dV dir.2
drwxr-xr-x+ 2 root root 2 Jul 29 10:44 dir.2
user:cindys:rwx-----------:fd-----:allow
user:gozer:rwx-----------:fd-----:allow
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow
|
Example 8–12 ACL Inheritance With ACL Inherit Mode Set to Pass
Through
A file system that has the aclinherit property set
to passthrough inherits all inheritable ACL entries without
any modifications made to the ACL entries when they are inherited. When this
property is set to passthrough, files are created with
a permission mode that is determined by the inheritable ACEs. If no inheritable
ACEs exist that affect the permission mode, then the permission mode is set
in accordance to the requested mode from the application.
The following examples use compact ACL syntax to show how to inherit
permission bits by setting aclinherit mode to passthrough.
In this example, an ACL is set on test1.dir to
force inheritance. The syntax creates an owner@, group@, and everyone@ ACL entry for newly created
files. Newly created directories inherit an @owner, group@, and everyone@ ACL entry. Additionally,
directories inherit 6 other ACEs that propagate the ACEs to newly created
directories and files.
# zfs set aclinherit=passthrough tank/cindys
# pwd
/tank/cindys
# mkdir test1.dir
|
# chmod A=owner@:rwxpcCosRrWaAdD:fd:allow,group@:rwxp:fd:allow,everyone@::fd:allow
test1.dir
# ls -Vd test1.dir
drwxrwx---+ 2 root root 2 Jun 20 15:26 test1.dir
owner@:rwxpdDaARWcCos:fd-----:allow
group@:rwxp----------:fd-----:allow
everyone@:--------------:fd-----:allow
|
In this example, a newly created file inherits the ACL that was specified
to be inherited to newly created files.
# cd test1.dir
# touch file.1
# ls -V file.1
-rwxrwx---+ 1 root root 0 Jun 23 09:38 file.1
owner@:rwxpdDaARWcCos:------I:allow
group@:rwxp----------:------I:allow
everyone@:--------------:------I:allow
|
In this example, a newly created directory inherits both ACEs that control
access to this directory as well as ACEs for future propagation to children
of the newly created directory.
# mkdir subdir.1
# ls -dV subdir.1
drwxrwx---+ 2 root root 2 Jun 23 09:41 subdir.1
owner@:rwxpdDaARWcCos:fdi---I:allow
owner@:rwxpdDaARWcCos:------I:allow
group@:rwxp----------:fdi---I:allow
group@:rwxp----------:------I:allow
everyone@:--------------:fdi---I:allow
everyone@:--------------:------I:allow
|
The -di-- and f-i--- entries are
for propagating inheritance and are not considered during access control.
In this example, a file is created with a trivial ACL in another directory
where inherited ACEs are not present.
# cd /tank/cindys
# mkdir test2.dir
# cd test2.dir
# touch file.2
# ls -V file.2
-rw-r--r-- 1 root root 0 Jun 23 09:50 file.2
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
|
Example 8–13 ACL Inheritance With ACL Inherit Mode Set to Pass
Through-X
When aclinherit=passthrough-x is enabled, files are
created with the execute (x) permission for owner@, group@, or everyone@, but only if execute permission
is set in the file creation mode and in an inheritable ACE that affects the
mode.
The following example shows how to inherit the execute permission by
setting aclinherit mode to passthrough-x.
# zfs set aclinherit=passthrough-x tank/cindys
|
The following ACL is set on /tank/cindys/test1.dir to
provide executable ACL inheritance for files for owner@,
# chmod A=owner@:rwxpcCosRrWaAdD:fd:allow,group@:rwxp:fd:allow,everyone@::fd:allow test1.dir
# ls -Vd test1.dir
drwxrwx---+ 2 root root 2 Dec 3 15:16 test1.dir
owner@:rwxpdDaARWcCos:fd-----:allow
group@:rwxp----------:fd-----:allow
everyone@:--------------:fd-----:allow
|
A file (file1) is created with requested permissions 0666. The resulting permissions are 0660. The
execution permission was not inherited because the creation mode did not request
it.
# touch test1.dir/file1
# ls -V test1.dir/file1
-rw-rw----+ 1 root root 0 Dec 3 15:17 file.1
owner@:rw-pdDaARWcCos:------I:allow
group@:rw-p----------:------I:allow
everyone@:--------------:------I:allow
|
Next, an executable called t is generated by using
the cc compiler in the testdir directory.
# cc -o t t.c
# ls -V t
-rwxrwx---+ 1 root root 7396 Dec 3 15:19 t
owner@:rwxpdDaARWcCos:------I:allow
group@:rwxp----------:------I:allow
everyone@:--------------:------I:allow
|
# cc -o t t.c
# ls -V t
-rwxrwx---+ 1 root root 7396 Dec 3 15:19 t
owner@:rwxpdDaARWcCos:------:allow
group@:rwxp----------:------:allow
everyone@:--------------:------:allow
|
The resulting permissions are 0770 because cc requested
permissions 0777, which caused the execute permission to
be inherited from the owner@, group@,
and everyone@ entries.
Scarica il manuale in formato PDF (1709 KB)