A description of this directory ACL is as follows:

0:owner@

Owner deny list is empty for the directory (::deny).

1:owner@

Owner can read and modify the directory contents (list_directory/read_data/add_file/write_data/add_subdirectory/append_data), execute (search) the directory (execute), and modify the directory's attributes such as time stamps, extended attributes, and ACLs (write_xattr/write_attributes/write_acl). In addition, the owner is granted the ability to change the ownership of the directory (write_owner:allow).

2:group@

Group cannot add to or modify the directory contents (add_file/write_data/add_subdirectory/append_data:deny).

3:group@

Group can list and read the directory contents and has execute (search) permission on the directory (list_directory/read_data/execute:allow).

4:everyone@

Everyone who is neither the owner nor a member of the group is denied permission to add to or modify the contents of the directory (add_file/write_data/add_subdirectory/append_data). In addition, permission to modify any attributes of the directory, including its ACL and ownership, is denied (write_xattr/write_attributes/write_acl/write_owner:deny).

5:everyone@

Everyone who is neither the owner nor a member of the group is granted read and execute permission on the directory contents and read permission on the directory's attributes (list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:allow). The synchronize access permission is not currently implemented.

7.3 Setting and Displaying ACLs on ZFS Files

You can use the chmod command to modify ACLs on ZFS files. The following chmod syntax for modifying ACLs uses acl-specification to identify the format of the ACL. For a description of acl-specification, see 7.1.1 ACL Format Description.

  • Adding ACL entries

    • Adding an ACL entry by index-ID

      % chmod Aindex-ID+acl-specification filename

      This syntax inserts the new ACL entry at the specified index-ID location.

    • Adding an ACL entry for a user

      % chmod A+acl-specification filename

  • Removing ACL entries

    • Removing an ACL entry by index-ID

      % chmod Aindex-ID- filename

    • Removing an ACL entry by user

      % chmod A-acl-specification filename

    • Removing an ACL from a file

      % chmod A- filename

  • Replacing an ACL entry

    % chmod Aindex-ID=acl-specification filename

    % chmod A=acl-specification filename

Note the space between the # (pound sign) and the index-ID.

ACL information can be displayed with the ls -v command.

Example 7-1 Modifying Trivial ACLs on ZFS Files

The following section provides examples of setting and displaying trivial ACLs.

For example, given the following ACL on file.1:

# ls -v file.1
-rw-r--r--   1 root     root        2703 Nov  4 12:37 file.1
     0:owner@:execute:deny
     1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2:group@:write_data/append_data/execute:deny
     3:group@:read_data:allow
     4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow

Change the group@ permissions to read_data/write_data. For example:

# chmod A3=group@:read_data/write_data:allow file.1
# ls -v file.1
-rw-r--r--   1 root     root        2703 Nov  4 12:37 file.1
     0:owner@:execute:deny
     1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2:group@:write_data/append_data/execute:deny
     3:group@:read_data/write_data:allow
     4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow

Add read_data/execute permissions for the user gozer on the test.dir directory. For example:

# chmod A+user:gozer:read_data/execute:allow test.dir
# ls -dv test.dir
drwxr-xr-x+  2 root     root           2 Nov  4 11:10 test.dir
     0:user:gozer:list_directory/read_data/execute:allow
     1:owner@::deny
     2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner:allow
     3:group@:add_file/write_data/add_subdirectory/append_data:deny
     4:group@:list_directory/read_data/execute:allow
     5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
         /write_attributes/write_acl/write_owner:deny
     6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow

Remove read_data/execute permissions for user gozer. For example:

# chmod A0- test.dir
# ls -dv test.dir
drwxr-xr-x   2 root     root           2 Nov  4 11:10 test.dir
     0:owner@::deny
     1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner:allow
     2:group@:add_file/write_data/add_subdirectory/append_data:deny
     3:group@:list_directory/read_data/execute:allow
     4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
         /write_attributes/write_acl/write_owner:deny
     5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow
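To make the index semantics of the chmod forms in 7.3 and the edits in Example 7-1 concrete, here is an added example that is not code from the Sun guide: a small Python model that parses ls -v / ls -dv output, applies the A+, A#+, A-, A#-, A= and A#= forms to an in-memory copy of the ACL, renders the result the way ls -v prints it (including the list_directory/read_data style aliases shown for directories), and then computes what a requester who is neither owner nor group member (everyone@) effectively gets, so that an ACL change can be reviewed before it is applied. The test.dir listing from Example 7-1 is embedded as the input. Two things are assumptions of this model rather than statements on this page: entries are evaluated in order with the first entry naming a permission deciding it, and A- is modelled as dropping every entry other than the owner@/group@/everyone@ ones. The function and constant names are the example's own.

```python
"""Added example, not from the Sun guide: parse ls -v / ls -dv output, apply the
A+, A#+, A-, A#-, A= and A#= chmod forms of section 7.3 to an in-memory ACL,
render it as ls -v would, and compute what everyone@ can effectively do."""
import re
from dataclasses import dataclass

# On a directory ls -v prints a directory-specific name beside the generic one.
DIR_ALIAS = {"read_data": "list_directory", "write_data": "add_file",
             "append_data": "add_subdirectory"}
ALIAS_TO_GENERIC = {v: k for k, v in DIR_ALIAS.items()}
# Rights that let a principal change content, attributes, the ACL or the owner.
RISKY = {"write_data", "append_data", "write_xattr", "write_attributes",
         "write_acl", "write_owner"}

@dataclass
class Ace:
    who: str     # owner@, group@, everyone@, user:NAME or group:NAME
    perms: list  # generic permission names, directory aliases collapsed
    kind: str    # "allow" or "deny"

    @classmethod
    def parse(cls, spec):
        """Parse one acl-specification, e.g. user:gozer:read_data/execute:allow."""
        parts = spec.split(":")
        if len(parts) < 3 or parts[-1] not in ("allow", "deny"):
            raise ValueError(f"bad ACL entry: {spec!r}")
        perms = [ALIAS_TO_GENERIC.get(n, n) for n in parts[-2].split("/") if n]
        return cls(":".join(parts[:-2]), list(dict.fromkeys(perms)), parts[-1])

    def render(self, is_dir):
        names = []
        for p in self.perms:
            names += [DIR_ALIAS[p], p] if is_dir and p in DIR_ALIAS else [p]
        return f"{self.who}:{'/'.join(names)}:{self.kind}"

def parse_ls_v(listing):
    """Return (is_dir, [Ace, ...]) from the output of ls -v or ls -dv."""
    lines = [ln for ln in listing.splitlines() if ln.strip()]
    entries = []
    for ln in lines[1:]:              # lines[0] is the ls -l style line
        m = re.match(r"\s*\d+:(.*)$", ln)
        if m:
            entries.append(m.group(1))
        else:                         # wrapped continuation of the last entry
            entries[-1] += ln.strip()
    return lines[0].lstrip().startswith("d"), [Ace.parse(e) for e in entries]

def render_acl(aces, is_dir):
    """Format the ACL as ls -v numbers it, one entry per line."""
    return "\n".join(f"{i}:{a.render(is_dir)}" for i, a in enumerate(aces))

def chmod_acl(aces, arg):
    """Apply one chmod argument of the forms in section 7.3 to a copy of aces."""
    m = re.fullmatch(r"A(\d*)([+\-=])(.*)", arg)
    if not m:
        raise ValueError(f"not an ACL chmod argument: {arg!r}")
    idx, op, spec = m.groups()
    new = list(aces)
    added = [Ace.parse(s) for s in spec.split(",")] if spec else []
    if op == "+":                     # A+ prepends at index 0, A#+ inserts at #
        pos = int(idx) if idx else 0
        new[pos:pos] = added
    elif op == "=":                   # A#= replaces entry #, A= the whole ACL
        new = new[:int(idx)] + added + new[int(idx) + 1:] if idx else added
    elif spec:                        # A-spec removes the matching entries
        new = [a for a in new if a not in added]
    elif idx:                         # A#- removes entry #
        del new[int(idx)]
    else:                             # A-: assumed to keep only trivial entries
        new = [a for a in new if a.who in ("owner@", "group@", "everyone@")]
    return new

def effective(aces, principals):
    """Permissions a requester matching `principals` gets. Entries are walked in
    order and the first one naming a permission settles it (assumed NFSv4 rule)."""
    decided = {}
    for a in aces:
        if a.who in principals:
            for p in a.perms:
                decided.setdefault(p, a.kind)
    return {p for p, k in decided.items() if k == "allow"}

def risky_grants(aces):
    """Risky permissions that everyone@ (neither owner nor group) ends up with."""
    return sorted(effective(aces, {"everyone@"}) & RISKY)

# Listing copied from Example 7-1 on this page (ls -dv test.dir before gozer's entry).
TESTDIR = """\
drwxr-xr-x   2 root     root           2 Nov  4 11:10 test.dir
     0:owner@::deny
     1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner:allow
     2:group@:add_file/write_data/add_subdirectory/append_data:deny
     3:group@:list_directory/read_data/execute:allow
     4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
         /write_attributes/write_acl/write_owner:deny
     5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow
"""
```

Running chmod_acl(acl, "A+user:gozer:read_data/execute:allow") on the parsed listing reproduces the numbering shown in Example 7-1 (gozer's entry at index 0, everything else shifted by one), and chmod_acl(..., "A0-") restores the original. The ordering check is the part worth keeping at hand when reviewing a change: an everyone@:write_data:allow entry prepended with A+ shows up in risky_grants because it is reached before everyone@'s deny entry, while the same entry inserted after that deny with A6+ changes nothing, which is why the index given to chmod matters as much as the entry itself.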

Example 7-2 ACL Interaction With Permissions on ZFS Files

The following ACL scenarios illustrate the interaction between setting explicit ACLs and then changing the file or directory's permission bits.

Given the following ACL on file.2:

# ls -v file.2
-rw-r--r--   1 root     root      206663 Nov  4 12:41 file.2
     0:owner@:execute:deny
     1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2:group@:write_data/append_data/execute:deny
     3:group@:read_data:allow
     4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
