A description of this directory ACL is as follows:

0:owner@ - The owner deny list is empty for the directory (::deny).

1:owner@ - The owner can read and modify the directory contents (list_directory/read_data/add_file/write_data/add_subdirectory/append_data), has execute permission (execute), and can modify the directory's attributes such as time stamps, extended attributes, and ACLs (write_xattr/write_attributes/write_acl). In addition, the owner is granted the ability to modify the ownership of the directory (write_owner:allow).

2:group@ - The group cannot add to or modify the directory contents (add_file/write_data/add_subdirectory/append_data:deny).

3:group@ - The group can list and read the directory contents. In addition, the group has execute permission on the directory contents (list_directory/read_data/execute:allow).

4:everyone@ - Everyone who is not user or group is denied permission to add to or modify the contents of the directory (add_file/write_data/add_subdirectory/append_data). In addition, permission to modify any attributes of the directory is also denied (write_xattr/write_attributes/write_acl/write_owner:deny).

5:everyone@ - Everyone who is not user or group is granted read and execute permissions to the directory contents and the directory's attributes (list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:allow). The synchronize access permission is not currently implemented.
7.3 Setting and Displaying ACLs on ZFS Files
You can use the chmod command to modify ACLs on ZFS files.
The following chmod syntax for modifying ACLs uses acl-specification to identify the format of the ACL. For a description of acl-specification, see 7.1.1 ACL Format Description.
Adding ACL entries

Adding an ACL entry by index-ID:

    % chmod Aindex-ID+acl-specification filename

This syntax inserts the new ACL entry at the specified index-ID location.

Adding an ACL entry for a user:

    % chmod A+acl-specification filename

Removing ACL entries

Removing an ACL entry by index-ID:

    % chmod Aindex-ID- filename

Removing an ACL entry by user:

    % chmod A-acl-specification filename

Removing an ACL from a file (all non-trivial entries):

    % chmod A- filename

Replacing an ACL entry

Replacing an ACL entry by index-ID:

    % chmod Aindex-ID=acl-specification filename

Replacing the entire ACL:

    % chmod A=acl-specification filename
Note the space between the # (pound sign) and the index-ID.
ACL information can be displayed with the ls -v command.
Example 7-1 Modifying Trivial ACLs on ZFS Files
The following section provides examples of setting and displaying trivial ACLs.
For example, given the following ACL on file.1:
# ls -v file.1
-rw-r--r-- 1 root root 2703 Nov 4 12:37 file.1
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data:allow
4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
Change the group@ permissions to read_data/write_data. For example:
# chmod A3=group@:read_data/write_data:allow file.1
# ls -v file.1
-rw-r--r-- 1 root root 2703 Nov 4 12:37 file.1
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data/write_data:allow
4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
Add read_data/execute permissions for the user gozer on the test.dir directory. For example:
# chmod A+user:gozer:read_data/execute:allow test.dir
# ls -dv test.dir
drwxr-xr-x+ 2 root root 2 Nov 4 11:10 test.dir
0:user:gozer:list_directory/read_data/execute:allow
1:owner@::deny
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
3:group@:add_file/write_data/add_subdirectory/append_data:deny
4:group@:list_directory/read_data/execute:allow
5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
Remove read_data/execute permissions for user gozer. For example:
# chmod A0- test.dir
# ls -dv test.dir
drwxr-xr-x 2 root root 2 Nov 4 11:10 test.dir
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@:add_file/write_data/add_subdirectory/append_data:deny
3:group@:list_directory/read_data/execute:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
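The following added example (not from the guide) models in Python the entries that ls -v prints, the chmod A+, Aindex=, and Aindex- edits used in Example 7-1, and the first-match access check ZFS applies to the resulting list; it replays the edits above on the file.1 ACL to show what each one actually changes. It assumes everyone@ entries apply to every requester (the NFSv4 rule ZFS follows) and compares permission names literally, so the list_directory/read_data aliasing ls -v prints for directories is not modelled; the user alice and the group staff are constructed.

```python
# Added example, not from the guide: models the ACL entries ls -v prints, the
# chmod A... edits of section 7.3, and the first-match access check ZFS applies.
FILE1 = [  # entries 0-5 of the file.1 listing in Example 7-1 (wrapped lines joined)
    "owner@:execute:deny",
    "owner@:read_data/write_data/append_data/write_xattr/write_attributes/write_acl/write_owner:allow",
    "group@:write_data/append_data/execute:deny",
    "group@:read_data:allow",
    "everyone@:write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny",
    "everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow",
]

def parse_ace(spec):
    """'owner@:read_data:allow' or 'user:gozer:read_data:allow' -> [who, perms, type]."""
    parts = spec.split(":")
    n = 2 if parts[0] in ("user", "group") else 1   # user:NAME / group:NAME carry a name
    return [":".join(parts[:n]), [p for p in parts[n].split("/") if p], parts[n + 1]]

def acl_add(acl, spec, index=0):      # chmod A+spec prepends; chmod Aindex+spec inserts
    acl.insert(index, parse_ace(spec))
def acl_replace(acl, index, spec):    # chmod Aindex=spec
    acl[index] = parse_ace(spec)
def acl_remove(acl, index):           # chmod Aindex-
    del acl[index]

def ace_applies(who, user, groups, owner, group):
    """Does the entry's principal cover the requesting user? (everyone@ covers all: assumed)"""
    if who in ("owner@", "group@", "everyone@"):
        return {"owner@": user == owner, "group@": group in groups, "everyone@": True}[who]
    kind, name = who.split(":")
    return name == user if kind == "user" else name in groups

def allowed(acl, user, groups, owner, group, wanted):
    """Each wanted permission is decided by the first applicable entry naming it."""
    for perm in wanted:
        for who, perms, kind in acl:
            if perm in perms and ace_applies(who, user, groups, owner, group):
                if kind == "deny":
                    return False
                break                 # granted; check the next permission
        else:
            return False              # no entry mentions it: denied
    return True

def replay_example_7_1():
    """Replay the chmod edits of Example 7-1 on file.1 (owner root, group root)."""
    acl, out = [parse_ace(s) for s in FILE1], {}
    acl_replace(acl, 3, "group@:read_data/write_data:allow")          # chmod A3=...
    # entry 2 (group@:write_data/...:deny) still comes first, so the group stays denied
    out["group write after A3="] = allowed(acl, "alice", ["root"], "root", "root", ["write_data"])
    acl_add(acl, "user:gozer:read_data/execute:allow")                # chmod A+...
    out["gozer exec after A+"] = allowed(acl, "gozer", ["staff"], "root", "root", ["execute"])
    acl_remove(acl, 0)                                                # chmod A0-
    out["gozer exec after A0-"] = allowed(acl, "gozer", ["staff"], "root", "root", ["execute"])
    return out
```

The replay shows why the mode bits stay -rw-r--r-- after chmod A3= above: the group@ deny at index 2 is matched before the new allow at index 3, so ordering, not just the presence of an allow entry, decides access.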
Example 7-2 ACL Interaction With Permissions on ZFS Files
The following ACL scenarios illustrate the interaction between setting explicit
ACLs and then changing the file or directory's permission bits.
Given the following ACL on file.2:
# ls -v file.2
-rw-r--r-- 1 root root 206663 Nov 4 12:41 file.2
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data:allow
4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow