Oracle Solaris 10 ZFS Administration

Using ACLs to Protect ZFS Files
 
From docs.oracle.com: Using ACLs to Protect ZFS Files.


Bloggers

Mark Shellenbaum's Weblog describes ZFS ACLs.

Lisa Week's Weblog describes NFSv4 ACLs and ZFS ACLs.

Random ramblings of a paranoid git: Using ZFS ACLs to restrict what a user can do

Doug McCallum's Share Manager Weblog: ACLs on Shares

Virtually All The Time: Sherlock Holmes and The Adventure of the Odd Permissions


Other

Setting ACLs on ZFS Files

IBM, Working with filesystems using NFSV4 ACLs

Systemnews, Access Control Lists on Solaris OS with ZFS, by Ben Rockwood.

ECE/CIS Documentation ACLs FAQ.


ACL Property Modes

aclinherit property modes

  discard
      For new objects, no ACL entries are inherited when a file or directory is created. The ACL on the file or directory will be equal to the permission mode of the file or directory.

  noallow
      For new objects, only inheritable ACL entries that have an access type of deny are inherited.

  restricted
      For new objects, the write_owner and write_acl permissions are removed when an ACL entry is inherited. (The default mode is restricted.)

  passthrough
      For new objects, the inheritable ACL entries are inherited with no changes made to them. This mode, in effect, disables restricted mode.


aclmode property modes

  discard
      All ACL entries are removed except for those needed to define the mode of the file or directory.

  groupmask
      User or group ACL permissions are reduced so that they are no greater than the group permission bits, unless it is a user entry that has the same UID as the owner of the file or directory. In that case, the ACL permissions are reduced so that they are no greater than the owner permission bits. (The default mode is groupmask.)

  passthrough
      For new objects, the inheritable ACL entries are inherited with no changes made to them.


Compact ACL Format

A compact ACL entry has four fields: the entry type, 14 access bits, 6 inheritance flags, and allow or deny. A letter in its fixed position means that permission or flag is set; a dash means it is not.

            owner@:--------------:------:deny
                   ||||||||||||||:||||||
       (r)ead_data <|||||||||||||:|||||>- Not Used
      (w)rite_data -<||||||||||||:||||>-- Not Used
         e(x)ecute --<|||||||||||:|||>--- (n)o_propagate
     a(p)pend_data ---<||||||||||:||>---- (i)nherit_only
          (d)elete ----<|||||||||:|>----- (d)ir_inherit
    (D)elete_child -----<||||||||:>------ (f)ile_inherit
 read_(a)ttributes ------<|||||||
write_(A)ttributes -------<||||||
      (R)ead_xattr --------<|||||
     (W)rite_xattr ---------<||||
        read_a(c)l ----------<|||
       write_a(C)l -----------<||
     write_(o)wner ------------<|
   Not Used (s)ync -------------<


ACL Access Privileges

Each entry gives the access privilege, its compact form (the letter used in the compact ACL format), and a description.

  add_file (w)
      Permission to add a new file to a directory.

  add_subdirectory (p)
      On a directory, permission to create a subdirectory.

  append_data (p)
      Placeholder. Not currently implemented.

  delete (d)
      Permission to delete a file.

  delete_child (D)
      Permission to delete a file or directory within a directory.

  execute (x)
      Permission to execute a file or search the contents of a directory.

  list_directory (r)
      Permission to list the contents of a directory.

  read_acl (c)
      Permission to read the ACL (ls).

  read_attributes (a)
      Permission to read basic attributes (non-ACLs) of a file. Think of basic attributes as the stat-level attributes. Allowing this access mask bit means the entity can execute ls(1) and stat(2).

  read_data (r)
      Permission to read the contents of the file.

  read_xattr (R)
      Permission to read the extended attributes of a file or perform a lookup in the file's extended attributes directory.

  synchronize (s)
      Placeholder. Not currently implemented.

  write_xattr (W)
      Permission to create extended attributes or write to the extended attributes directory.
      Granting this permission to a user means that the user can create an extended attribute directory for a file. The attribute file's permissions control the user's access to the attribute.

  write_data (w)
      Permission to modify or replace the contents of a file.

  write_attributes (A)
      Permission to change the times associated with a file or directory to an arbitrary value.

  write_acl (C)
      Permission to write the ACL, or the ability to modify the ACL by using the chmod command.

  write_owner (o)
      Permission to change the file's owner or group, or the ability to execute the chown or chgrp commands on the file.
      Permission to take ownership of a file, or permission to change the group ownership of the file to a group of which the user is a member. If you want to change the file or group ownership to an arbitrary user or group, the PRIV_FILE_CHOWN privilege is required.

ACL Inheritance Flags

Each entry gives the inheritance flag, its compact form, and a description.

  file_inherit (f)
      Only inherit the ACL from the parent directory to the directory's files.

  dir_inherit (d)
      Only inherit the ACL from the parent directory to the directory's subdirectories.

  inherit_only (i)
      Inherit the ACL from the parent directory, but apply it only to newly created files or subdirectories and not to the directory itself. This flag requires the file_inherit flag, the dir_inherit flag, or both, to indicate what to inherit.

  no_propagate (n)
      Only inherit the ACL from the parent directory to the first-level contents of the directory, not the second-level or subsequent contents. This flag requires the file_inherit flag, the dir_inherit flag, or both, to indicate what to inherit.

  - (N/A)
      No permission granted.


Using ZFS ACL pass-through inheritance for execute permission. In previous Solaris releases, you could apply ACL inheritance so that all files were created with 0664 or 0666 permissions. If you want to optionally include the execute bit from the file creation mode in the inherited ACL, you can use pass-through inheritance for execute permission in this release.

If aclinherit=passthrough-x is enabled on a ZFS dataset, you can include execute permission for an output file that is generated from cc or gcc tools. If the inherited ACL does not include execute permission, then the executable output from the compiler won't be executable until you use the chmod command to change the file's permissions.
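As an added example (written for this page, not Oracle's zfs_acl.c), the Python below parses compact entries in the layout of the diagram above, expands their letters to the names in the access-privilege table, and applies the aclinherit modes from the modes table, including passthrough-x, to compute what a new file inherits from its parent directory. It assumes the entry syntax who:14 access bits:6 inheritance flags:allow|deny, and that passthrough-x checks only owner@, group@ and everyone@ against the creation mode's execute bits.

```python
import re

PERM_BITS = "rwxpdDaARWcCos"  # the 14 access bits, in compact order (see the diagram)
INHERIT_BITS = "fdin--"       # file_inherit, dir_inherit, inherit_only, no_propagate, 2 unused
PERM_NAMES = dict(zip(PERM_BITS, ("read_data write_data execute append_data delete delete_child "
    "read_attributes write_attributes read_xattr write_xattr read_acl write_acl write_owner "
    "synchronize").split()))
ENTRY_RE = re.compile(r"^(owner@|group@|everyone@|user:[^:]+|group:[^:]+):"
                      r"([rwxpdDaARWcCos-]{14}):([fdin-]{6}):(allow|deny)$")
MODES = ("discard", "noallow", "restricted", "passthrough", "passthrough-x")
EXEC_BIT = {"owner@": 0o100, "group@": 0o010, "everyone@": 0o001}  # mode bits consulted by passthrough-x (assumed)

def parse_entry(text):
    """'owner@:rwxp--aARWcCos:fd----:allow' -> (who, perms, inherit flags, allow|deny)."""
    m = ENTRY_RE.match(text)
    if not m:
        raise ValueError(f"not a compact ACL entry: {text!r}")
    who, perms, flags, etype = m.groups()
    for field, layout in ((perms, PERM_BITS), (flags, INHERIT_BITS)):
        if any(c != "-" and c != layout[i] for i, c in enumerate(field)):
            raise ValueError(f"bit out of position in {text!r}")  # every bit has a fixed column
    return who, {c for c in perms if c != "-"}, {c for c in flags if c != "-"}, etype

def to_compact(who, perms, flags, etype):
    """Inverse of parse_entry; always emits the fixed 14-bit and 6-flag layout."""
    p = "".join(c if c in perms else "-" for c in PERM_BITS)
    f = "".join(c if c in flags else "-" for c in INHERIT_BITS)
    return f"{who}:{p}:{f}:{etype}"

def verbose_perms(perms):
    """Compact letters -> long names from the access-privilege table, in bit order."""
    return [PERM_NAMES[c] for c in PERM_BITS if c in perms]

def inherit_for_new_file(parent_acl, aclinherit, create_mode):
    """Entries a new *file* receives from its parent directory's ACL under one aclinherit
    mode. Files carry no inheritance flags, so the flag field is cleared on every copy."""
    if aclinherit not in MODES:
        raise ValueError(f"unknown aclinherit mode {aclinherit!r}")
    if aclinherit == "discard":
        return []  # the file's ACL is derived from create_mode alone
    out = []
    for who, perms, flags, etype in map(parse_entry, parent_acl):
        if "f" not in flags or (aclinherit == "noallow" and etype != "deny"):
            continue  # only file_inherit entries reach a file; noallow keeps deny entries only
        if aclinherit == "restricted":
            perms -= {"o", "C"}  # strip write_owner and write_acl
        elif aclinherit == "passthrough-x" and who in EXEC_BIT and not create_mode & EXEC_BIT[who]:
            perms.discard("x")  # execute is kept only if the creation mode also requests it
        out.append(to_compact(who, perms, set(), etype))
    return out
```

Feeding the same parent ACL through passthrough-x with a compiler-style 0755 creation mode keeps the x bit, while a 0644 mode drops it, which is the behaviour the paragraph above describes.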


Using ZFS ACL Sets. The Solaris 10 10/09 release provides the ability to apply NFSv4-style ACLs in sets, rather than applying different ACL permissions individually. The following ACL sets are provided:

  • full_set = all permissions

  • modify_set = all permissions except write_acl and write_owner

  • read_set = read_data, read_attributes, read_xattr, and read_acl

  • write_set = write_data, append_data, write_attributes, and write_xattr

These ACL sets are pre-defined and cannot be modified.


Solaris 10 Update 9:

An existing ACL is discarded during chmod(2) operations by default. This change means that the ZFS aclmode property is no longer available.