Skip Navigation Links | |
Exit Print View | |
Oracle Solaris 11.1 Administration: ZFS File Systems Oracle Solaris 11.1 Information Library |
1. Oracle Solaris ZFS File System (Introduction)
2. Getting Started With Oracle Solaris ZFS
3. Managing Oracle Solaris ZFS Storage Pools
4. Managing ZFS Root Pool Components
5. Managing Oracle Solaris ZFS File Systems
6. Working With Oracle Solaris ZFS Snapshots and Clones
7. Using ACLs and Attributes to Protect Oracle Solaris ZFS Files
Syntax Descriptions for Setting ACLs
Setting and Displaying ACLs on ZFS Files in Verbose Format
Setting ACL Inheritance on ZFS Files in Verbose Format
Applying Special Attributes to ZFS Files
8. Oracle Solaris ZFS Delegated Administration
9. Oracle Solaris ZFS Advanced Topics
10. Oracle Solaris ZFS Troubleshooting and Pool Recovery
11. Archiving Snapshots and Root Pool Recovery
12. Recommended Oracle Solaris ZFS Practices
You can set and display permissions on ZFS files in a compact format that uses 14 unique letters to represent the permissions. The letters that represent the compact permissions are listed in Table 7-2 and Table 7-4.
You can display compact ACL listings for files and directories by using the ls -V command. For example:
# ls -V file.1 -rw-r--r-- 1 root root 206695 Jul 20 14:27 file.1 owner@:rw-p--aARWcCos:-------:allow group@:r-----a-R-c--s:-------:allow everyone@:r-----a-R-c--s:-------:allow
The compact ACL output is described as follows:
The owner can read and modify the contents of the file (rw=read_data/write_data), (p=append_data). The owner can also modify the file's attributes such as timestamps, extended attributes, and ACLs (a=read_attributes, W=write_xattr, R=read_xattr, A=write_attributes, c=read_acl, C=write_acl). In addition, the owner can modify the ownership of the file (o=write_owner).
The synchronize (s) access permission is not currently implemented.
The group is granted read permissions to the file (r=read_data) and the file's attributes (a=read_attributes, R=read_xattr, c=read_acl).
The synchronize (s) access permission is not currently implemented.
Everyone who is not user or group is granted read permissions to the file and the file's attributes (r=read_data, a=append_data, R=read_xattr, c=read_acl, and s=synchronize).
The synchronize (s) access permission is not currently implemented.
Compact ACL format provides the following advantages over verbose ACL format:
Permissions can be specified as positional arguments to the chmod command.
The hyphen (-) characters, which identify no permissions, can be removed and only the required letters need to be specified.
Both permissions and inheritance flags are set in the same fashion.
For information about using the verbose ACL format, see Setting and Displaying ACLs on ZFS Files in Verbose Format.
Example 7-11 Setting and Displaying ACLs in Compact Format
In the following example, a trivial ACL exists on file.1:
# ls -V file.1 -rw-r--r-- 1 root root 206695 Jul 20 14:27 file.1 owner@:rw-p--aARWcCos:-------:allow group@:r-----a-R-c--s:-------:allow everyone@:r-----a-R-c--s:-------:allow
In this example, read_data/execute permissions are added for the user gozer on file.1.
# chmod A+user:gozer:rx:allow file.1 # ls -V file.1 -rw-r--r--+ 1 root root 206695 Jul 20 14:27 file.1 user:gozer:r-x-----------:-------:allow owner@:rw-p--aARWcCos:-------:allow group@:r-----a-R-c--s:-------:allow everyone@:r-----a-R-c--s:-------:allow
In the following example, user gozer is granted read, write, and execute permissions that are inherited for newly created files and directories by using the compact ACL format.
# chmod A+user:gozer:rwx:fd:allow dir.2 # ls -dV dir.2 drwxr-xr-x+ 2 root root 2 Jul 20 14:33 dir.2 user:gozer:rwx-----------:fd-----:allow owner@:rwxp-DaARWcCos:-------:allow group@:r-x---a-R-c--s:-------:allow everyone@:r-x---a-R-c--s:-------:allow
You can also cut and paste permissions and inheritance flags from the ls -V output into the compact chmod format. For example, to duplicate the permissions and inheritance flags on dir.2 for user gozer to user cindy on dir.2, copy and paste the permission and inheritance flags (rwx-----------:fd-----:allow) into your chmod command. For example:
# chmod A+user:cindy:rwx-----------:fd-----:allow dir.2 # ls -dV dir.2 drwxr-xr-x+ 2 root root 2 Jul 20 14:33 dir.2 user:cindy:rwx-----------:fd-----:allow user:gozer:rwx-----------:fd-----:allow owner@:rwxp-DaARWcCos:-------:allow group@:r-x---a-R-c--s:-------:allow everyone@:r-x---a-R-c--s:-------:allow
Example 7-12 ACL Inheritance With ACL Inherit Mode Set to Pass Through
A file system that has the aclinherit property set to passthrough inherits all inheritable ACL entries without any modifications made to the ACL entries when they are inherited. When this property is set to passthrough, files are created with a permission mode that is determined by the inheritable ACEs. If no inheritable ACEs exist that affect the permission mode, then the permission mode is set in accordance to the requested mode from the application.
The following examples use compact ACL syntax to show how to inherit permission bits by setting aclinherit mode to passthrough.
In this example, an ACL is set on test1.dir to force inheritance. The syntax creates an owner@, group@, and everyone@ ACL entry for newly created files. Newly created directories inherit an @owner, group@, and everyone@ ACL entry.
# zfs set aclinherit=passthrough tank/cindy # pwd /tank/cindy # mkdir test1.dir
# chmod A=owner@:rwxpcCosRrWaAdD:fd:allow,group@:rwxp:fd:allow, everyone@::fd:allow test1.dir # ls -Vd test1.dir drwxrwx---+ 2 root root 2 Jul 20 14:42 test1.dir owner@:rwxpdDaARWcCos:fd-----:allow group@:rwxp----------:fd-----:allow everyone@:--------------:fd-----:allow
In this example, a newly created file inherits the ACL that was specified to be inherited to newly created files.
# cd test1.dir # touch file.1 # ls -V file.1 -rwxrwx---+ 1 root root 0 Jul 20 14:44 file.1 owner@:rwxpdDaARWcCos:------I:allow group@:rwxp----------:------I:allow everyone@:--------------:------I:allow
In this example, a newly created directory inherits both ACEs that control access to this directory as well as ACEs for future propagation to children of the newly created directory.
# mkdir subdir.1 # ls -dV subdir.1 drwxrwx---+ 2 root root 2 Jul 20 14:45 subdir.1 owner@:rwxpdDaARWcCos:fd----I:allow group@:rwxp----------:fd----I:allow everyone@:--------------:fd----I:allow
The fd----I entries are for propagating inheritance and are not considered during access control.
In the following example, a file is created with a trivial ACL in another directory where inherited ACEs are not present.
# cd /tank/cindy # mkdir test2.dir # cd test2.dir # touch file.2 # ls -V file.2 -rw-r--r-- 1 root root 0 Jul 20 14:48 file.2 owner@:rw-p--aARWcCos:-------:allow group@:r-----a-R-c--s:-------:allow everyone@:r-----a-R-c--s:-------:allow
Example 7-13 ACL Inheritance With ACL Inherit Mode Set to Pass Through-X
When aclinherit=passthrough-x is enabled, files are created with the execute (x) permission for owner@, group@, or everyone@, but only if execute permission is set in the file creation mode and in an inheritable ACE that affects the mode.
The following example shows how to inherit the execute permission by setting aclinherit mode to passthrough-x.
# zfs set aclinherit=passthrough-x tank/cindy
The following ACL is set on /tank/cindy/test1.dir to provide executable ACL inheritance for files for owner@.
# chmod A=owner@:rwxpcCosRrWaAdD:fd:allow,group@:rwxp:fd:allow, everyone@::fd:allow test1.dir # ls -Vd test1.dir drwxrwx---+ 2 root root 2 Jul 20 14:50 test1.dir owner@:rwxpdDaARWcCos:fd-----:allow group@:rwxp----------:fd-----:allow everyone@:--------------:fd-----:allow
A file (file1) is created with requested permissions 0666. The resulting permissions are 0660. The execution permission was not inherited because the creation mode did not request it.
# touch test1.dir/file1 # ls -V test1.dir/file1 -rw-rw----+ 1 root root 0 Jul 20 14:52 test1.dir/file1 owner@:rw-pdDaARWcCos:------I:allow group@:rw-p----------:------I:allow everyone@:--------------:------I:allow
Next, an executable called t is generated by using the cc compiler in the testdir directory.
# cc -o t t.c # ls -V t -rwxrwx---+ 1 root root 7396 Dec 3 15:19 t owner@:rwxpdDaARWcCos:------I:allow group@:rwxp----------:------I:allow everyone@:--------------:------I:allow
The resulting permissions are 0770 because cc requested permissions 0777, which caused the execute permission to be inherited from the owner@, group@, and everyone@ entries.
Example 7-14 ACL Interaction With chmod Operations on ZFS Files
The following examples illustrate how specific aclmode and aclinherit property values influence the interaction of existing ACLs with a chmod operation that changes file or directory permissions to either reduce or expand any existing ACL permissions to be consistent with the owning group.
In this example, the aclmode property is set to mask and the aclinherit property is set to restricted. The ACL permissions in this example are displayed in compact mode, which more easily illustrates changing permissions.
The original file and group ownership and ACL permissions are as follows:
# zfs set aclmode=mask pond/whoville # zfs set aclinherit=restricted pond/whoville # ls -lV file.1 -rwxrwx---+ 1 root root 206695 Aug 30 16:03 file.1 user:amy:r-----a-R-c---:-------:allow user:rory:r-----a-R-c---:-------:allow group:sysadmin:rw-p--aARWc---:-------:allow group:staff:rw-p--aARWc---:-------:allow owner@:rwxp--aARWcCos:-------:allow group@:rwxp--aARWc--s:-------:allow everyone@:------a-R-c--s:-------:allow
A chown operation changes the file ownership on file.1 and the output is now seen by the owning user, amy. For example:
# chown amy:staff file.1 # su - amy $ ls -lV file.1 -rwxrwx---+ 1 amy staff 206695 Aug 30 16:03 file.1 user:amy:r-----a-R-c---:-------:allow user:rory:r-----a-R-c---:-------:allow group:sysadmin:rw-p--aARWc---:-------:allow group:staff:rw-p--aARWc---:-------:allow owner@:rwxp--aARWcCos:-------:allow group@:rwxp--aARWc--s:-------:allow everyone@:------a-R-c--s:-------:allow
The following chmod operation changes the permissions to a more restrictive mode. In this example, the modified sysadmin group's and staff group's ACL permissions do not exceed the owning group's permissions.
$ chmod 640 file.1 $ ls -lV file.1 -rw-r-----+ 1 amy staff 206695 Aug 30 16:03 file.1 user:amy:r-----a-R-c---:-------:allow user:rory:r-----a-R-c---:-------:allow group:sysadmin:r-----a-R-c---:-------:allow group:staff:r-----a-R-c---:-------:allow owner@:rw-p--aARWcCos:-------:allow group@:r-----a-R-c--s:-------:allow everyone@:------a-R-c--s:-------:allow
The following chmod operation changes the permissions to a less restrictive mode. In this example, the modified sysadmin group's and staff group's ACL permissions are restored to allow the same permissions as the owning group.
$ chmod 770 file.1 $ ls -lV file.1 -rwxrwx---+ 1 amy staff 206695 Aug 30 16:03 file.1 user:amy:r-----a-R-c---:-------:allow user:rory:r-----a-R-c---:-------:allow group:sysadmin:rw-p--aARWc---:-------:allow group:staff:rw-p--aARWc---:-------:allow owner@:rwxp--aARWcCos:-------:allow group@:rwxp--aARWc--s:-------:allow everyone@:------a-R-c--s:-------:allow