Remove ACL allow permissions from everyone@. For example:
# chmod A5- file.2
# ls -v file.2
-rw-r----- 1 root root 206663 Nov 4 12:41 file.2
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data:allow
4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
In the above output, the file's permission bits are reset from 644 to 640. You have effectively removed read permission for other from the file's permission bits by removing the everyone@ allow entry: with no everyone@:read_data:allow entry left in the ACL, the other class gets no read bit.
Replace the existing ACL with read_data/write_data permissions
for everyone@. For example:
# chmod A=everyone@:read_data/write_data:allow file.3
# ls -v file.3
-rw-rw-rw-+ 1 root root 2703 Nov 4 14:52 file.3
0:everyone@:read_data/write_data:allow
In the above example, the chmod A= syntax replaces the entire existing ACL with a single everyone@:read_data/write_data:allow entry, which translates to read/write permission for owner, group, and other. In this model, everyone@ means any user or group, the owner and owning group included. Because no owner@ or group@ entry remains to override the owner and group permissions, the permission bits are set to 666.
Replace the existing ACL with read permissions for user gozer.
For example:
# chmod A=user:gozer:read_data:allow file.3
# ls -v file.3
----------+ 1 root root 2703 Nov 4 14:55 file.3
0:user:gozer:read_data:allow
Using the above syntax, the file's permission bits are computed to be 000 because no ACL entries exist for owner@, group@ or everyone@, which are the entries that map to the traditional owner, group and other permission components of a file. Only the explicit user:gozer entry remains, so gozer can still read the file, but nobody is granted anything through the mode bits. As the owner of the file, you can resolve this by resetting the permissions, which also regenerates the owner@, group@ and everyone@ entries of the ACL, as follows:
# chmod 655 file.3
# ls -v file.3
-rw-r-xr-x+ 1 root root 2703 Nov 4 14:55 file.3
0:user:gozer::deny
1:user:gozer:read_data:allow
2:owner@:execute:deny
3:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
4:group@:write_data/append_data:deny
5:group@:read_data/execute:allow
6:everyone@:write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:deny
7:everyone@:read_data/read_xattr/execute/read_attributes/read_acl
/synchronize:allow
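The two results above, 666 for an ACL that holds only everyone@:read_data/write_data:allow and 000 for an ACL that holds only a user:gozer entry, follow from one rule: each of the three mode classes is decided by the first owner@, group@ or everyone@ entry that mentions read_data, write_data or execute, and named user or group entries never contribute. The following Python model of that rule, added here as an example and not code from the ZFS Administration Guide or from Solaris, parses `ls -v` listings and derives the mode bits; the function names (`parse_ls_v`, `mode_from_acl`, `mode_string`) are this example's own, the sample ACL strings are constructed from the listings on this page, and treating a user: entry that happens to name the file owner like any other named entry is a simplifying assumption.

```python
"""Derive a file's permission bits from a ZFS ACL as printed by ls -v.
Added example, not code from the ZFS Administration Guide. Rule modelled: for
each mode class the first owner@/group@/everyone@ entry mentioning read_data,
write_data or execute decides that bit; everyone@ also decides any class still
undecided; user:/group: entries never affect the mode (assumption: a user:
entry naming the file owner is not special-cased). Samples are constructed.
"""
import re
from typing import List, NamedTuple

class Ace(NamedTuple):
    who: str            # "owner@", "group@", "everyone@", "user:gozer", ...
    perms: frozenset    # e.g. {"read_data", "write_data"}
    kind: str           # "allow" or "deny"
    flags: frozenset    # inheritance flags such as "file_inherit"

def parse_ls_v(text: str) -> List[Ace]:
    """Parse numbered entry lines of ls -v output; '/' or ':' lines are wraps."""
    entries: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] in "/:" and entries:
            entries[-1] += line          # continuation of the previous entry
        elif re.match(r"^\d+:", line):
            entries.append(line)         # mode/owner line etc. are skipped
    aces = []
    for entry in entries:
        fields = entry.split(":")[1:]    # drop the entry index
        if fields[0] in ("user", "group"):
            who, fields = f"{fields[0]}:{fields[1]}", fields[2:]
        else:
            who, fields = fields[0], fields[1:]
        perms = frozenset(p for p in fields[0].split("/") if p)
        flags = frozenset(f for f in fields[2:] if f)
        aces.append(Ace(who, perms, fields[1], flags))
    return aces

_BITS = {"read_data": 4, "write_data": 2, "execute": 1}
_SHIFT = {"owner@": 6, "group@": 3, "everyone@": 0}

def mode_from_acl(aces: List[Ace]) -> int:
    """Return the mode bits (0..0o777) implied by the ACL; first match wins."""
    mode = seen = 0
    for ace in aces:
        if ace.who == "everyone@":
            shifts = (6, 3, 0)           # fills whatever is still undecided
        elif ace.who in _SHIFT:
            shifts = (_SHIFT[ace.who],)
        else:
            continue                     # user:/group: entries: no effect on mode
        for perm, bit in _BITS.items():
            if perm not in ace.perms:
                continue
            for shift in shifts:
                b = bit << shift
                if not seen & b:         # earlier entry already decided it?
                    seen |= b
                    if ace.kind == "allow":
                        mode |= b
    return mode

def mode_string(mode: int) -> str:
    """Render a mode as ls does, e.g. 0o655 -> 'rw-r-xr-x'."""
    out = ""
    for shift in (6, 3, 0):
        t = (mode >> shift) & 7
        out += ("r" if t & 4 else "-") + ("w" if t & 2 else "-") + ("x" if t & 1 else "-")
    return out

# Constructed samples, copied from the ls -v listings on this page.
FILE3_EVERYONE_RW = "0:everyone@:read_data/write_data:allow"
FILE3_GOZER_ONLY = "0:user:gozer:read_data:allow"
FILE3_AFTER_CHMOD_655 = """\
0:user:gozer::deny
1:user:gozer:read_data:allow
2:owner@:execute:deny
3:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
4:group@:write_data/append_data:deny
5:group@:read_data/execute:allow
6:everyone@:write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:deny
7:everyone@:read_data/read_xattr/execute/read_attributes/read_acl
/synchronize:allow
"""

if __name__ == "__main__":
    for name, acl in (("everyone@ rw only", FILE3_EVERYONE_RW),
                      ("user:gozer only", FILE3_GOZER_ONLY),
                      ("after chmod 655", FILE3_AFTER_CHMOD_655)):
        m = mode_from_acl(parse_ls_v(acl))
        print(f"{name:18s} -> {m:03o} {mode_string(m)}")
```

Run against the three listings above, the model reproduces 666, 000 and 655; feeding it the file.2 listing from the first example yields 640, since the everyone@ deny entry decides the other class's write and execute bits and nothing decides its read bit. The ordering matters: a deny entry that precedes an allow for the same bit wins, which is why the regenerated ACL places owner@:execute:deny before owner@:...:allow.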
Example 7-3 Removing Explicit ACLs on ZFS Files
You can use the chmod command to remove all explicit ACLs
on a file or directory. For example, given the following ACL:
# ls -dv test5.dir
drwxr-xr-x+ 2 root root 2 Nov 4 14:22 test5.dir
0:user:gozer:read_data:deny:file_inherit
1:user:lp:read_data:allow:file_inherit
2:owner@::deny
3:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
4:group@:add_file/write_data/add_subdirectory/append_data:deny
5:group@:list_directory/read_data/execute:allow
6:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
7:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
Remove the explicit ACLs for users gozer and lp. The remaining ACL contains only the six default entries for owner@, group@, and everyone@, renumbered from 0, and because the ACL is now trivial, ls no longer appends + to the permission string.
# chmod A- test5.dir
# ls -dv test5.dir
drwxr-xr-x 2 root root 2 Nov 4 14:22 test5.dir
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@:add_file/write_data/add_subdirectory/append_data:deny
3:group@:list_directory/read_data/execute:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
7.3.1 Setting ACL Inheritance on ZFS Files
By default, ACLs are not propagated through a directory structure. For example,
an explicit ACL of read_data/write_data/execute is applied for
user gozer on test.dir.
# chmod A+user:gozer:read_data/write_data/execute:allow test.dir
# ls -dv test.dir
drwxr-xr-x+ 2 root root 2 Nov 4 12:39 test.dir
0:user:gozer:list_directory/read_data/add_file/write_data/execute:allow
1:owner@::deny
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
3:group@:add_file/write_data/add_subdirectory/append_data:deny
4:group@:list_directory/read_data/execute:allow
5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
If a subdirectory of test.dir is created, the ACE for user gozer is not propagated to it. User gozer would only have access to sub.dir if the permissions on sub.dir granted him access as the file owner, a group member, or other.
# mkdir test.dir/sub.dir
# ls -dv test.dir/sub.dir
drwxr-xr-x 2 root root 2 Nov 4 14:30 test.dir/sub.dir
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@:add_file/write_data/add_subdirectory/append_data:deny
3:group@:list_directory/read_data/execute:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
The following series of examples identify the file and directory ACEs applied when the file_inherit flag is set.
Add read_data/write_data permissions for user gozer on the test2.dir directory, with the file_inherit flag, so that he has read access to any newly created files in it. For example:
# chmod A+user:gozer:read_data/write_data:allow:file_inherit test2.dir
# ls -dv test2.dir
drwxr-xr-x+ 2 root root 2 Nov 4 14:33 test2.dir
0:user:gozer:read_data/write_data:allow:file_inherit
1:owner@::deny
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
3:group@:add_file/write_data/add_subdirectory/append_data:deny
4:group@:list_directory/read_data/execute:allow
5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
Identify user gozer's permissions on the newly created test2.dir/file.2 file. The inherited entry, user:gozer:read_data/write_data:allow, is paired with a user:gozer:write_data:deny entry that precedes it, so the inheritance means user gozer can read the contents of any newly created file but cannot write to it.
# touch test2.dir/file.2
# ls -v test2.dir/file.2
-rw-r--r--+ 1 root root 0 Nov 4 14:33 test2.dir/file.2
0:user:gozer:write_data:deny
1:user:gozer:read_data/write_data:allow
2:owner@:execute:deny
3:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
4:group@:write_data/append_data/execute:deny
5:group@:read_data:allow
6:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
7:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow