How to use the chmod command to set the ACL of files or directories on ZFS filesystems

Examples

(1) To set (replace) the ACL so that the owner is allowed all permissions, with inheritance enabled, using the compact format. Use '=' after 'A':

# chmod A=owner@:rwxpcCosRrWaAdD:fd:allow somedir


(2) To add a new ACL entry that allows the owner all permissions, with inheritance enabled, using the compact format. Use '+' after 'A':

# chmod A+owner@:rwxpcCosRrWaAdD:fd:allow somedir

(3) To remove the non-trivial ZFS ACL entries from the directory (leaving only the entries that mirror the permission bits):

# chmod A- somedir

(4) To edit a specific ACL entry, first list the ACL entries with -v (lowercase v, the verbose form, which prints each entry with its index number):

# ls -ldv somedir

Note the index of the entry to change, e.g. entry 2, then replace that entry with '=' after 'A' and the entry number:

# chmod A2=.....

Verify with -V (uppercase V, the compact form):

# ls -ldV somedir

The compact output of ls -lV can also be copied and pasted straight into the chmod command, e.g.:

# chmod A=owner@:rwxpcCosRrWaAdD:fd----:allow somedir

*** IMPORTANT ***

For ACL inheritance to work as intended, set the aclmode and aclinherit properties on the ZFS dataset that contains the directory.

e.g. if somedir lies inside the ZFS dataset nrpool/data:

# zfs set aclmode=mask nrpool/data
# zfs set aclinherit=passthrough nrpool/data
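The editing procedure above (list with ls -dV, note the entry index, paste the edited entry back into chmod A<n>=) can be scripted. The following is an added example, not code from the original page or from Solaris: the ls -dV output it parses is a constructed sample in the compact format shown on this page, and the function names (ace_lines, ace_index, ace_for, ace_inherits) are my own. It only needs POSIX sh, grep, sed and awk, so it can be tried without a ZFS host and then pointed at real ls -dV output.

```shell
#!/bin/sh
# Added example, not code from the original page or from Solaris. Helpers for the
# "list with ls -dV, note the entry index, edit with chmod A<n>=" procedure.
# Function names are mine. Requires only POSIX sh, grep, sed, awk and cut.

# CONSTRUCTED sample of 'ls -dV somedir' output (compact ACL format). On a real
# system pipe the live output in instead:  ls -dV somedir | ace_index group@
SAMPLE_LS_V='drwxr-xr-x   2 root     root           2 Jan  1 00:00 somedir
                 owner@:rwxpdDaARWcCos:fd----:allow
                 group@:r-x---a-R-c--s:------:allow
              everyone@:r-x---a-R-c--s:------:allow'

# Keep only the ACE lines (principal:privs:flags:allow|deny) and trim indentation.
ace_lines() {
    grep -E ':(allow|deny)[[:space:]]*$' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Zero-based index of the first ACE for a principal, read from ls -V output on stdin.
# Entries are numbered from 0 in the same order that 'ls -v' shows them, so the
# result is the <n> for 'chmod A<n>=...'. Prints -1 when the principal has no entry.
ace_index() {
    ace_lines | awk -F: -v p="$1" \
        'BEGIN { n = -1 } n < 0 && $1 == p { n = NR - 1 } END { print n }'
}

# Full compact ACE for a principal, ready to be edited and pasted back into chmod.
ace_for() {
    ace_lines | awk -F: -v p="$1" '$1 == p { print; exit }'
}

# Exit 0 when an ACE carries both file (f) and directory (d) inheritance flags,
# i.e. it will propagate to new files and subdirectories; exit 1 otherwise.
ace_inherits() {
    flags=$(printf '%s\n' "$1" | cut -d: -f3)
    case $flags in
        *f*d*|*d*f*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Demonstration on the constructed sample: locate group@ and print the command
# that would give that entry the same f/d inheritance as the owner@ entry.
n=$(printf '%s\n' "$SAMPLE_LS_V" | ace_index group@)
cur=$(printf '%s\n' "$SAMPLE_LS_V" | ace_for group@)
printf 'group@ is ACL entry %s: %s\n' "$n" "$cur"
if ace_inherits "$cur"; then
    printf 'entry already inherits to files and directories\n'
else
    # Rewrite the inheritance field so it starts with "fd" and keep the remaining positions.
    printf 'to enable inheritance: chmod A%s=%s somedir\n' "$n" \
        "$(printf '%s\n' "$cur" | awk -F: 'BEGIN { OFS = ":" } { $3 = "fd" substr($3, 3); print }')"
fi
```

On the constructed sample the script reports group@ as entry 1 and prints `chmod A1=group@:r-x---a-R-c--s:fd----:allow somedir`, which is exactly the copy-and-paste form the page describes; the aclinherit/aclmode properties still have to be set on the dataset for that inheritance to take effect.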


Access privileges and their compact letters

Access Privilege    Compact  Description
add_file            w        Permission to add a new file to a directory.
add_subdirectory    p        On a directory, permission to create a subdirectory.
append_data         p        Not currently implemented.
delete              d        Permission to delete a file. For more information about specific delete permission behavior, see Table 8-3 in the Oracle Solaris ZFS Administration Guide (not reproduced here).
delete_child        D        Permission to delete a file or directory within a directory. For more information about specific delete_child permission behavior, see Table 8-3 in the Oracle Solaris ZFS Administration Guide (not reproduced here).
execute             x        Permission to execute a file or search the contents of a directory.
list_directory      r        Permission to list the contents of a directory.
read_acl            c        Permission to read the ACL (ls).
read_attributes     a        Permission to read basic attributes (non-ACLs) of a file. Think of basic attributes as the stat level attributes. Allowing this access mask bit means the entity can execute ls(1) and stat(2).
read_data           r        Permission to read the contents of the file.
read_xattr          R        Permission to read the extended attributes of a file or perform a lookup in the file's extended attributes directory.
synchronize         s        Not currently implemented.
write_xattr         W        Permission to create extended attributes or write to the extended attributes directory. Granting this permission to a user means that the user can create an extended attribute directory for a file. The attribute file's permissions control the user's access to the attribute.
write_data          w        Permission to modify or replace the contents of a file.
write_attributes    A        Permission to change the times associated with a file or directory to an arbitrary value.
write_acl           C        Permission to write the ACL, or the ability to modify the ACL by using the chmod command.
write_owner         o        Permission to change the file's owner or group, or the ability to execute the chown or chgrp commands on the file. Permission to take ownership of a file or permission to change the group ownership of the file to a group of which the user is a member. If you want to change the file or group ownership to an arbitrary user or group, then the PRIV_FILE_CHOWN privilege is required.
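The compact letters in the table are easy to mistype, and the two that matter most from a security standpoint are C (write_acl) and o (write_owner): whoever holds either on a file can rewrite its ACL or take it over. The following is an added example, not code from the original page or from Solaris, that decodes a compact privilege field into the names from the table, validates a compact ACE spec before it is passed to chmod, and audits ls -V output for non-owner entries carrying C or o. The function names are mine, the ACL lines are a constructed sample, and the inheritance flag set f d i n S F I accepted by validate_ace is assumed from the Solaris chmod(1) manual (only f and d appear on this page).

```shell
#!/bin/sh
# Added example, not from the original page or from Solaris: decode and sanity-check
# the compact privilege letters listed in the table above, then audit ls -V output for
# entries that let a non-owner principal rewrite the ACL or take ownership.
# Function names are mine; needs only POSIX sh, grep, sed, awk and cut.

# Map one compact letter to its privilege name(s) from the table. Letters shared by two
# privileges (r, w, p) print both names separated by a slash. '-' is an unset position.
priv_name() {
    case $1 in
        r) echo read_data/list_directory ;;
        w) echo write_data/add_file ;;
        x) echo execute ;;
        p) echo append_data/add_subdirectory ;;
        d) echo delete ;;
        D) echo delete_child ;;
        a) echo read_attributes ;;
        A) echo write_attributes ;;
        R) echo read_xattr ;;
        W) echo write_xattr ;;
        c) echo read_acl ;;
        C) echo write_acl ;;
        o) echo write_owner ;;
        s) echo synchronize ;;
        -) ;;
        *) return 1 ;;
    esac
}

# Expand a compact privilege field such as r-x---a-R-c--s into slash-joined names.
decode_privs() {
    out=; rest=$1
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}          # first character
        rest=${rest#?}
        name=$(priv_name "$ch") || { echo "unknown privilege letter '$ch'" >&2; return 1; }
        if [ -n "$name" ]; then out="${out:+$out/}$name"; fi
    done
    printf '%s\n' "$out"
}

# Check a compact ACE spec before handing it to chmod: principal:privs[:flags]:type.
# Privilege letters come from the table; inheritance flags are the Solaris set
# f d i n S F I (only f and d appear on this page; the rest are ASSUMED from chmod(1)).
validate_ace() {
    spec=$1
    case $spec in
        user:*|group:*)                rest=$(printf '%s\n' "$spec" | cut -d: -f3-) ;;
        owner@:*|group@:*|everyone@:*) rest=${spec#*:} ;;
        *) echo "unknown principal in '$spec'" >&2; return 1 ;;
    esac
    privs=${rest%%:*}
    remainder=${rest#*:}
    case $remainder in
        *:*) flags=${remainder%%:*}; type=${remainder#*:} ;;
        *)   flags=;                 type=$remainder ;;
    esac
    case $type in allow|deny) ;; *) echo "type must be allow or deny in '$spec'" >&2; return 1 ;; esac
    case $privs in ""|*[!rwxpdDaARWcCos-]*) echo "bad privilege letters in '$spec'" >&2; return 1 ;; esac
    case $flags in *[!fdinSFI-]*) echo "bad inheritance flags in '$spec'" >&2; return 1 ;; esac
    return 0
}

# Audit ls -V style output on stdin: report allow entries that grant write_acl (C) or
# write_owner (o) to anyone other than owner@. Either lets that principal rewrite the
# ACL or take the file over, so such entries deserve a second look.
audit_aces() {
    grep -E ':(allow|deny)[[:space:]]*$' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        awk -F: '{ p = $1; i = 2
                   if (p == "user" || p == "group") { p = p ":" $2; i = 3 }
                   if ($NF == "allow" && p != "owner@" && $i ~ /[Co]/) print p ": " $i }'
}

# CONSTRUCTED sample ACL lines in ls -V format; user:alice is the entry the audit should flag.
SAMPLE_ACL='                 owner@:rwxpdDaARWcCos:fd----:allow
             user:alice:rwxpdDaARWcCos:fd----:allow
                 group@:r-x---a-R-c--s:------:allow
              everyone@:r-x---a-R-c--s:------:allow'

# Demonstration on the constructed sample.
decode_privs r-x---a-R-c--s
validate_ace owner@:rwxpcCosRrWaAdD:fd:allow && echo 'spec accepted'
printf '%s\n' "$SAMPLE_ACL" | audit_aces
```

Run against a real directory with `ls -dV somedir | audit_aces`; an empty result means no principal other than the owner can change the ACL or ownership on that object.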