ACL entry types, which are the ACL representations of owner, group, and other,
are described in the following table.
Table 8-1 ACL Entry Types

| ACL Entry Type | Description |
|---|---|
| owner@ | Specifies the access granted to the owner of the object. |
| group@ | Specifies the access granted to the owning group of the object. |
| everyone@ | Specifies the access granted to any user or group that does not match any other ACL entry. |
| user | With a user name, specifies the access granted to an additional user of the object. Must include the ACL-entry-ID, which contains a username or userID. If the value is not a valid numeric UID or username, the ACL entry type is invalid. |
| group | With a group name, specifies the access granted to an additional group of the object. Must include the ACL-entry-ID, which contains a groupname or groupID. If the value is not a valid numeric GID or groupname, the ACL entry type is invalid. |
ACL access privileges are described in the following table.
Table 8-2 ACL Access Privileges

| Access Privilege | Compact Access Privilege | Description |
|---|---|---|
| add_file | w | Permission to add a new file to a directory. |
| add_subdirectory | p | On a directory, permission to create a subdirectory. |
| append_data | p | Placeholder. Not currently implemented. |
| delete | d | Permission to delete a file. |
| delete_child | D | Permission to delete a file or directory within a directory. |
| execute | x | Permission to execute a file or search the contents of a directory. |
| list_directory | r | Permission to list the contents of a directory. |
| read_acl | c | Permission to read the ACL (ls). |
| read_attributes | a | Permission to read basic attributes (non-ACLs) of a file. Think of basic attributes as the stat-level attributes. Allowing this access mask bit means the entity can execute ls(1) and stat(2). |
| read_data | r | Permission to read the contents of the file. |
| read_xattr | R | Permission to read the extended attributes of a file or perform a lookup in the file's extended attributes directory. |
| synchronize | s | Placeholder. Not currently implemented. |
| write_xattr | W | Permission to create extended attributes or write to the extended attributes directory. Granting this permission to a user means that the user can create an extended attribute directory for a file. The attribute file's permissions control the user's access to the attribute. |
| write_data | w | Permission to modify or replace the contents of a file. |
| write_attributes | A | Permission to change the times associated with a file or directory to an arbitrary value. |
| write_acl | C | Permission to write the ACL, that is, the ability to modify the ACL by using the chmod command. |
| write_owner | o | Permission to change the file's owner or group, that is, the ability to run the chown or chgrp commands on the file. This is permission to take ownership of a file, or to change the group ownership of the file to a group of which the user is a member. Changing the file or group ownership to an arbitrary user or group additionally requires the PRIV_FILE_CHOWN privilege. |
ACL Inheritance
The purpose of ACL inheritance is to let a newly created file or directory inherit the ACL entries it is intended to inherit, without disregarding the existing permission bits on the parent directory.
By default, ACLs are not propagated: if you set a non-trivial ACL on a directory, it is not inherited by any subsequently created subdirectory. You must explicitly specify the inheritance of an ACL on a file or directory.
The optional inheritance flags are described in the following table.
Table 8-3 ACL Inheritance Flags

| Inheritance Flag | Compact Inheritance Flag | Description |
|---|---|---|
| file_inherit | f | Only inherit the ACL from the parent directory to the directory's files. |
| dir_inherit | d | Only inherit the ACL from the parent directory to the directory's subdirectories. |
| inherit_only | i | Inherit the ACL from the parent directory, but apply it only to newly created files or subdirectories, not to the directory itself. This flag requires the file_inherit flag, the dir_inherit flag, or both, to indicate what to inherit. |
| no_propagate | n | Only inherit the ACL from the parent directory to the first-level contents of the directory, not the second-level or subsequent contents. This flag requires the file_inherit flag, the dir_inherit flag, or both, to indicate what to inherit. |
| - | N/A | No permission granted. |
In addition, you can set a default ACL inheritance policy on the file system that is more strict or less strict by using the aclinherit file system property. For more information, see the next section.
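As an added example (not code from the Oracle documentation), the following Python script checks an ACL entry written in the chmod(1) ACL syntax, entry-type[:ACL-entry-ID]:access-privileges[:inheritance-flags]:allow|deny, against Tables 8-1, 8-2 and 8-3: it rejects a user or group entry that lacks an ACL-entry-ID, an unknown privilege or flag, and inherit_only or no_propagate without file_inherit or dir_inherit, and renders the compact letter form. The user name gozer, the group name staff and the regular expression used for the name check are assumptions made for the example.

```python
"""Validate a ZFS ACL entry written in the chmod(1) ACL syntax
(entry-type[:ACL-entry-ID]:access-privileges[:inheritance-flags]:allow|deny)
against Tables 8-1, 8-2 and 8-3, and render the compact (letter) form.
Added example, not Oracle code: the ID syntax check is a simplification."""

import re

# Table 8-1: entry type -> whether an ACL-entry-ID (name or numeric ID) must follow it.
ENTRY_TYPES = {"owner@": False, "group@": False, "everyone@": False,
               "user": True, "group": True}

# Table 8-2: access privilege -> compact letter.  Several privileges share a
# letter because they occupy the same access-mask bit (read_data and
# list_directory are both "r", write_data and add_file are both "w", ...).
PRIVILEGES = {
    "read_data": "r", "list_directory": "r",
    "write_data": "w", "add_file": "w",
    "execute": "x",
    "append_data": "p", "add_subdirectory": "p",
    "delete": "d", "delete_child": "D",
    "read_attributes": "a", "write_attributes": "A",
    "read_xattr": "R", "write_xattr": "W",
    "read_acl": "c", "write_acl": "C",
    "write_owner": "o", "synchronize": "s",
}
# Fixed positions of the letters in the 14-character compact privilege string.
COMPACT_ORDER = "rwxpdDaARWcCos"

# Table 8-3: inheritance flag -> compact letter (the "-" row means no flags at all).
INHERIT_FLAGS = {"file_inherit": "f", "dir_inherit": "d",
                 "inherit_only": "i", "no_propagate": "n"}
NEEDS_WHAT_TO_INHERIT = {"inherit_only", "no_propagate"}   # Table 8-3 requirement

# Assumption: a name looks like a POSIX login/group name; a numeric ID is all digits.
ID_RE = re.compile(r"^(?:[a-z_][a-z0-9_.-]*|[0-9]+)$", re.IGNORECASE)


def parse_ace(spec):
    """Return {"kind", "who", "perms", "flags", "access"} or raise ValueError."""
    fields = spec.split(":")
    kind = fields[0]
    if kind not in ENTRY_TYPES:
        raise ValueError(f"unknown ACL entry type {kind!r}")
    if ENTRY_TYPES[kind]:              # user / group: an ACL-entry-ID is mandatory
        if len(fields) < 4 or not ID_RE.match(fields[1]):
            raise ValueError(f"{kind} entry needs a valid username/UID or groupname/GID")
        who, rest = fields[1], fields[2:]
    else:                              # owner@ / group@ / everyone@ carry no ID
        who, rest = None, fields[1:]
    if len(rest) == 2:                 # inheritance-flags field omitted entirely
        perms_s, flags_s, access = rest[0], "", rest[1]
    elif len(rest) == 3:
        perms_s, flags_s, access = rest
    else:
        raise ValueError("expected access-privileges[:inheritance-flags]:allow|deny")
    if access not in ("allow", "deny"):
        raise ValueError(f"access type must be allow or deny, not {access!r}")

    perms = {p for p in perms_s.split("/") if p}
    unknown = perms - set(PRIVILEGES)
    if unknown or not perms:
        raise ValueError(f"unknown or empty access privileges: {sorted(unknown)}")

    flags = {f for f in flags_s.split("/") if f}
    unknown = flags - set(INHERIT_FLAGS)
    if unknown:
        raise ValueError(f"unknown inheritance flags: {sorted(unknown)}")
    if (flags & NEEDS_WHAT_TO_INHERIT) and not (flags & {"file_inherit", "dir_inherit"}):
        raise ValueError("inherit_only/no_propagate require file_inherit and/or dir_inherit")
    return {"kind": kind, "who": who, "perms": perms, "flags": flags, "access": access}


def compact_privileges(perms):
    """Render a privilege set as the 14-character compact string, e.g. 'r-x-----------'."""
    present = {PRIVILEGES[p] for p in perms}
    return "".join(c if c in present else "-" for c in COMPACT_ORDER)


def compact_flags(flags):
    """Render the four Table 8-3 flags in the order f, d, i, n; '-' where absent."""
    present = {INHERIT_FLAGS[f] for f in flags}
    return "".join(c if c in present else "-" for c in "fdin")


if __name__ == "__main__":
    # Constructed sample entries; "gozer" is a made-up user name.
    for spec in ("user:gozer:read_data/execute:file_inherit/dir_inherit:allow",
                 "owner@:read_data/write_data/write_acl/write_owner:allow",
                 "everyone@:write_data:inherit_only:deny",   # invalid: no file/dir_inherit
                 "user:read_data:allow"):                    # invalid: ACL-entry-ID missing
        try:
            ace = parse_ace(spec)
            print(f"{spec}\n  -> {compact_privileges(ace['perms'])}:"
                  f"{compact_flags(ace['flags'])}:{ace['access']}")
        except ValueError as err:
            print(f"{spec}\n  -> rejected: {err}")
```

Because read_data/list_directory and write_data/add_file share a letter, the compact form cannot distinguish them; that is a property of the access mask, not of the script.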
ACL Property (aclinherit)
The ZFS file system includes the aclinherit property to determine the behavior of ACL inheritance. Values include the following:
- discard – For new objects, no ACL entries are inherited when a file or directory is created. The ACL on the file or directory is equal to the permission mode of the file or directory.
- noallow – For new objects, only inheritable ACL entries that have an access type of deny are inherited.
- restricted – For new objects, the write_owner and write_acl permissions are removed when an ACL entry is inherited.
- passthrough – When the property value is set to passthrough, files are created with a mode determined by the inheritable ACEs. If no inheritable ACEs exist that affect the mode, then the mode is set according to the mode requested by the application.
- passthrough-x – Has the same semantics as passthrough, except that when passthrough-x is enabled, files are created with the execute (x) permission, but only if execute permission is set in the file creation mode and in an inheritable ACE that affects the mode.
The default value of aclinherit is restricted.
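As an added example, not ZFS code, the following Python model combines the Table 8-3 inheritance flags with the aclinherit values listed above to show which entries a newly created file or subdirectory receives from its parent directory's ACL. It reproduces only the documented semantics: it does not compute the resulting permission mode, so passthrough and passthrough-x behave alike here. Two points are assumptions rather than statements from this page: restricted strips write_owner and write_acl only from allow entries, and a file_inherit-only entry lands on a new subdirectory marked inherit_only so that files created inside it still receive it. The parent ACL and the user name gozer are constructed.

```python
"""Model which ACL entries a newly created file or directory receives from
its parent directory, combining the Table 8-3 inheritance flags with the
aclinherit property values.  Added example, not ZFS code: it follows the
documented semantics only and does not compute the resulting permission
mode, so passthrough and passthrough-x behave alike here."""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Ace:
    who: str                        # "owner@", "group@", "everyone@", "user:<name>", "group:<name>"
    perms: frozenset                # Table 8-2 access privileges
    flags: frozenset = frozenset()  # Table 8-3 inheritance flags
    access: str = "allow"           # "allow" or "deny"


RESTRICTED_STRIP = {"write_owner", "write_acl"}   # removed by aclinherit=restricted
ACLINHERIT_VALUES = {"discard", "noallow", "restricted", "passthrough", "passthrough-x"}


def inherit_acl(parent_acl, child_is_dir, aclinherit="restricted"):
    """Return the entries a new child inherits (default aclinherit is restricted)."""
    if aclinherit not in ACLINHERIT_VALUES:
        raise ValueError(f"unknown aclinherit value {aclinherit!r}")
    if aclinherit == "discard":
        return []                  # nothing inherited; the child's ACL mirrors its mode
    inherited = []
    for ace in parent_acl:
        f = ace.flags
        # Which entries reach this kind of child: file_inherit for files,
        # dir_inherit (or file_inherit, carried onward) for subdirectories.
        if child_is_dir:
            if not (f & {"file_inherit", "dir_inherit"}):
                continue
        elif "file_inherit" not in f:
            continue
        # noallow: only deny entries are inherited.
        if aclinherit == "noallow" and ace.access != "deny":
            continue
        perms = set(ace.perms)
        # restricted: drop write_owner/write_acl.  Assumption: only from allow
        # entries, since dropping them from a deny entry would widen access.
        if aclinherit == "restricted" and ace.access == "allow":
            perms -= RESTRICTED_STRIP
        # Inheritance flags on the child.  A file carries none; no_propagate
        # stops at the first level, so the child keeps none in that case either.
        if not child_is_dir or "no_propagate" in f:
            new_flags = set()
        else:
            new_flags = set(f)
            if "dir_inherit" in f:
                new_flags.discard("inherit_only")   # the entry applies to this directory now
            else:
                # file_inherit only: assumption (ZFS behaviour, not stated on the page)
                # that the entry rides on the subdirectory as inherit_only so that
                # files created inside it still receive it.
                new_flags.add("inherit_only")
        inherited.append(replace(ace, perms=frozenset(perms), flags=frozenset(new_flags)))
    return inherited


# Constructed parent directory ACL ("gozer" is a made-up user name).
PARENT_ACL = [
    Ace("owner@", frozenset({"read_data", "write_data", "write_acl", "write_owner"}),
        frozenset({"file_inherit", "dir_inherit"})),
    Ace("user:gozer", frozenset({"read_data"}), frozenset({"file_inherit", "no_propagate"})),
    Ace("everyone@", frozenset({"write_data"}), frozenset({"file_inherit"}), "deny"),
    Ace("group@", frozenset({"read_data"})),   # no inheritance flags: never inherited
]


def show(ace):
    """Verbose rendering of an entry in who:privileges:flags:access form."""
    return f"{ace.who}:{'/'.join(sorted(ace.perms))}:{'/'.join(sorted(ace.flags))}:{ace.access}"


if __name__ == "__main__":
    for mode in sorted(ACLINHERIT_VALUES):
        for is_dir in (False, True):
            print(f"aclinherit={mode}, new {'directory' if is_dir else 'file'}:")
            for ace in inherit_acl(PARENT_ACL, is_dir, mode):
                print("   ", show(ace))
```

Running it with the default restricted value shows the security-relevant effect: the owner@ entry reaches new files and directories without write_acl and write_owner, so a child cannot be handed an ACL that lets its owner rewrite permissions or ownership purely through inheritance, while the same entry under passthrough keeps both privileges.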