You can use the chmod command to modify ACLs on ZFS files. The following chmod syntax for modifying ACLs uses acl-specification to identify the format of the ACL. For a description of acl-specification, see Syntax Descriptions for Setting ACLs.
Adding ACL entries
Adding an ACL entry for a user
% chmod A+acl-specification filename
Adding an ACL entry by index-ID
% chmod Aindex-ID+acl-specification filename
This syntax inserts the new ACL entry at the specified index-ID location.
Replacing an ACL entry
% chmod Aindex-ID=acl-specification filename
% chmod A=acl-specification filename
Removing ACL entries
Removing an ACL entry by index-ID
% chmod Aindex-ID- filename
Removing an ACL entry by user
% chmod A-acl-specification filename
Removing all explicit ACEs from a file
% chmod A- filename
Verbose ACL information is displayed by using the ls -v command. For example:
# ls -v file.1
-rw-r--r-- 1 root root 206663 Feb 16 11:00 file.1
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data:allow
4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
For information about using the compact ACL format, see Setting and Displaying ACLs on ZFS Files in Compact Format.
Example 7.1. Modifying Trivial ACLs on ZFS Files
This section provides examples of setting and displaying trivial ACLs.
In the following example, a trivial ACL exists on file.1:
# ls -v file.1
-rw-r--r-- 1 root root 206663 Feb 16 11:00 file.1
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data:allow
4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
In the following example, write_data permissions are granted for group@.
# chmod A2=group@:append_data/execute:deny file.1
# chmod A3=group@:read_data/write_data:allow file.1
# ls -v file.1
-rw-rw-r-- 1 root root 206663 May 3 16:36 file.1
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
2:group@:append_data/execute:deny
3:group@:read_data/write_data:allow
4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
In the following example, permissions on file.1 are set back to 644.
# chmod 644 file.1
# ls -v file.1
-rw-r--r-- 1 root root 206663 May 3 16:36 file.1
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data:allow
4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
Example 7.2. Setting Explicit ACLs on ZFS Files
This section provides examples of setting and displaying trivial ACLs.
In the following example, read_data/execute permissions are added for the user gozer on the test.dir directory.
# chmod A+user:gozer:read_data/execute:allow test.dir
# ls -dv test.dir
drwxr-xr-x+ 2 root root 2 Feb 16 11:12 test.dir
0:user:gozer:list_directory/read_data/execute:allow
1:owner@::deny
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
3:group@:add_file/write_data/add_subdirectory/append_data:deny
4:group@:list_directory/read_data/execute:allow
5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
In the following example, read_data/execute permissions are removed for user gozer.
# chmod A0- test.dir
# ls -dv test.dir
drwxr-xr-x 2 root root 2 Feb 16 11:12 test.dir
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@:add_file/write_data/add_subdirectory/append_data:deny
3:group@:list_directory/read_data/execute:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
Example 7.3. ACL Interaction With Permissions on ZFS Files
These ACL examples illustrate the interaction between setting explicit ACLs and then changing the file or directory's permission bits.
In the following example, a trivial ACL exists on file.2:
# ls -v file.2
-rw-r--r-- 1 root root 2703 Feb 16 11:16 file.2
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data:allow
4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
In the following example, ACL allow permissions are removed from everyone@.
# chmod A5- file.2
# ls -v file.2
-rw-r----- 1 root root 2703 Feb 16 11:16 file.2
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data:allow
4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
In this output, the file's permission bits are reset from 655 to 650. Read permissions for everyone@ have been effectively removed from the file's permissions bits when the ACL allow permissions are removed for everyone@.
In the following example, the existing ACL is replaced with read_data/write_data permissions for everyone@.
# chmod A=everyone@:read_data/write_data:allow file.3
# ls -v file.3
-rw-rw-rw-+ 1 root root 1532 Feb 16 11:18 file.3
0:everyone@:read_data/write_data:allow
In this output, the chmod syntax effectively replaces the existing ACL with read_data/write_data:allow permissions, giving read/write permissions for owner, group, and everyone@. In this model, everyone@ specifies access to any user or group. Since no owner@ or group@ ACL entry exists to override the permissions for owner and group, the permission bits are set to 666.
In the following example, the existing ACL is replaced with read permissions for user gozer.
# chmod A=user:gozer:read_data:allow file.3
# ls -v file.3
----------+ 1 root root 1532 Feb 16 11:18 file.3
0:user:gozer:read_data:allow
In this output, the file permissions are computed to be 000 because no ACL entries exist for owner@, group@, or everyone@, which represent the traditional permission components of a file. The owner of the file can resolve this problem by resetting the permissions (and the ACL) as follows:
# chmod 655 file.3
# ls -v file.3
-rw-r-xr-x+ 1 root root 0 Mar 8 13:24 file.3
0:user:gozer::deny
1:user:gozer:read_data:allow
2:owner@:execute:deny
3:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
4:group@:write_data/append_data:deny
5:group@:read_data/execute:allow
6:everyone@:write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:deny
7:everyone@:read_data/read_xattr/execute/read_attributes/read_acl
/synchronize:allow
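The following added example (not part of the original guide) parses wrapped ls -v output and recomputes the permission bits from the ACL, which is useful when auditing whether an ACL change silently altered a file's mode. The first-match-per-bit rule in mode_bits is a simplified model chosen because it reproduces the listings in Example 7.3 (644, 640, 666, 000); the function and type names are assumptions of this example.

```python
import re
from collections import namedtuple

Ace = namedtuple("Ace", "who perms flags type")
# Which permission classes each special entry feeds, per the text above:
# everyone@ covers any user or group unless owner@/group@ override it.
SPECIAL = {"owner@": ("owner",), "group@": ("group",),
           "everyone@": ("owner", "group", "other")}
BITS = {"read_data": 4, "write_data": 2, "execute": 1}

# Trivial ACL of file.2, copied from the ls -v listing in Example 7.3.
SAMPLE = """\
-rw-r--r-- 1 root root 2703 Feb 16 11:16 file.2
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data:allow
4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
"""

def parse_ace(spec):
    """Parse 'who:perms[:flags]:allow|deny'; user:/group: carry a name."""
    fields = spec.split(":")
    n = 2 if fields[0] in ("user", "group") else 1
    flags = fields[n + 1].split("/") if len(fields) == n + 3 else []
    perms = frozenset(p for p in fields[n].split("/") if p)
    return Ace(":".join(fields[:n]), perms, frozenset(flags), fields[-1])

def parse_ls_v(text):
    """Rejoin wrapped entries of ls -v output and parse each ACE."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the ls -l style header
        line = line.strip()
        if re.match(r"\d+:", line):
            entries.append(line.split(":", 1)[1])   # drop the index-ID
        elif line and entries:
            entries[-1] += line                 # continuation of a wrapped ACE
    return [parse_ace(e) for e in entries]

def mode_bits(aces):
    """First allow/deny seen per class and bit decides; undecided bits are off."""
    decided = {"owner": {}, "group": {}, "other": {}}
    for ace in aces:
        if "inherit_only" in ace.flags:
            continue                            # affects children only
        for cls in SPECIAL.get(ace.who, ()):    # user:/group: ACEs set no bits
            for perm in ace.perms & set(BITS):
                decided[cls].setdefault(perm, ace.type == "allow")
    mode = 0
    for shift, cls in ((6, "owner"), (3, "group"), (0, "other")):
        mode |= sum(BITS[p] for p, ok in decided[cls].items() if ok) << shift
    return mode

def explicit_aces(aces):
    """Entries for named users or groups, the kind the examples add explicitly."""
    return [a for a in aces if a.who not in SPECIAL]

if __name__ == "__main__":
    acl = parse_ls_v(SAMPLE)
    print(oct(mode_bits(acl)))                  # file.2 as listed
    print(oct(mode_bits(acl[:5])))              # after chmod A5- file.2
    print(explicit_aces([parse_ace("user:gozer:read_data:allow")]))
```

A mode of 000 together with a non-empty explicit_aces result is the situation shown for file.3 above, where only a named user retains access.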
Example 7.4. Restoring Trivial ACLs on ZFS Files
You can use the chmod command to remove all explicit ACLs on a file or directory.
In the following example, 2 explicit ACEs exist on test5.dir.
# ls -dv test5.dir
drwxr-xr-x+ 2 root root 2 Feb 16 11:23 test5.dir
0:user:gozer:read_data:file_inherit:deny
1:user:lp:read_data:file_inherit:deny
2:owner@::deny
3:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
4:group@:add_file/write_data/add_subdirectory/append_data:deny
5:group@:list_directory/read_data/execute:allow
6:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
7:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
In the following example, the explicit ACLs for users gozer and lp are removed. The remaining ACL contains the six default values for owner@, group@, and everyone@.
# chmod A- test5.dir
# ls -dv test5.dir
drwxr-xr-x 2 root root 2 Feb 16 11:23 test5.dir
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@:add_file/write_data/add_subdirectory/append_data:deny
3:group@:list_directory/read_data/execute:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
You can determine how ACLs are inherited or not inherited on files and directories. By default, ACLs are not propagated. If you set an explicit ACL on a directory, the ACL is not inherited by any subsequent directory. You must specify the inheritance of an ACL on a file or directory.
In addition, two ACL properties are provided that can be set globally on file systems: aclinherit and aclmode. By default, aclinherit is set to secure and aclmode is set to groupmask.
For more information, see ACL Inheritance.
Example 7.5. Default ACL Inheritance
By default, ACLs are not propagated through a directory structure.
In the following example, an explicit ACE of read_data/write_data/execute is applied for user gozer on test.dir.
# chmod A+user:gozer:read_data/write_data/execute:allow test.dir
# ls -dv test.dir
drwxr-xr-x+ 2 root root 2 Feb 17 14:45 test.dir
0:user:gozer:list_directory/read_data/add_file/write_data/execute:allow
1:owner@::deny
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
3:group@:add_file/write_data/add_subdirectory/append_data:deny
4:group@:list_directory/read_data/execute:allow
5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
If a test.dir subdirectory is created, the ACE for user gozer is not propagated. User gozer would only have access to sub.dir if the permissions on sub.dir granted him access as the file owner, group member, or everyone@.
# mkdir test.dir/sub.dir
# ls -dv test.dir/sub.dir
drwxr-xr-x 2 root root 2 Feb 17 14:46 test.dir/sub.dir
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@:add_file/write_data/add_subdirectory/append_data:deny
3:group@:list_directory/read_data/execute:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
Example 7.6. Granting ACL Inheritance on Files and Directories
This series of examples identifies the file and directory ACEs that are applied when the file_inherit flag is set.
In the following example, read_data/write_data permissions are added for files in the test.dir directory for user gozer so that he has read access on any newly created files.
# chmod A+user:gozer:read_data/write_data:file_inherit:allow test2.dir
# ls -dv test2.dir
drwxr-xr-x+ 2 root root 2 Feb 17 14:47 test2.dir
0:user:gozer:read_data/write_data:file_inherit:allow
1:owner@::deny
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
3:group@:add_file/write_data/add_subdirectory/append_data:deny
4:group@:list_directory/read_data/execute:allow
5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
In the following example, user gozer's permissions are applied on the newly created test2.dir/file.2 file. The ACL inheritance granted, read_data:file_inherit:allow, means user gozer can read the contents of any newly created file.
# touch test2.dir/file.2
# ls -v test2.dir/file.2
-rw-r--r--+ 1 root root 0 Feb 17 14:49 test2.dir/file.2
0:user:gozer:write_data:deny
1:user:gozer:read_data/write_data:allow
2:owner@:execute:deny
3:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
4:group@:write_data/append_data/execute:deny
5:group@:read_data:allow
6:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
7:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
Because the aclmode for this file is set to the default mode, groupmask, user gozer does not have write_data permission on file.2 because the group permission of the file does not allow it.
Note the inherit_only permission, which is applied when the file_inherit or dir_inherit flags are set, is used to propagate the ACL through the directory structure. As such, user gozer is only granted or denied permission from everyone@ permissions unless he is the owner of the file or a member of the owning group of the file. For example:
# mkdir test2.dir/subdir.2
# ls -dv test2.dir/subdir.2
drwxr-xr-x+ 2 root root 2 Feb 17 14:50 test2.dir/subdir.2
0:user:gozer:list_directory/read_data/add_file/write_data:file_inherit
/inherit_only:allow
1:owner@::deny
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
3:group@:add_file/write_data/add_subdirectory/append_data:deny
4:group@:list_directory/read_data/execute:allow
5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
The following series of examples identifies the file and directory ACLs that are applied when both the file_inherit and dir_inherit flags are set.
In the following example, user gozer is granted read, write, and execute permissions that are inherited for newly created files and directories.
# chmod A+user:gozer:read_data/write_data/execute:file_inherit/dir_inherit:allow test3.dir
# ls -dv test3.dir
drwxr-xr-x+ 2 root root 2 Feb 17 14:51 test3.dir
0:user:gozer:list_directory/read_data/add_file/write_data/execute
:file_inherit/dir_inherit:allow
1:owner@::deny
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
3:group@:add_file/write_data/add_subdirectory/append_data:deny
4:group@:list_directory/read_data/execute:allow
5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
# touch test3.dir/file.3
# ls -v test3.dir/file.3
-rw-r--r--+ 1 root root 0 Feb 17 14:53 test3.dir/file.3
0:user:gozer:write_data/execute:deny
1:user:gozer:read_data/write_data/execute:allow
2:owner@:execute:deny
3:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
4:group@:write_data/append_data/execute:deny
5:group@:read_data:allow
6:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
7:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
# mkdir test3.dir/subdir.1
# ls -dv test3.dir/subdir.1
drwxr-xr-x+ 2 root root 2 May 4 15:00 test3.dir/subdir.1
0:user:gozer:list_directory/read_data/add_file/write_data/execute
:file_inherit/dir_inherit/inherit_only:allow
1:user:gozer:add_file/write_data:deny
2:user:gozer:list_directory/read_data/add_file/write_data/execute:allow
3:owner@::deny
4:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
5:group@:add_file/write_data/add_subdirectory/append_data:deny
6:group@:list_directory/read_data/execute:allow
7:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
8:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
In these examples, because the permission bits of the parent directory for group@ and everyone@ deny write and execute permissions, user gozer is denied write and execute permissions. The default aclmode property is secure, which means that write_data and execute permissions are not inherited.
In the following example, user gozer is granted read, write, and execute permissions that are inherited for newly created files, but are not propagated to subsequent contents of the directory.
# chmod A+user:gozer:read_data/write_data/execute:file_inherit/no_propagate:allow test4.dir
# ls -dv test4.dir
drwxr-xr-x+ 2 root root 2 Feb 17 14:54 test4.dir
0:user:gozer:list_directory/read_data/add_file/write_data/execute
:file_inherit/no_propagate:allow
1:owner@::deny
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
3:group@:add_file/write_data/add_subdirectory/append_data:deny
4:group@:list_directory/read_data/execute:allow
5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
As the following example illustrates, when a new subdirectory is created, user gozer's read_data/write_data/execute permission for files is not propagated to the new sub4.dir directory.
# mkdir test4.dir/sub4.dir
# ls -dv test4.dir/sub4.dir
drwxr-xr-x 2 root root 2 Feb 17 14:57 test4.dir/sub4.dir
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@:add_file/write_data/add_subdirectory/append_data:deny
3:group@:list_directory/read_data/execute:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
As the following example illustrates, gozer's read_data/write_data/execute permission for files is propagated to the newly created file.
# touch test4.dir/file.4
# ls -v test4.dir/file.4
-rw-r--r--+ 1 root root 0 May 4 15:02 test4.dir/file.4
0:user:gozer:write_data/execute:deny
1:user:gozer:read_data/write_data/execute:allow
2:owner@:execute:deny
3:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
4:group@:write_data/append_data/execute:deny
5:group@:read_data:allow
6:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
7:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
Example 7.7. ACL Inheritance With ACL Mode Set to Passthrough
If the aclmode property on the tank/cindy file system is set to passthrough, then user gozer would inherit the ACL applied on test4.dir for the newly created file.4 as follows:
# zfs set aclmode=passthrough tank/cindy
# touch test4.dir/file.4
# ls -v test4.dir/file.4
-rw-r--r--+ 1 root root 0 Feb 17 15:15 test4.dir/file.4
0:user:gozer:read_data/write_data/execute:allow
1:owner@:execute:deny
2:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
3:group@:write_data/append_data/execute:deny
4:group@:read_data:allow
5:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
6:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
This output illustrates that the read_data/write_data/execute:allow:file_inherit/dir_inherit ACL that was set on the parent directory, test4.dir, is passed through to user gozer.
Example 7.8. ACL Inheritance With ACL Mode Set to Discard
If the aclmode property on a file system is set to discard, then ACLs can potentially be discarded when the permission bits on a directory change. For example:
# zfs set aclmode=discard tank/cindy
# chmod A+user:gozer:read_data/write_data/execute:dir_inherit:allow test5.dir
# ls -dv test5.dir
drwxr-xr-x+ 2 root root 2 Feb 16 11:23 test5.dir
0:user:gozer:list_directory/read_data/add_file/write_data/execute
:dir_inherit:allow
1:owner@::deny
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
3:group@:add_file/write_data/add_subdirectory/append_data:deny
4:group@:list_directory/read_data/execute:allow
5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
If, at a later time, you decide to tighten the permission bits on a directory, the explicit ACL is discarded. For example:
# chmod 744 test5.dir
# ls -dv test5.dir
drwxr--r-- 2 root root 2 Feb 16 11:23 test5.dir
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@:add_file/write_data/add_subdirectory/append_data/execute:deny
3:group@:list_directory/read_data:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/execute/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/read_attributes/read_acl
/synchronize:allow
Example 7.9. ACL Inheritance With ACL Inherit Mode Set to Noallow
In the following example, two explicit ACLs with file inheritance are set. One ACL allows read_data permission, and one ACL denies read_data permission. This example also illustrates how you can specify two ACEs in the same chmod command.
# zfs set aclinherit=noallow tank/cindy
# chmod A+user:gozer:read_data:file_inherit:deny,user:lp:read_data:file_inherit:allow test6.dir
# ls -dv test6.dir
drwxr-xr-x+ 2 root root 2 May 4 14:23 test6.dir
0:user:gozer:read_data:file_inherit:deny
1:user:lp:read_data:file_inherit:allow
2:owner@::deny
3:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
4:group@:add_file/write_data/add_subdirectory/append_data:deny
5:group@:list_directory/read_data/execute:allow
6:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
7:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
As the following example shows, when a new file is created, the ACL that allows read_data permission is discarded.
# touch test6.dir/file.6
# ls -v test6.dir/file.6
-rw-r--r--+ 1 root root 0 May 4 13:44 test6.dir/file.6
0:user:gozer:read_data:deny
1:owner@:execute:deny
2:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
3:group@:write_data/append_data/execute:deny
4:group@:read_data:allow
5:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
6:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
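The flag propagation shown in Examples 7.5, 7.6 and 7.9, as an added example that is not part of the original guide: given one ACE on a parent directory, it returns the ACEs a new file or subdirectory receives, so you can review what access an inheritable entry will grant before setting it. It models the inheritance flags and the noallow filter only, following the listings above; the extra deny entries and the directory permission aliases (such as list_directory) that appear in those listings are not modelled, and the function names are assumptions of this example.

```python
ORDER = ("file_inherit", "dir_inherit", "inherit_only", "no_propagate")

def spec(who, perms, flags, ace_type):
    """Render an ACE in acl-specification form, flags in ls -v order."""
    parts = [who, perms]
    if flags:
        parts.append("/".join(f for f in ORDER if f in flags))
    return ":".join(parts + [ace_type])

def inherited(who, perms, flags, ace_type, child_is_dir, aclinherit="secure"):
    """ACEs a newly created child receives from one ACE on its parent."""
    flags = set(flags.split("/")) if flags else set()
    if aclinherit == "noallow" and ace_type == "allow":
        return []                       # Example 7.9: only deny entries survive
    if not child_is_dir:
        # New files take file_inherit ACEs with the inheritance flags cleared.
        return [spec(who, perms, (), ace_type)] if "file_inherit" in flags else []
    if "no_propagate" in flags:
        # One level only: a dir_inherit ACE applies to the child, no further.
        return [spec(who, perms, (), ace_type)] if "dir_inherit" in flags else []
    carried = flags & {"file_inherit", "dir_inherit"}
    if not carried:
        return []                       # Example 7.5: nothing is propagated
    # The subdirectory keeps an inherit_only copy to pass further down ...
    out = [spec(who, perms, carried | {"inherit_only"}, ace_type)]
    if "dir_inherit" in flags:
        # ... and, for dir_inherit, an entry that applies to the subdirectory.
        out.append(spec(who, perms, (), ace_type))
    return out

if __name__ == "__main__":
    # ACEs taken from the chmod commands in Examples 7.6 and 7.9.
    cases = [
        ("user:gozer", "read_data/write_data", "file_inherit", "allow", "secure"),
        ("user:gozer", "read_data/write_data/execute",
         "file_inherit/dir_inherit", "allow", "secure"),
        ("user:gozer", "read_data/write_data/execute",
         "file_inherit/no_propagate", "allow", "secure"),
        ("user:lp", "read_data", "file_inherit", "allow", "noallow"),
        ("user:gozer", "read_data", "file_inherit", "deny", "noallow"),
    ]
    for who, perms, flags, ace_type, mode in cases:
        print(spec(who, perms, set(flags.split("/")), ace_type), f"[{mode}]")
        print("  new file:  ", inherited(who, perms, flags, ace_type, False, mode))
        print("  new subdir:", inherited(who, perms, flags, ace_type, True, mode))
```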