Setting and Displaying ACLs on ZFS Files in Compact Format

Setting and Displaying ACLs on ZFS Files in Compact Format
Prev	Chapter 7. Using ACLs to Protect ZFS Files	Next

You can set and display permissions on ZFS files in a compact format that uses 14 unique letters to represent the permissions. The letters that represent the compact permissions are listed in Table 7–2 and Table 7–3.

You can display compact ACL listings for files and directories by using the ls V command. For example:

# ls -V file.1
-rw-r--r--   1 root     root      206663 Feb 16 11:00 file.1
            owner@:--x-----------:------:deny
            owner@:rw-p---A-W-Co-:------:allow
            group@:-wxp----------:------:deny
            group@:r-------------:------:allow
         everyone@:-wxp---A-W-Co-:------:deny
         everyone@:r-----a-R-c--s:------:allow

The compact ACL output is described as follows:

owner@: The owner is denied execute permissions to the file (x=execute).
owner@: The owner can read and modify the contents of the file (rw=read_data/write_data), (p=append_data). The owner can also modify the file's attributes such as timestamps, extended attributes, and ACLs (A=write_xattr, W=write_attributes, C=write_acl). In addition, the owner can modify the ownership of the file (O=write_owner).
group@: The group is denied modify and execute permissions to the file (rw=read_data/write_data, p=append_data, and x=execute).
group@: The group is granted read permissions to the file (r=read_data).
everyone@: Everyone who is not user or group is denied permission to execute or modify the contents of the file, and to modify any attributes of the file (w=write_data, x=execute, p=append_data, A=write_xattr, W=write_attributes, C=write_acl, and o=write_owner).
everyone@: Everyone who is not user or group is granted read permissions to the file and the file's attributes (r=read_data, a=append_data, R=read_xattr, c=read_acl, and s=synchronize). The synchronize access permission is not currently implemented.

Compact ACL format provides the following advantages over verbose ACL format:

Permissions can be specified as positional arguments to the chmod command.
The hyphen (-) characters, which identify no permissions, can be removed and only the required letters need to be specified.
Both permissions and inheritance flags are set in the same fashion.

For information about using the verbose ACL format, see Setting and Displaying ACLs on ZFS Files in Verbose Format.

Example 7.10. Setting and Displaying ACLs in Compact Format

In the following example, a trivial ACL exists on file.1:

# ls -V file.1
-rw-r-xr-x   1 root     root      206663 Feb 16 11:00 file.1
            owner@:--x-----------:------:deny
            owner@:rw-p---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow

In this example, read_data/execute permissions are added for the user gozer on file.1.

# chmod A+user:gozer:rx:allow file.1
# ls -V file.1
-rw-r-xr-x+  1 root     root      206663 Feb 16 11:00 file.1
        user:gozer:r-x-----------:------:allow
            owner@:--x-----------:------:deny
            owner@:rw-p---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow

Another way to add the same permissions for user gozer is to insert a new ACL at a specific position, 4, for example. As such, the existing ACLs at positions 4–6 are pushed down. For example:

# chmod A4+user:gozer:rx:allow file.1
# ls -V file.1
-rw-r-xr-x+  1 root     root      206663 Feb 16 11:00 file.1
            owner@:--x-----------:------:deny
            owner@:rw-p---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
        user:gozer:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow

In the following example, user gozer is granted read, write, and execute permissions that are inherited for newly created files and directories by using the compact ACL format.

# chmod A+user:gozer:rwx:f:allow dir.1
# ls -dV dir.1
drwxr-xr-x+  2 root     root           2 Feb 23 10:37 dir.1
        user:gozer:rwx-----------:f-----:allow
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow

You can also cut and paste permissions and inheritance flags from the ls V output into the compact chmod format. For example, to duplicate the permissions and inheritance flags on dir.1 for user gozer to user cindys, copy and paste the permission and inheritance flags (rwx-----------:f-----:allow) into your chmod command. For example:

# chmod A+user:cindys:rwx-----------:f-----:allow dir.1
# ls -dV dir.1
drwxr-xr-x+  2 root     root           2 Feb 23 10:37 dir.1
       user:cindys:rwx-----------:f-----:allow
        user:gozer:rwx-----------:f-----:allow
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow