Andrew Watkins wrote:
> [I did post this in NFS, but I think it should be here]
>
> I am playing with ACL on snv_114 (and Storage 7110) system and I have
> noticed that strange things are happening to ACL's or am I doing something
> wrong.
>
> When you create a new sub-directory or file the ACL's seem to be incorrect.
>
It's actually doing exactly what it's supposed to do. See below for
explanation.
> # zfs create rpool/export/home/andrew
> # zfs set aclinherit=passthrough rpool/export/home/andrew
> # zfs set aclmode=passthrough rpool/export/home/andrew
>
> # chown andrew:staff /export/home/andrew
> # chmod "A+user:oxygen:rwxpdDaARWcCos:fd-----:allow" /export/home/andrew
>
> # ls -ldV /export/home/andrew
> drwxr-xr-x+ 3 andrew staff 3 Jun 19 17:09 /export/home/andrew
> user:oxygen:rwxpdDaARWcCos:fd-----:allow
> owner@:--------------:-------:deny
> owner@:rwxp---A-W-Co-:-------:allow
> group@:-w-p----------:-------:deny
> group@:r-x-----------:-------:allow
> everyone@:-w-p---A-W-Co-:-------:deny
> everyone@:r-x---a-R-c--s:-------:allow
>
> # mkdir /export/home/andrew/foo
>
> # ls -ldV /export/home/andrew/foo
> drwxr-xr-x+ 2 andrew staff 2 Jun 19 17:09 /export/home/andrew/foo
> user:oxygen:rwxpdDaARWcCos:fdi---I:allow <<Altered
The entry with the inheritance flags of "fdi" is an inherit only ACE
which does NOT affect access control and is used for future propagation
to children of the new directory.
This is done since chmod(2) *may* under some situations alter/reduce the
permission(s) of ACEs that affect access control. A chmod(2) operation
never alters "inherit only" ACEs. This then allows future
directories/files to always inherit the same ACL as their parent, or
parent's parent and so on.
> user:oxygen:rwxpdDaARWcCos:------I:allow <<NEW
The "I" indicates the ACE was inherited. This is the ACE that will be used
during access control.
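
The distinction drawn in the reply above, as an added example that is not part of the original message: a small Python parser for `ls -V` ACE lines that separates inherit-only template entries from the entries used for access control. It assumes the seven-position Solaris flag field (`fdinSFI`); the function names are hypothetical and the sample lines are constructed from the listings quoted above.

```python
import re

# Constructed sample: ACE lines as printed by `ls -ldV`, taken from the
# parent and child directory listings quoted in the message above.
PARENT = "user:oxygen:rwxpdDaARWcCos:fd-----:allow"
CHILD = """\
user:oxygen:rwxpdDaARWcCos:fdi---I:allow
user:oxygen:rwxpdDaARWcCos:------I:allow
"""

# who : 14 permission positions : 7 flag positions (fdinSFI) : allow|deny
ACE_RE = re.compile(
    r"^\s*(?P<who>(?:user|group):[^:\s]+|owner@|group@|everyone@)"
    r":(?P<perms>[a-zA-Z-]{14}):(?P<flags>[a-zA-Z-]{7}):(?P<type>allow|deny)\s*$"
)

def parse_aces(text):
    """Return one dict per ACE line; non-ACE lines (e.g. the ls header) are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m is None:
            continue
        flags = m.group("flags")
        aces.append({
            "who": m.group("who"),
            "perms": m.group("perms"),
            "type": m.group("type"),
            # 'i' = inherit_only: template for children, skipped in access checks
            "effective": "i" not in flags,
            # 'f'/'d' = file_inherit/dir_inherit: copied to new files/directories
            "propagates": "f" in flags or "d" in flags,
            # 'I' = inherited: the ACE came from the parent directory
            "inherited": "I" in flags,
        })
    return aces

def effective_aces(text):
    """ACEs that take part in access control, in listing order."""
    return [a for a in parse_aces(text) if a["effective"]]

if __name__ == "__main__":
    for ace in parse_aces(PARENT + "\n" + CHILD):
        print(ace)
```

When auditing a directory tree, only the entries returned by `effective_aces` describe who can currently access an object; the inherit-only entries describe what new children will receive.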