From owner-freebsd-fs@freebsd.org  Wed Apr 12 19:39:46 2017
Return-Path: <owner-freebsd-fs@freebsd.org>
Delivered-To: freebsd-fs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id F1EEFD3BE67
 for <freebsd-fs@mailman.ysv.freebsd.org>; Wed, 12 Apr 2017 19:39:46 +0000 (UTC)
 (envelope-from chris@stankevitz.com)
Received: from mango.stankevitz.com (mango.stankevitz.com [208.79.93.194])
 by mx1.freebsd.org (Postfix) with ESMTP id E301815F
 for <freebsd-fs@freebsd.org>; Wed, 12 Apr 2017 19:39:46 +0000 (UTC)
 (envelope-from chris@stankevitz.com)
Received: from stink.local (209-203-101-124.static.twtelecom.net
 [209.203.101.124])
 by mango.stankevitz.com (Postfix) with ESMTPSA id 1F40F3CCAD;
 Wed, 12 Apr 2017 12:39:46 -0700 (PDT)
Subject: Re: ZFS ACL Inheritance: umask and canonical ACEs
To: Chris Stankevitz <chris-freebsd-fs@stankevitz.com>, freebsd-fs@freebsd.org
References: <5aaf7f68-d099-c72a-c396-82b6597e7e01@stankevitz.com>
From: Chris Stankevitz <chris@stankevitz.com>
Message-ID: <43807c41-d553-04cb-8b41-d7a809ba6403@stankevitz.com>
Date: Wed, 12 Apr 2017 12:39:44 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0)
 Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <5aaf7f68-d099-c72a-c396-82b6597e7e01@stankevitz.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-fs@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Filesystems <freebsd-fs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-fs>,
 <mailto:freebsd-fs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-fs/>
List-Post: <mailto:freebsd-fs@freebsd.org>
List-Help: <mailto:freebsd-fs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-fs>,
 <mailto:freebsd-fs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Apr 2017 19:39:47 -0000

On 4/12/17 11:07 AM, Chris Stankevitz wrote:
  2. How do I tell ZFS/ACL that I do not want owner@, group@, or
> everything@ ACEs created unless explicitly requested by setfacl?  I do
> not want "extra" ACEs to appear on files I create within a particular
> directory -- even these "canonical" ACEs.

https://github.com/freebsd/freebsd/blob/master/sys/kern/subr_acl_nfs4.c

 From sys/kern/subr_acl_nfsv4.c acl_nfs4_compute_inherited_acl_psarc 
(which I'm guessing is called when a file is created):

_acl_append(aclp, ACL_USER_OBJ, user_allow ...
_acl_append(aclp, ACL_GROUP_OBJ, group_allow ...
_acl_append(aclp, ACL_EVERYONE, everyone_allow ...

So it looks like I must have an @owner, @group, and @everyone at 
creation.  On Windows if you have a directory containing just one 
to-be-inherited ACE -- when you create a file within that directory, 
that new file also contains just one ACE.  Apparently on FreeBSD/ZFS you 
get some more "special" ACEs that appear whether you want them or not.

My Windows users (via Samba) are not used to these "bonus ACEs" 
appearing when they create files.

Chris