From: Chris Stankevitz
To: freebsd-fs@freebsd.org
Subject: ZFS ACL Inheritance: umask and canonical ACEs
Date: Wed, 12 Apr 2017 11:07:20 -0700
Message-ID: <5aaf7f68-d099-c72a-c396-82b6597e7e01@stankevitz.com>

Hi,

Questions (detail appears later):

1. Why wasn't my "inherited" ACE faithfully inherited? Namely, the so-called inherited ACE does not have "rwxp--aARWcCos". Clearly the way inheritance works is a function of the shell's umask (or in my real scenario -- Samba's umask). I would like for inherited ACEs to not be a function of umask.

2. How do I tell ZFS/ACL that I do not want owner@, group@, or everyone@ ACEs created unless explicitly requested by setfacl? I do not want "extra" ACEs to appear on files I create within a particular directory -- even these "canonical" ACEs.

3. Bonus question: why does 'man setfacl' reference six canonical ACEs but there are only 3 (owner@, group@, everyone@)?

Thank you,

Chris

PS: I am using aclmode=passthrough and aclinherit=passthrough

=====

I have a directory with this ACL:

  # file: .
  # owner: cstankevitz
  # group: cstankevitz
  group:cstankevitz:rwxp--aARWcCos:fd-----:allow

Note that I have removed owner@, group@, and everyone@ ACEs. Also notice that the single ACE allows rwxp--aARWcCos access to cstankevitz and that it is supposed to be inherited.

Inside this directory, I do this:

  umask 000
  touch bar.txt
  getfacl bar.txt
  # file: bar.txt
  # owner: cstankevitz
  # group: cstankevitz
  group:cstankevitz:rw-p--a-R-c--s:------I:allow
  owner@:rw-p--aARWcCos:-------:allow
  group@:rw-p--a-R-c--s:-------:allow
  everyone@:rw-p--a-R-c--s:-------:allow

  umask 777
  touch foo.txt
  getfacl foo.txt
  # file: foo.txt
  # owner: cstankevitz
  # group: cstankevitz
  group:cstankevitz:------a-R-c--s:------I:allow
  owner@:------aARWcCos:-------:allow
  group@:------a-R-c--s:-------:allow
  everyone@:------a-R-c--s:-------:allow
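As an added example (not part of Chris's message and not a FreeBSD tool), the following Python audit parses the getfacl output quoted in the post and reports exactly which permission bits each inherited ACE lost on the child file, and which canonical owner@/group@/everyone@ ACEs appeared that the parent directory never listed. It assumes the FreeBSD getfacl NFSv4 line format shown above (tag[:qualifier]:perms:flags:type) and embeds the post's own ACLs as sample input.

```python
# Audit whether a directory's inheritable NFSv4 ACEs survived on a child file,
# from FreeBSD getfacl output.  The sample ACLs are copied from the post above.
PERM_ORDER = "rwxpDdaARWcCos"            # getfacl's NFSv4 permission column order
PARENT = """\
# file: .
group:cstankevitz:rwxp--aARWcCos:fd-----:allow
"""
CHILD_UMASK_000 = """\
group:cstankevitz:rw-p--a-R-c--s:------I:allow
owner@:rw-p--aARWcCos:-------:allow
group@:rw-p--a-R-c--s:-------:allow
everyone@:rw-p--a-R-c--s:-------:allow
"""
CHILD_UMASK_777 = """\
group:cstankevitz:------a-R-c--s:------I:allow
owner@:------aARWcCos:-------:allow
group@:------a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
"""
def parse_getfacl(text):
    """Parse getfacl NFSv4 ACE lines into dicts; '# ...' header lines are skipped."""
    aces = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.strip().split(":")
        if len(fields) == 4:                 # owner@/group@/everyone@ carry no qualifier
            fields.insert(1, "")
        tag, qualifier, perms, flags, kind = fields   # ValueError on a malformed line
        aces.append({"who": f"{tag}:{qualifier}".rstrip(":"),
                     "perms": set(perms) - {"-"},
                     "flags": set(flags) - {"-"}, "type": kind})
    return aces

def audit_inheritance(parent_text, child_text):
    """Return (dropped, extra): bits each inherited ACE lost, and canonical ACEs the child gained."""
    parent, child = parse_getfacl(parent_text), parse_getfacl(child_text)
    dropped = {}
    for p in parent:
        if not p["flags"] & {"f", "d"}:      # only file/dir-inheritable parent ACEs matter
            continue
        for c in child:
            if (c["who"], c["type"]) == (p["who"], p["type"]) and "I" in c["flags"]:
                lost = p["perms"] - c["perms"]
                if lost:
                    dropped[p["who"]] = "".join(ch for ch in PERM_ORDER if ch in lost)
    parent_who = {p["who"] for p in parent}
    extra = sorted(c["who"] for c in child
                   if c["who"].endswith("@") and c["who"] not in parent_who)
    return dropped, extra
```

Run against the post's data, the umask 000 child lost "xAWCo" from the inherited group:cstankevitz ACE and the umask 777 child lost "rwxpAWCo", while both gained the three canonical ACEs.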