The difference between aclinherit and aclmode

file-permissionssolariszfs

ZFS filesystems can have the aclinherit and aclmode properties set on them to control how inheritable ACL entries interact with object creation and Unix-style permissions operations.

Unfortunately, the official documentation is a bit cryptic/ambiguous as to exactly what the difference is between these two properties in terms of their role in computing ACLs. To illustrate, take these excerpts from Securing Files and Verifying File Integrity
in Oracle® Solaris 11.3, emphasis mine:

aclinherit – Determine the behavior of ACL inheritance

and:

aclmode – Modifies ACL behavior when a file is initially created or controls how an ACL is modified during a chmod operation…

This is really confusing, because ACL inheritance is going to occur or not occur when a file is initially created!

As for chmod, the above language and some of the examples suggest that its behaviour is governed by aclmode, but there is also an example on p.45 that shows it being governed by aclinherit.

I have a feeling this is also complicated by variables in the APIs used to create files. (I am familiar with the Windows APIs but not *nix ones.)

I feel like even after reading through the documentation I have a rather incomplete picture of how these properties work.

What exactly is the difference between the two? They seem to have some overlap, so what governs which is applied? What if they contradict?

Best Answer

From the openzfs manual https://github.com/openzfs/openzfs.git

Clone repo, and man openzfs/usr/src/man/man1m/zfs.1m

 aclinherit=discard|noallow|restricted|passthrough|passthrough-x
   Controls how ACEs are inherited when files and directories are created.

   discard        does not inherit any ACEs.
   noallow        only inherits inheritable ACEs that specify "deny" permissions.
   restricted     default, removes the write_acl and write_owner permissions 
                  when the ACE is inherited.
   passthrough    inherits all inheritable ACEs without any modifications.
   passthrough-x  same meaning as passthrough, except that the owner@, group@, and 
                  everyone@ ACEs inherit the execute permission only if the file 
                  creation mode also requests the execute bit.

   When the property value is set to passthrough, files are created with a mode 
   determined by the inheritable ACEs.  If no inheritable ACEs exist that affect 
   the mode, then the mode is set in accordance to the requested mode from the 
   application.


 aclmode=discard|groupmask|passthrough|restricted
   Controls how an ACL is modified during chmod(2) and how inherited ACEs are 
   modified by the file creation mode.

   discard      default, deletes all ACEs except for those representing the mode 
                of the file or directory requested by chmod(2).
   groupmask    reduces permissions granted by all ALLOW entries found in the ACL 
                such that they are no greater than the group permissions specified 
                by the mode.
   passthrough  indicates that no changes are made to the ACL other than creating 
                or updating the necessary ACEs to represent the new mode of the 
                file or directory.
   restricted   causes the chmod(2) operation to return an error when used on any 
                file or directory which has a non-trivial ACL, with entries in 
                addition to those that represent the mode.

   chmod(2) is required to change the set user ID, set group ID, or sticky bit on 
   a file or directory, as they do not have equivalent ACEs.  In order to use 
   chmod(2) on a file or directory with a non-trivial ACL when aclmode is set to 
   restricted, you must first remove all ACEs except for those that represent the 
   current mode.
Related Topic