6763 aclinherit=restricted masks inherited permissions by group perms…

… (groupmask)

Reviewed by: Gordon Ross <gwr@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
Approved by: Richard Lowe <richlowe@richlowe.net>

usr/src/man/man1m/zfs.1m

@@ -25,10 +25,10 @@
 .\" Copyright (c) 2013 by Saso Kiselkov. All rights reserved.
 .\" Copyright (c) 2014, Joyent, Inc. All rights reserved.
 .\" Copyright (c) 2014 by Adam Stevko. All rights reserved.
-.\" Copyright 2015 Nexenta Systems, Inc.  All Rights Reserved.
 .\" Copyright (c) 2014 Integros [integros.com]
+.\" Copyright 2016 Nexenta Systems, Inc.
 .\"
-.Dd June 8, 2015
+.Dd March 20, 2016
 .Dt ZFS 1M
 .Os
 .Sh NAME
@@ -786,31 +786,22 @@ dataset.
 .Sy aclinherit Ns = Ns Sy discard Ns | Ns Sy noallow Ns | Ns
 .Sy restricted Ns | Ns Sy passthrough Ns | Ns Sy passthrough-x
 .Xc
-Controls how
-.Sy ACE Ns s
-are inherited when files and directories are created.
+Controls how ACEs are inherited when files and directories are created.
 .Bl -tag -width "passthrough-x"
 .It Sy discard
-does not inherit any
-.Sy ACE Ns s .
+does not inherit any ACEs.
 .It Sy noallow
-only inherits inheritable
-.Sy ACE Ns s
-that specify
+only inherits inheritable ACEs that specify
 .Qq deny
 permissions.
 .It Sy restricted
 default, removes the
 .Sy write_acl
 and
 .Sy write_owner
-permissions when the
-.Sy ACE
-is inherited.
+permissions when the ACE is inherited.
 .It Sy passthrough
-inherits all inheritable
-.Sy ACE Ns s
-without any modifications.
+inherits all inheritable ACEs without any modifications.
 .It Sy passthrough-x
 same meaning as
 .Sy passthrough ,
@@ -819,69 +810,51 @@ except that the
 .Sy group@ ,
 and
 .Sy everyone@
-.Sy ACE Ns s
-inherit the execute permission only if the file creation mode also requests the
-execute bit.
+ACEs inherit the execute permission only if the file creation mode also requests
+the execute bit.
 .El
 .Pp
 When the property value is set to
 .Sy passthrough ,
-files are created with a mode determined by the inheritable
-.Sy ACE Ns s .
-If no inheritable
-.Sy ACE Ns s
-exist that affect the mode, then the mode is set in accordance to the requested
-mode from the application.
+files are created with a mode determined by the inheritable ACEs.
+If no inheritable ACEs exist that affect the mode, then the mode is set in
+accordance to the requested mode from the application.
 .It Xo
 .Sy aclmode Ns = Ns Sy discard Ns | Ns Sy groupmask Ns | Ns
 .Sy passthrough Ns | Ns Sy restricted
 .Xc
-Controls how an
-.Sy ACL
-is modified during
-.Xr chmod 2 .
+Controls how an ACL is modified during
+.Xr chmod 2
+and how inherited ACEs are modified by the file creation mode.
 .Bl -tag -width "passthrough"
 .It Sy discard
-default, deletes all
-.Sy ACE Ns s
-that do not represent the mode of the file.
+default, deletes all ACEs except for those representing the mode of the file or
+directory requested by
+.Xr chmod 2 .
 .It Sy groupmask
-reduces permissions granted in all
+reduces permissions granted by all
 .Sy ALLOW
-entries found in the
-.Sy ACL
-such that they are no greater than the group permissions specified by
-.Xr chmod 2 .
+entries found in the ACL such that they are no greater than the group
+permissions specified by the mode.
 .It Sy passthrough
-indicates that no changes are made to the
-.Sy ACL
-other than creating or updating the necessary
-.Sy ACE Ns s
-to represent the new mode of the file or directory.
+indicates that no changes are made to the ACL other than creating or updating
+the necessary ACEs to represent the new mode of the file or directory.
 .It Sy restricted
 causes the
 .Xr chmod 2
 operation to return an error when used on any file or directory which has a
-non-trivial
-.Sy ACE Ns s
-whose entries can not be represented by a mode.
+non-trivial ACL, with entries in addition to those that represent the mode.
 .El
 .Pp
 .Xr chmod 2
-is required to change the set user ID, set group ID, or sticky bits on a file or
-directory, as they do not have equivalent
-.Sy ACE Ns s.
-In order to use
+is required to change the set user ID, set group ID, or sticky bit on a file or
+directory, as they do not have equivalent ACEs. In order to use
 .Xr chmod 2
-on a file or directory with a non-trivial
-.Sy ACL
-when
+on a file or directory with a non-trivial ACL when
 .Sy aclmode
 is set to
 .Sy restricted ,
-you must first remove all
-.Sy ACE Ns s
-which do not represent the current mode.
+you must first remove all ACEs except for those that represent the current mode.
 .It Sy atime Ns = Ns Sy on Ns | Ns Sy off
 Controls whether the access time for files is updated when they are read.
 Turning this property off avoids producing write traffic when reading files and
@@ -3437,9 +3410,7 @@ mount point permission is set to 755 by default, user
 .Sy cindys
 will be unable to mount file systems under
 .Em tank/cindys .
-Add an
-.Sy ACE
-similar to the following syntax to provide mount point access:
+Add an ACE similar to the following syntax to provide mount point access:
 .Bd -literal
 # chmod A+user:cindys:add_subdirectory:allow /tank/cindys
 .Ed

usr/src/uts/common/fs/zfs/zfs_acl.c

@@ -1411,11 +1411,10 @@ zfs_acl_chmod(vtype_t vtype, uint64_t mode, boolean_t trim, zfs_acl_t *aclp)
 		} else {
 
 			/*
-			 * Limit permissions to be no greater than
-			 * group permissions.
-			 * The "aclinherit" and "aclmode" properties
-			 * affect policy for create and chmod(2),
-			 * respectively.
+			 * Limit permissions granted by ACEs to be no greater
+			 * than permissions of the requested group mode.
+			 * Applies when the "aclmode" property is set to
+			 * "groupmask".
 			 */
 			if ((type == ALLOW) && trim)
 				access_mask &= masks.group;
@@ -1729,7 +1728,7 @@ zfs_acl_ids_create(znode_t *dzp, int flag, vattr_t *vap, cred_t *cr,
 			acl_ids->z_aclp->z_hints |= (vap->va_type == VDIR) ?
 			    ZFS_ACL_AUTO_INHERIT : 0;
 			zfs_acl_chmod(vap->va_type, acl_ids->z_mode,
-			    (zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED),
+			    (zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK),
 			    acl_ids->z_aclp);
 		}
 	}