From f906bfd159c71ea043e936996ec3293b31526451 Mon Sep 17 00:00:00 2001 From: mm Date: Mon, 26 Nov 2012 12:24:39 +0000 Subject: MFV r243395: Introduce a new dataset aclmode setting "restricted" to protect ACL's being destroyed or corrupted by a drive-by chmod. illumos-gate 13889:a67716f16746 3254 add support in zfs for aclmode=restricted References: https://www.illumos.org/issues/3254 MFC after: 2 weeks --- cddl/contrib/opensolaris/cmd/zfs/zfs.8 | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) (limited to 'cddl') diff --git a/cddl/contrib/opensolaris/cmd/zfs/zfs.8 b/cddl/contrib/opensolaris/cmd/zfs/zfs.8 index 10e6ae3..a09aa77 100644 --- a/cddl/contrib/opensolaris/cmd/zfs/zfs.8 +++ b/cddl/contrib/opensolaris/cmd/zfs/zfs.8 @@ -760,7 +760,7 @@ If no inheritable .Tn ACE Ns s exist that affect the mode, then the mode is set in accordance to the requested mode from the application. -.It Sy aclmode Ns = Ns Cm discard | groupmask | passthrough +.It Sy aclmode Ns = Ns Cm discard | groupmask | passthrough | restricted Controls how an .Tn ACL is modified during @@ -790,6 +790,32 @@ indicates that no changes are made to the other than creating or updating the necessary .Tn ACL entries to represent the new mode of the file or directory. +An +.Sy aclmode +property of +.Cm restricted +will cause the +.Xr chmod 2 +operation to return an error when used on any file or directory which has +a non-trivial +.Tn ACL +whose entries can not be represented by a mode. +.Xr chmod 2 +is required to change the set user ID, set group ID, or sticky bits on a file +or directory, as they do not have equivalent +.Tn ACL +entries. +In order to use +.Xr chmod 2 +on a file or directory with a non-trivial +.Tn ACL +when +.Sy aclmode +is set to +.Cm restricted , +you must first remove all +.Tn ACL +entries which do not represent the current mode. .It Sy atime Ns = Ns Cm on | off Controls whether the access time for files is updated when they are read. Turning this property off avoids producing write traffic when reading files and -- cgit v1.1