ACL on TrueNAS
Posted on March 29, 2022 • 3 minutes • 590 words • Suggest Changes
ACL is not something I’m really familiar with, so these are just raw notes on how I deal with it in TrueNAS. Some more context might follow 😆
check permissions with
set them (chmod/chown) : (the order seems to be important)
setfacl -m group@:rwxpdDaARWcs:fd:allow support setfacl -m group@:dD::deny support
setfacl -m level:permissions:inhertance:allow|deny dir/file
- owner@ : owner of the dir/file
- group@ : group that owns the dir/file
- everyone@ : others ?
- owner : a specific user other than the owner of the file/dir
- group : a specific group other than the owner of the file/dir
- everyone : ?
Permission letters :
r read_data w write_data x execute p append_data d delete_child D delete a read_attributes A write_attributes R read_xattr W write_xattr c read_acl C write_acl o write_owner S synchronize
add_file w Permission to add a new file to a directory. add_subdirectory p On a directory, permission to create a subdirectory. delete d Permission to delete a file. delete_child D Permission to delete a file or directory within a directory. execute x Permission to execute a file or search the contents of a directory. list_directory r Permission to list the contents of a directory. read_acl c Permission to read the ACL (ls). read_attributes a Permission to read basic attributes (non-ACLs) of a file. Think of basic attributes as the stat level attributes. Allowing this access mask bit means the entity can execute ls(1) and stat(2). read_data r Permission to read the contents of the file. read_xattr R Permission to read the extended attributes of a file or perform a lookup in the file's extended attributes directory. write_xattr W Permission to create extended attributes or write to the extended attributes directory. Granting this permission to a user means that the user can create an extended attribute directory for a file. The attribute file's permissions control the user's access to the attribute. write_data w Permission to modify or replace the contents of a file. write_attributes A Permission to change the times associated with a file or directory to an arbitrary value. write_acl C Permission to write the ACL or the ability to modify the ACL by using the chmod command. write_owner o Permission to change the file's owner or group. Or, the ability to execute the chown or chgrp commands on the file.
f file_inherit : Only inherit the ACL from the parent directory to the directory's files. d dir_inherit : Only inherit the ACL from the parent directory to the directory's subdirectories. i inherit_only : Inherit the ACL from the parent directory but applies only to newly created files or subdirectories and not the directory itself. This flag requires the file_inherit flag, the dir_inherit flag, or both, to indicate what to inherit. n no_propagate : Only inherit the ACL from the parent directory to the first-level contents of the directory, not the second-level or subsequent contents. This flag requires the file_inherit flag, the dir_inherit flag, or both, to indicate what to inherit.
special cases :
S successful_access : Indicates whether an alarm or audit record should be initiated upon a successful access. This flag is used with audit or alarm ACE types. F failed_access : Indicates whether an alarm or audit record should be initiated when an access fails. This flag is used with audit or alarm ACE types. I inherited : Indicates that an ACE was inherited.
# allow svennd full control on budget (no inherit), :: resolves into :----: setfacl -m u:svennd:rwxpDdaARWcCos::allow Budget
Image by rojekilian