Feature #742


Resurrect the ZFS "aclmode" property

Added by Gordon Ross over 13 years ago. Updated about 6 years ago.

Start date:
Due date:
% Done:


Estimated time:
Gerrit CR:
External Bug:


Executive Summary:

The case (PSARC/2010/029 - Improved ACL interoperability)
simplified ACL handling in ZFS, but at the same time removed
the "aclmode" property. That removal has proven to be very
inconvenient in the field. This proposal resurrects the
"aclmode" property, with some changes to better fit within
the post-PSARC/2010/029 design.


There have been numerous customers complaints like:

- What happened to aclmode? I want aclmode=passthrough
- I don't want NFS setattr from Linux to replace my ACLs.
- I don't want chmod to destroy my ACLs

They have a point. PSARC/2010/029 removed control over
what setattr does with ACLs, leaving some customers with
no convenient way to make data remain accessible from both
NFS and CIFS clients.

There is an extensive discussion of this on zfs-discuss:
(and other threads - search for "aclmode")


This proposal reinstates handling of an "aclmode" property,
but with a different default and updated semantics, to
better integrate with post-PSARC/2010/029 handling of ACLs.

The settings for "aclmode" are the same as they were before
the property was removed, but the semantics of "groupmask"
are now as described in PSARC/2010/029, so "groupmask" will
no longer do ACE splitting.

The default value for "aclmode" was originally "groupmask".
Many find that convenient; some argue it's a security flaw.[1]
The reinstated "aclmode" will have "discard" as its default,
which continues current system behavior. (least surprise)

[1] In the thread "zfs proerty aclmode gone in 147?"
some argue that if "chmod 700" does anything other than
replace the ACL with a trivial one, it's a security bug.
For those people, aclmode=discard is the right setting.
Others take a different view, and want NFS setattr to
avoid destroying their carefully constructed ACLs.
We should provide mechanism, not policy here.

Man Page diffs

aclmode=discard | groupmask | passthrough

+Controls how an ACL is modified during chmod(2). A file system with
+an aclmode property of discard (the default) deletes all ACL entries
+that do not represent the mode of the file. An aclmode property of
+groupmask reduces permissions granted in all "allow" entries found in
+the ACL. The permissions are reduced such that they are no greater
+than the given group permission bits. A file system with an aclmode
+property of passthrough indicates that no changes are made to the ACL
+other than creating or updating the necessary ACL entries to represent
+the new mode of the file or directory.

[ The above "ACE trimming" described for "groupmask" is exactly what
the current ZFS code does when the aclinherit property is set to
"restricted". That ACE trimming logic will remain unchanged.
This proposal just makes that ACE trimming optional. ]

Related issues

Related to illumos gate - Bug #279: Bug in the new ACL (post-PSARC/2010/029) semanticsResolvedAlbert Lee2010-09-29

Related to illumos gate - Bug #664: Umask masking "deny" ACL entries.ResolvedAlbert Lee2011-01-26

Related to illumos gate - Bug #807: Trivial ACEs missing deleteClosed2011-03-12

Actions #1

Updated by Gordon Ross about 13 years ago

  • Status changed from New to Resolved
  • Difficulty set to Medium
  • Tags set to needs-triage

changeset: 13370:8c04143bd318
tag: tip
user: Albert Lee <>
date: Sat May 14 00:29:13 2011 -0400
742 Resurrect the ZFS "aclmode" property
664 Umask masking "deny" ACL entries.
279 Bug in the new ACL (post-PSARC/2010/029) semantics
Reviewed by: Aram Hăvărneanu <>
Reviewed by: Gordon Ross <>
Reviewed by: Robert Gordon <>
Reviewed by:
Approved by: Garrett D'Amore <>


Also available in: Atom PDF