Preventing everyone (everyone@) from reading non-trivial ACLs.
bob@box-01:~/dir1 $ mkdir subdir2
bob@box-01:~/dir1 $ touch subdir2/file1
bob@box-01:~/dir1 $ touch subdir2/file2
bob@box-01:~/dir1 $ ll -dV subdir2
drwxr-xr-x 2 bob staff 2 Jun 20 11:03 subdir2
owner@:rwxp-DaARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
webservd@box-01:/home/bob/dir1 $ ll -dV subdir2
drwxr-xr-x 2 bob staff 2 Jun 20 11:03 subdir2
owner@:rwxp-DaARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
bob@box-01:~/dir1 $ chmod A2=everyone@:rxaRs:allow subdir2
bob@box-01:~/dir1 $ ll -dV subdir2
drwxr-xr-x 2 bob staff 2 Jun 20 11:03 subdir2
owner@:rwxp-DaARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R----s:-------:allow
webservd@box-01:/home/bob/dir1 $ ll subdir2
ls: can't read ACL on subdir2: Permission denied
total 2
-rw-r--r-- 1 bob staff 0 Jun 20 12:34 file1
-rw-r--r-- 1 bob staff 0 Jun 20 12:34 file2
But it's not yet OK because I expected it to "propagate" throughout subdirectories.
This didn't happen:
webservd@box-01:/home/bob/dir1 $ ll -dV subdir2/file1
-rw-r--r-- 1 bob staff 0 Jun 20 12:34 subdir2/file1
owner@:rw-p--aARWcCos:-------:allow
group@:r-----a-R-c--s:-------:allow
everyone@:r-----a-R-c--s:-------:allow
Trying to address the above problem, I've reached another hurdle: ACL inheritance.
That's not so straightforward: the ZFS aclinherit file-system property comes into play.
The default aclinherit setting, restricted, isn't suitable for this case:
owner@, group@ and/or everyone@ are discarded and recomputed from the umask.
Thus, the solution seems to be passthrough or passthrough-x.
I'm still not sure whether one of them would be preferable to the other.
bob@box-01:~/dir1 $ zfs get aclinherit rpool/export/home/bob
NAME                   PROPERTY    VALUE        SOURCE
rpool/export/home/bob  aclinherit  passthrough  local
bob@box-01:~/dir1 $ mkdir subdir4
bob@box-01:~/dir1 $ ll -dV subdir4
drwxr-xr-x 2 bob staff 2 Jun 20 14:36 subdir4
owner@:rwxp-DaARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
bob@box-01:~/dir1 $ chmod A+user:webservd:rxaR:fd:allow subdir4
bob@box-01:~/dir1 $ chmod A1=owner@:rwxpDaARWcCos:fd:allow subdir4
bob@box-01:~/dir1 $ chmod A2=group@:rxaRcs:fd:allow subdir4
bob@box-01:~/dir1 $ chmod A3=everyone@:c:fd:deny subdir4
bob@box-01:~/dir1 $ ll -dV subdir4
drwxr-x---+ 2 bob staff 3 Jun 20 15:08 subdir4
user:webservd:r-x---a-R-----:fd-----:allow
owner@:rwxp-DaARWcCos:fd-----:allow
group@:r-x---a-R-c--s:fd-----:allow
everyone@:----------c--s:fd-----:deny
bob@box-01:~/dir1 $ touch subdir4/file42
bob@box-01:~/dir1 $ ll -dV subdir4/file42
-rwxr-x---+ 1 bob staff 0 Jun 20 15:44 subdir4/file42
user:webservd:r-x---a-R-----:------I:allow
owner@:rwxp-DaARWcCos:------I:allow
group@:r-x---a-R-c--s:------I:allow
everyone@:----------c--s:------I:deny
webservd@box-01:/home/bob/dir1 $ ll -dV subdir4
ls: can't read ACL on subdir4: Permission denied
drwxr-x--- 2 bob staff 4 Jun 20 15:44 subdir4
webservd@box-01:/home/bob/dir1 $ ll -dV subdir4/file42
ls: can't read ACL on subdir4/file42: Permission denied
-rwxr-x--- 1 bob staff 0 Jun 20 15:44 subdir4/file42
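Both hurdles above (everyone@ being able to read an ACL, and what a newly created file inherits) can be reasoned about offline with the following Python model. This is an added example, not code from the post or from ZFS itself: it parses ACE lines in the form `ls -V` prints them (and the compact form `chmod A...` accepts), answers whether a principal is allowed a given permission letter by NFSv4 first-match evaluation, and predicts inheritance under each aclinherit value as described in zfs(1M). The sample ACL is subdir4's listing copied from above; `Ace`, `Principal`, `inherit` and the other names are this example's own. Two points are assumptions of the model rather than facts from the page: for passthrough-x it matches owner@/group@/everyone@ against the user/group/other execute bit of the creation mode, and the access check omits the kernel's mode-based fast path and the re-application of the creation mode that restricted triggers after inheritance.

```python
# Added example, not code from the original post: a Python model of the compact ACE
# format printed by `ls -V` on ZFS. It checks whether a user can read an ACL (the
# read_acl "c" column) and predicts inheritance under each aclinherit setting.
from collections import namedtuple
from dataclasses import dataclass
import stat

PERM_CHARS = "rwxpdDaARWcCos"   # column order of the 14-char permission field
FLAG_CHARS = "fdinFSI"          # column order of the 7-char inheritance field
ABSTRACT = ("owner@", "group@", "everyone@")
XBIT = {"owner@": stat.S_IXUSR, "group@": stat.S_IXGRP, "everyone@": stat.S_IXOTH}
# Sample input: subdir4's ACL exactly as `ls -dV` printed it in the post.
SUBDIR4_LISTING = """drwxr-x---+ 2 bob staff 3 Jun 20 15:08 subdir4
user:webservd:r-x---a-R-----:fd-----:allow
owner@:rwxp-DaARWcCos:fd-----:allow
group@:r-x---a-R-c--s:fd-----:allow
everyone@:----------c--s:fd-----:deny"""

@dataclass(frozen=True)
class Ace:
    who: str            # owner@, group@, everyone@, user:NAME or group:NAME
    perms: frozenset    # letters from PERM_CHARS
    flags: frozenset    # letters from FLAG_CHARS
    kind: str           # "allow" or "deny"

# The requesting user: name, supplementary groups, and its relation to the object.
Principal = namedtuple("Principal", "name groups is_owner in_owner_group", defaults=(False, False))

def parse_ace(text):
    """Parse one ACE in the padded ls -V form (r-x---a-R-----) or the compact
    chmod form (rxaR; inheritance field optional)."""
    fields = text.strip().split(":")
    kind, who = fields.pop(), fields.pop(0)
    if who in ("user", "group"):            # named principal spans two fields
        who += ":" + fields.pop(0)
    perms = fields.pop(0)
    flags = fields.pop(0) if fields else ""
    if (kind not in ("allow", "deny") or fields or not set(perms) <= set(PERM_CHARS + "-")
            or not set(flags) <= set(FLAG_CHARS + "-")):
        raise ValueError("malformed ACE: %r" % text)
    return Ace(who, frozenset(perms) - {"-"}, frozenset(flags) - {"-"}, kind)

def parse_acl(listing):
    """Parse the ACE lines of an `ls -V` listing, skipping the mode/owner line."""
    return [parse_ace(l) for l in listing.splitlines() if l.strip().endswith((":allow", ":deny"))]

def format_ace(ace):
    """Render an ACE exactly as `ls -V` prints it."""
    perms = "".join(c if c in ace.perms else "-" for c in PERM_CHARS)
    flags = "".join(c if c in ace.flags else "-" for c in FLAG_CHARS)
    return "%s:%s:%s:%s" % (ace.who, perms, flags, ace.kind)

def applies(ace, who):
    if ace.who in ABSTRACT:
        return {"owner@": who.is_owner, "group@": who.in_owner_group, "everyone@": True}[ace.who]
    kind, _, name = ace.who.partition(":")
    return name == who.name if kind == "user" else name in who.groups

def allowed(acl, who, perm):
    """NFSv4 first-match check for one permission letter: the first applicable ACE
    naming it decides, no match means deny, inherit_only entries never grant."""
    for ace in acl:
        if "i" not in ace.flags and applies(ace, who) and perm in ace.perms:
            return ace.kind == "allow"
    return False

def inherit(parent_acl, mode, new_dir, aclinherit="passthrough"):
    """Predict the ACL a new object receives from its parent's ACL; `mode` is the
    creation mode after umask (0o644 for touch). Rules follow zfs(1M). Assumed here:
    passthrough-x tests owner@/group@/everyone@ against the user/group/other x bit.
    The later mode re-application that restricted triggers is not modelled."""
    if aclinherit == "discard":
        return []
    out = []
    for ace in parent_acl:
        if "f" not in ace.flags and not (new_dir and "d" in ace.flags):
            continue                          # not inheritable by this object type
        if aclinherit == "noallow" and ace.kind == "allow":
            continue
        perms = set(ace.perms)
        if aclinherit == "restricted" and ace.kind == "allow":
            perms -= {"C", "o"}               # never inherit write_acl/write_owner
        if (aclinherit == "passthrough-x" and not new_dir
                and ace.who in ABSTRACT and not mode & XBIT[ace.who]):
            perms.discard("x")                # execute only if the mode asks for it
        flags = {"I"}                         # a file gets only the "inherited" mark
        if new_dir and "n" not in ace.flags:  # no_propagate stops at one level
            flags |= ace.flags & {"f", "d"}
            if "d" not in ace.flags:          # file_inherit only: carried for the
                flags.add("i")                # subtree, not applied to the dir itself
        out.append(Ace(ace.who, frozenset(perms), frozenset(flags), ace.kind))
    return out

if __name__ == "__main__":
    acl = parse_acl(SUBDIR4_LISTING)
    print("webservd read_acl:", allowed(acl, Principal("webservd", frozenset()), "c"))
    for s in ("passthrough", "passthrough-x", "restricted"):
        print(s, [format_ace(a) for a in inherit(acl, 0o644, False, s)])
```

Running it shows that webservd gets list (`r`) but not read_acl (`c`) on subdir4, which is why `ls` prints "can't read ACL" and then the listing anyway; that the passthrough prediction for a file created with `touch` (mode 0644) reproduces the four `------I` entries shown for file42 above, execute bit included; and that under passthrough-x the same creation would have dropped `x` from owner@ and group@ while leaving the named user:webservd entry alone. That execute handling is the practical difference between the two settings when files are created by tools that never request execute.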