First of all, I'm no expert in this, but I have got them working to my satisfaction (and securely) on my FreeNAS 9.1.1 server.
Out of interest, are you trying to use ACLs on a UFS or ZFS volume?
The reason I ask is that I believe NFSv4 inheritance doesn't work as you might expect on UFS. I tried it, failed, and then found sources online that state this is the case (such as
https://wiki.freebsd.org/NFSv4_ACLs right at the bottom). On ZFS I have found things to work fine. To give some useful examples for the commands provided by Dusan:
Code:
find /mnt/ZFS1/test/ -type d -exec setfacl -m u:John:modify_set:fd:allow {} \;
Would recursively set modify permissions for user "John" on the folder /mnt/ZFS1/test/ and all sub-folders. This also specifies file and folder inheritance for these permissions (this will only affect files/folders moved into or created in these folders from this point forward).
Code:
find /mnt/ZFS1/test/ -type f -exec setfacl -m u:John:modify_set:allow {} \;
Does the same as above but recursively for files in /mnt/ZFS1/test/ (obviously no inheritance settings are required).
Change u: to g: for groups, and -m to -x to remove ACL entries instead of creating/modifying them.
You can set individual permissions using the letter codes (see below); however, these commonly required sets are also available:
- full_set: all permissions
- modify_set: all permissions except write_acl and write_owner
- read_set: read_data, read_attributes, read_xattr and read_acl
- write_set: write_data, append_data, write_attributes and write_xattr
Code:
             owner@:--------------:-------:deny
             owner@:rwxp---A-W-Co-:-------:allow
             group@:-w-p----------:-------:deny
             group@:r-x-----------:-------:allow
          everyone@:-w-p---A-W-Co-:-------:deny
          everyone@:r-x---a-R-c--s:-------:allow
                    ||||||||||||||:|||||||
       (r)read data +|||||||||||||:||||||+ (I)nherited
       (w)rite data -+||||||||||||:|||||+- (F)ailed access (audit)
          e(x)ecute --+|||||||||||:||||+-- (S)uccess access (audit)
           a(p)pend ---+||||||||||:|||+--- (n)o propagate
           (d)elete ----+|||||||||:||+---- (i)nherit only
     (D)elete child -----+||||||||:|+----- (d)irectory inherit
      read (a)ttrib ------+|||||||:+------ (f)ile inherit
     write (A)ttrib -------+||||||
       (R)ead xattr --------+|||||
      (W)rite xattr ---------+||||
         read a(c)l ----------+|||
        write a(C)l -----------+||
     change (o)wner ------------+|
               sync -------------+
That should cover the basics; any questions, please ask :)
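A way to check the result of those find/setfacl runs, as an added example that is not part of the post above or of FreeNAS itself: a small Python decoder for the compact entry format that getfacl prints (the legend in the post: 14 permission letters in the order rwxpdDaARWcCos, then the flag letters fdinSFI, then allow/deny), plus an audit that flags the two things worth looking at afterwards. It assumes that column layout and that named principals appear as user:NAME or group:NAME; the getfacl listing for /mnt/ZFS1/test embedded in the script is constructed, not captured from a real system.

```python
"""Decode and audit NFSv4 ACL entries in the compact form FreeBSD/FreeNAS getfacl prints.

Added example, not from the post or from FreeNAS. Assumes the legend's column
layout (permissions rwxpdDaARWcCos, flags fdinSFI). The sample listing is constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

PERM_LETTERS = "rwxpdDaARWcCos"          # column order of the permission field
PERM_NAMES = dict(zip(PERM_LETTERS, (
    "read_data", "write_data", "execute", "append_data", "delete", "delete_child",
    "read_attributes", "write_attributes", "read_xattr", "write_xattr",
    "read_acl", "write_acl", "write_owner", "synchronize")))
FLAG_LETTERS = "fdinSFI"                 # column order of the flags field
FLAG_NAMES = dict(zip(FLAG_LETTERS, (
    "file_inherit", "dir_inherit", "inherit_only", "no_propagate",
    "successful_access", "failed_access", "inherited")))

# The named sets from setfacl(1), as sets of permission names
FULL_SET = frozenset(PERM_NAMES.values())
MODIFY_SET = FULL_SET - {"write_acl", "write_owner"}
READ_SET = frozenset({"read_data", "read_attributes", "read_xattr", "read_acl"})
WRITE_SET = frozenset({"write_data", "append_data", "write_attributes", "write_xattr"})
NAMED_SETS = {"full_set": FULL_SET, "modify_set": MODIFY_SET,
              "read_set": READ_SET, "write_set": WRITE_SET}


@dataclass(frozen=True)
class AclEntry:
    principal: str            # owner@, group@, everyone@, user:NAME or group:NAME
    perms: FrozenSet[str]
    flags: FrozenSet[str]
    kind: str                 # "allow" or "deny"


def _decode(field: str, letters: str, names: dict) -> FrozenSet[str]:
    """Map a positional letter field such as 'rwxp---A-W-Co-' to names.

    A shorter field (fewer columns) is accepted; a letter in the wrong column is not,
    since that means the line was mangled."""
    if len(field) > len(letters):
        raise ValueError(f"field too long: {field!r}")
    out = set()
    for pos, ch in enumerate(field):
        if ch == "-":
            continue
        if ch != letters[pos]:
            raise ValueError(f"unexpected {ch!r} at column {pos} of {field!r}")
        out.add(names[ch])
    return frozenset(out)


def parse_entry(line: str) -> AclEntry:
    """Parse one entry, e.g. 'user:John:rwxpdDaARWc--s:fd-----:allow'."""
    parts = line.strip().split(":")
    if len(parts) < 4 or parts[-1] not in ("allow", "deny"):
        raise ValueError(f"not an NFSv4 ACL entry: {line!r}")
    principal = ":".join(parts[:-3])      # 'owner@' or 'user:John'
    perms = _decode(parts[-3], PERM_LETTERS, PERM_NAMES)
    flags = _decode(parts[-2], FLAG_LETTERS, FLAG_NAMES)
    return AclEntry(principal, perms, flags, parts[-1])


def parse_getfacl(text: str) -> List[AclEntry]:
    """Parse a whole getfacl listing, skipping the '# file:' style header lines."""
    return [parse_entry(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def encode_perms(perms: FrozenSet[str]) -> str:
    """Render a permission set back into getfacl's 14-column form."""
    return "".join(ch if PERM_NAMES[ch] in perms else "-" for ch in PERM_LETTERS)


def named_set(entry: AclEntry) -> str:
    """Name of the setfacl set the entry's permissions equal exactly, or '' if none."""
    for name, members in NAMED_SETS.items():
        if entry.perms == members:
            return name
    return ""


def audit(entries: List[AclEntry], is_directory: bool) -> List[str]:
    """Flag what is worth checking after a recursive setfacl run."""
    findings = []
    for e in entries:
        if e.kind != "allow":
            continue
        # write_acl / write_owner let the principal rewrite the ACL, i.e. effectively
        # full control; that is exactly why modify_set leaves them out
        if e.principal != "owner@" and e.perms & {"write_acl", "write_owner"}:
            findings.append(f"{e.principal} can change ACL/ownership")
        # On a directory, a named entry without f/d flags applies to the directory only
        if is_directory and e.principal.startswith(("user:", "group:")) and not (
                e.flags & {"file_inherit", "dir_inherit"}):
            findings.append(f"{e.principal} entry will not be inherited by new files/dirs")
    return findings


# Constructed sample: a plausible getfacl listing for /mnt/ZFS1/test after the post's
# directory command (user John gets modify_set with file and directory inheritance)
SAMPLE_DIR_ACL = """\
# file: /mnt/ZFS1/test
# owner: root
# group: wheel
         user:John:rwxpdDaARWc--s:fd-----:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
"""

if __name__ == "__main__":
    entries = parse_getfacl(SAMPLE_DIR_ACL)
    for e in entries:
        print(f"{e.principal:12} {named_set(e) or 'custom':10} "
              f"flags={sorted(e.flags) or '-'} {e.kind}")
    print("findings:", audit(entries, is_directory=True))
```

Run as-is it decodes the embedded sample; to use it on a real box, feed the output of getfacl on the directory into parse_getfacl instead. encode_perms(MODIFY_SET) gives rwxpdDaARWc--s, which is what a modify_set entry looks like in getfacl output, so the only columns you should never see set for a non-owner principal are C and o.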