aclinherit 和 aclmode 有什么区别？

Question

ZFS 文件系统可以在其上设置aclinherit和aclmode属性，以控制可继承的 ACL 条目如何与对象创建和 Unix 风格的权限操作交互。

不幸的是，官方文档对于这两个属性在计算 ACL 中的作用方面究竟有什么区别有点含糊不清/含糊不清。为了说明这一点，请从在 Oracle® Solaris 11.3 中保护文件和验证文件完整性中摘录，重点是我的：

aclinherit– 确定ACL 继承的行为...

和：

aclmode–在最初创建文件时修改 ACL 行为或控制在chmod操作期间修改 ACL 的方式...

这真的很令人困惑，因为在最初创建文件时会发生或不发生ACL 继承！

至于chmod，上面的语言和一些例子表明它的行为是由 控制的aclmode，但第 45 页上还有一个例子表明它是由 控制的aclinherit。

我有一种感觉，这也因用于创建文件的 API 中的变量而变得复杂。（我熟悉 Windows API，但不熟悉 *nix API。）

我觉得即使在阅读了文档后，我对这些属性的工作原理也有相当不完整的了解。

两者之间究竟有什么区别？它们似乎有一些重叠，那么是什么决定了应用哪个呢？如果他们有矛盾怎么办？

Answer 1

来自 openzfs 手册https://github.com/openzfs/openzfs.git

克隆存储库，以及man openzfs/usr/src/man/man1m/zfs.1m

 aclinherit=discard|noallow|restricted|passthrough|passthrough-x
   Controls how ACEs are inherited when files and directories are created.

   discard        does not inherit any ACEs.
   noallow        only inherits inheritable ACEs that specify "deny" permissions.
   restricted     default, removes the write_acl and write_owner permissions 
                  when the ACE is inherited.
   passthrough    inherits all inheritable ACEs without any modifications.
   passthrough-x  same meaning as passthrough, except that the owner@, group@, and 
                  everyone@ ACEs inherit the execute permission only if the file 
                  creation mode also requests the execute bit.

   When the property value is set to passthrough, files are created with a mode 
   determined by the inheritable ACEs.  If no inheritable ACEs exist that affect 
   the mode, then the mode is set in accordance to the requested mode from the 
   application.


 aclmode=discard|groupmask|passthrough|restricted
   Controls how an ACL is modified during chmod(2) and how inherited ACEs are 
   modified by the file creation mode.

   discard      default, deletes all ACEs except for those representing the mode 
                of the file or directory requested by chmod(2).
   groupmask    reduces permissions granted by all ALLOW entries found in the ACL 
                such that they are no greater than the group permissions specified 
                by the mode.
   passthrough  indicates that no changes are made to the ACL other than creating 
                or updating the necessary ACEs to represent the new mode of the 
                file or directory.
   restricted   causes the chmod(2) operation to return an error when used on any 
                file or directory which has a non-trivial ACL, with entries in 
                addition to those that represent the mode.

   chmod(2) is required to change the set user ID, set group ID, or sticky bit on 
   a file or directory, as they do not have equivalent ACEs.  In order to use 
   chmod(2) on a file or directory with a non-trivial ACL when aclmode is set to 
   restricted, you must first remove all ACEs except for those that represent the 
   current mode.