ACL inheritance
The inheritance flags in an ACL entry of a parent directory control how that entry's authorization is inherited by child files and directories. The inheritance flags give you the granularity to specify whether the inheritance defined in an ACL entry applies to the current directory and its children, or only to the subdirectories and files that are contained in the parent directory. ACL entries are inherited by child directories or files at the time of creation. Changes made to the ACL of a parent directory are not propagated to existing child directories or files. However, in the case of SMB, you can choose to propagate the inheritance changes from a parent to all its children by using File Explorer, the command line, or PowerShell.
Controlling inheritance of entries inside an ACL
The NFSv4 protocol uses the following flags to specify and control the inheritance information of the ACEs:
- FileInherit: Indicates that this ACE must be added to each new non-directory file created. This flag is signified by ‘f’ or file_inherit.
- DirInherit: Indicates that this ACE must be added to each new directory created. This flag is signified by ‘d’ or dir_inherit.
- InheritOnly: Indicates that this ACE is not applied to the parent directory itself, but only inherited by its children. This flag is signified by ‘i’ or inherit_only.
- NoPropagateInherit: Indicates that the ACL entry must be included in the initial ACL for subdirectories that are created in this directory but not further propagated to subdirectories created below that level.
In the case of SMB, the following list shows how the inheritance flags map to the Microsoft Windows inheritance modes:
- This folder only (No bits)
- This folder, subfolder, and files (FileInherit, DirInherit)
- This folder and subfolders (DirInherit)
- This folder and files (FileInherit)
- Subfolders and files only (FileInherit, DirInherit, InheritOnly)
- Subfolders only (DirInherit, InheritOnly)
- Files only (FileInherit, InheritOnly)
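The following Python model is an added example, not code from the original page or from any product it describes. It simulates what the flags above do at create time: which of a parent directory's ACEs land on a new file and on a new subdirectory, which inheritance flags survive the copy, and how `InheritOnly` and `NoPropagateInherit` change the result one level further down. It also maps a flag set back to the Windows inheritance mode named in the list above. The `Ace` record, the `who` strings and the permission letters are constructed for illustration. One rule is an assumption beyond the page: an ACE with `FileInherit` but not `DirInherit` is carried onto a new subdirectory with `InheritOnly` set (so that files below can still inherit it), and is dropped there entirely if `NoPropagateInherit` is also set; that follows RFC 7530 section 6.4.3.2 rather than anything stated on this page.

```python
"""Model of NFSv4 ACE inheritance at file/directory creation time.

Constructed example. The FileInherit-only-on-a-new-directory rule follows
RFC 7530 section 6.4.3.2; everything else follows the flag definitions above.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, Iterable, List

FILE_INHERIT = "FileInherit"
DIR_INHERIT = "DirInherit"
INHERIT_ONLY = "InheritOnly"
NO_PROPAGATE = "NoPropagateInherit"
INHERITANCE_FLAGS = frozenset({FILE_INHERIT, DIR_INHERIT, INHERIT_ONLY, NO_PROPAGATE})


@dataclass(frozen=True)
class Ace:
    who: str                            # constructed: "owner@", "group:staff", "user:alice"
    kind: str                           # "allow" or "deny"
    perms: str                          # permission letters, treated as opaque here
    flags: FrozenSet[str] = frozenset()  # subset of INHERITANCE_FLAGS


def effective_aces(acl: Iterable[Ace]) -> List[Ace]:
    """ACEs that actually apply to the object carrying the ACL.

    An InheritOnly ACE is stored on a directory purely so children can
    inherit it; it grants or denies nothing on that directory itself.
    """
    return [ace for ace in acl if INHERIT_ONLY not in ace.flags]


def inherit_to_file(parent_acl: Iterable[Ace]) -> List[Ace]:
    """ACL of a new non-directory file created under parent_acl.

    Only FileInherit ACEs are copied. A plain file has no children, so the
    copy carries no inheritance flags at all.
    """
    return [replace(ace, flags=frozenset())
            for ace in parent_acl if FILE_INHERIT in ace.flags]


def inherit_to_dir(parent_acl: Iterable[Ace]) -> List[Ace]:
    """ACL of a new subdirectory created under parent_acl."""
    child: List[Ace] = []
    for ace in parent_acl:
        flags = set(ace.flags)
        if DIR_INHERIT in flags:
            if NO_PROPAGATE in flags:
                # Applies to this subdirectory, but is not inherited any deeper.
                flags -= INHERITANCE_FLAGS
            else:
                # The ACE now applies to the child itself and keeps inheriting.
                flags.discard(INHERIT_ONLY)
        elif FILE_INHERIT in flags:
            if NO_PROPAGATE in flags:
                continue  # RFC 7530: cannot go deeper, so not inherited at all
            # RFC 7530: kept on the directory only so files below inherit it;
            # the directory itself gains no permission from it.
            flags.add(INHERIT_ONLY)
        else:
            continue  # no inheritance flags: "This folder only"
        child.append(replace(ace, flags=frozenset(flags)))
    return child


# Windows inheritance modes keyed by the NFSv4 flag set, as listed on the page.
WINDOWS_MODES = {
    frozenset(): "This folder only",
    frozenset({FILE_INHERIT, DIR_INHERIT}): "This folder, subfolders, and files",
    frozenset({DIR_INHERIT}): "This folder and subfolders",
    frozenset({FILE_INHERIT}): "This folder and files",
    frozenset({FILE_INHERIT, DIR_INHERIT, INHERIT_ONLY}): "Subfolders and files only",
    frozenset({DIR_INHERIT, INHERIT_ONLY}): "Subfolders only",
    frozenset({FILE_INHERIT, INHERIT_ONLY}): "Files only",
}


def windows_mode(flags: Iterable[str]) -> str:
    """Name the Windows inheritance mode for a flag set; NoPropagate is a modifier."""
    flags = frozenset(flags)
    name = WINDOWS_MODES.get(flags - {NO_PROPAGATE}, "(no Windows equivalent)")
    if NO_PROPAGATE in flags:
        name += ", not propagated below the first level"
    return name


# Constructed parent directory ACL covering each inheritance mode.
PARENT_ACL = [
    Ace("owner@", "allow", "rwx"),
    Ace("group:staff", "allow", "r-x", frozenset({FILE_INHERIT, DIR_INHERIT})),
    Ace("user:auditor", "allow", "r--", frozenset({FILE_INHERIT, DIR_INHERIT, INHERIT_ONLY})),
    Ace("user:builder", "allow", "rwx", frozenset({DIR_INHERIT, NO_PROPAGATE})),
    Ace("everyone@", "deny", "-w-", frozenset({FILE_INHERIT, INHERIT_ONLY})),
]

if __name__ == "__main__":
    for ace in PARENT_ACL:
        print(f"{ace.who:14} {windows_mode(ace.flags)}")
    child = inherit_to_dir(PARENT_ACL)
    print("new file     :", [a.who for a in inherit_to_file(PARENT_ACL)])
    print("new subdir   :", [(a.who, sorted(a.flags)) for a in child])
    print("effective    :", [a.who for a in effective_aces(child)])
    print("grandchild   :", [a.who for a in inherit_to_dir(child)])
```

Running it shows the points the text makes: the new file receives three flag-free ACEs (the `owner@` "this folder only" entry and the `DirInherit`-only entry never reach it); the `InheritOnly` auditor entry becomes effective on the subdirectory because `InheritOnly` is cleared on the copy; the `NoPropagateInherit` builder entry appears on the subdirectory with no flags and is therefore absent from the grandchild. Because each child ACL is computed once at creation, editing `PARENT_ACL` afterwards leaves the returned child lists unchanged, which is the "not propagated" behaviour described above.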