How to set default (not inherit) acl permissions on file creation

Tags: acl, freebsd, freenas, permissions

This is with a freenas box (FreeNAS-9.3-STABLE-201506292130).

In Debian-based Linux there are generally default permissions of 644/755 for files/directories (now 664/775?). As I understand it, this happens because the umask is set to 022 or 002, which governs the default permissions for the creation of new files. However, in FreeNAS (Windows ACL style permissions) default file creation simply inherits the permissions of the containing directory. I see from the setfacl(1) man page that there is an inheritance flag. However, I am looking more for a default rather than inheritance.
Is there a way to change this to have the creation behavior be closer to what is done in Debian-based systems? That is, I want files to be 644 and directories 755. I DO NOT want newly created files to just pick up 755 permissions because the directory has these permissions.

I have been racking my brain trying to get something to work. I am currently using NFSv4 ACLs and I get a 'branding mismatch' error when I try to use POSIX ACLs, so I've been sticking to using what I can with Windows-style, FreeNAS, FreeBSD, NFSv4, setfacl/getfacl commands, and I haven't been able to get the above behavior from anything I try.

$ mkdir test
$ cd test
$ ls -lat
drwxr-xr-x+  2 user  user   2 Aug  1 12:40 . 
drwxr-xr-x+ 67 user  user  67 Aug  1 12:40 ..
$ touch testfile
$ ls -lat
drwxr-xr-x+  2 user  user   3 Aug  1 12:40 .
-rwxr-xr-x+  1 user  user   0 Aug  1 12:40 testfile
drwxr-xr-x+ 67 user  user  67 Aug  1 12:40 ..
# file: .
# owner: user
# group: user
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:r-x---a-R-c--s:fd----:allow
         everyone@:r-x---a-R-c--s:fd----:allow
$ getfacl testfile
# file: testfile
# owner: user
# group: user
            owner@:rwxpDdaARWcCos:------:allow
            group@:r-x---a-R-c--s:------:allow
         everyone@:r-x---a-R-c--s:------:allow

Best Answer

There is no "default ACL" in NFSv4 ACLs. However, you have precise control over what is inherited and by what. In particular, you can add ACEs to be inherited by files, and another set that can be inherited by directories. Like this: the first three will apply to directories, the following three to files. Note that directories will inherit both, but the "file" entries will have the "i" (inherit_only) flag set, so they won't apply to the directory itself; they are there only to be inherited by files in the directories. So, this is the ACL on the parent directory:

        owner@:rwxp----------:-di----:allow
        group@:r-x-----------:-di----:allow
     everyone@:r-x-----------:-di----:allow
        owner@:rw-p----------:f-i----:allow
        group@:r-------------:f-i----:allow
     everyone@:r-------------:f-i----:allow
        owner@:rwxp--aARWcCos:-------:allow
        group@:r-x---a-R-c--s:-------:allow
     everyone@:r-x---a-R-c--s:-------:allow

This is what will be inherited by files (the 'I' flag means the entry was inherited; it didn't exist before FreeBSD 11-CURRENT):

        owner@:rw-p----------:------I:allow
        group@:r-------------:------I:allow
     everyone@:r-------------:------I:allow

This is what will be inherited by directories (the 'i' flag means 'inherit_only' - the ACE is there, but it doesn't affect the actual access permissions for it; it's only to be inherited down):

        owner@:rwxp----------:-d----I:allow
        group@:r-x-----------:-d----I:allow
     everyone@:r-x-----------:-d----I:allow
        owner@:rw-p----------:f-i---I:allow
        group@:r-------------:f-i---I:allow
     everyone@:r-------------:f-i---I:allow
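To check what a given parent ACL will hand down before rolling it out, here is an added example (my own code, not from the question or the answer above) that simulates the NFSv4 inheritance rules the answer describes: a small parser for getfacl's verbose ACE text and an inherit() function implementing the file_inherit / dir_inherit / inherit_only / no_propagate flag logic FreeBSD applies at create time, plus a grants_execute() check for exactly the thing the asker wants to avoid on new files. The PARENT_ACL text is copied from the answer. The `restricted` switch, which drops write_acl (C) and write_owner (o) from inherited effective entries the way ZFS's aclinherit=restricted does, is my own name for it and defaults to off, because the getfacl output in the question shows those bits being inherited unchanged. Masking by the creation mode, which some code paths also apply, is not modelled.

```python
"""Simulate NFSv4 ACL inheritance as FreeBSD/FreeNAS applies it at create time.

Example code added to this thread; not part of the original question or answer.
"""

from dataclasses import dataclass

# Letters of getfacl's 7-character flag field, in column order:
# file_inherit, dir_inherit, inherit_only, no_propagate, audit S/F, inherited.
FLAG_LETTERS = "fdinSFI"

# The parent-directory ACL from the answer, copied verbatim.
PARENT_ACL = """\
        owner@:rwxp----------:-di----:allow
        group@:r-x-----------:-di----:allow
     everyone@:r-x-----------:-di----:allow
        owner@:rw-p----------:f-i----:allow
        group@:r-------------:f-i----:allow
     everyone@:r-------------:f-i----:allow
        owner@:rwxp--aARWcCos:-------:allow
        group@:r-x---a-R-c--s:-------:allow
     everyone@:r-x---a-R-c--s:-------:allow
"""


@dataclass(frozen=True)
class Ace:
    tag: str      # owner@, group@, everyone@, user:NAME or group:NAME
    perms: str    # verbose 14-char permission field, e.g. "rw-p----------"
    flags: str    # verbose 7-char flag field, e.g. "f-i----"
    kind: str     # allow or deny

    def __str__(self):
        return f"{self.tag:>14}:{self.perms}:{self.flags}:{self.kind}"


def parse_acl(text):
    """Parse getfacl(1) verbose output into a list of Ace objects."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # rsplit keeps a colon inside tags such as "user:alice" intact.
        tag, perms, flags, kind = line.rsplit(":", 3)
        # Pre-FreeBSD 11 output has a 6-char flag field (no 'I' column); pad it.
        aces.append(Ace(tag, perms, flags.ljust(len(FLAG_LETTERS), "-"), kind))
    return aces


def _with_flags(ace, keep):
    """Rebuild the flag field so that only the letters in `keep` are set."""
    field = "".join(c if c in keep else "-" for c in FLAG_LETTERS)
    return Ace(ace.tag, ace.perms, field, ace.kind)


def _without_perms(ace, drop):
    """Clear the permission letters in `drop`."""
    field = "".join("-" if c in drop else c for c in ace.perms)
    return Ace(ace.tag, field, ace.flags, ace.kind)


def inherit(parent, new_is_dir, restricted=False):
    """Return the ACL a new file (or directory) created under `parent` receives.

    `restricted` mimics ZFS aclinherit=restricted (my naming, an assumption):
    write_acl and write_owner are stripped from inherited effective entries.
    """
    child = []
    for ace in parent:
        fl = {c for c in ace.flags if c != "-"}
        if not fl & {"f", "d"}:
            continue                        # not inheritable at all
        if not new_is_dir and "f" not in fl:
            continue                        # directory-only entry
        if new_is_dir and "d" not in fl and "n" in fl:
            continue                        # could never reach a file below
        keep = (fl - {"i"}) | {"I"}         # copy applies here, marked inherited
        if not new_is_dir or "n" in fl:
            keep -= {"f", "d", "n"}         # leaf: nothing to pass further down
        if new_is_dir and "f" in keep and "d" not in keep:
            keep |= {"i"}                   # file-only entry rides along unapplied
        new = _with_flags(ace, keep)
        if restricted and new.kind == "allow" and "i" not in keep:
            new = _without_perms(new, "Co")
        child.append(new)
    return child


def grants_execute(acl):
    """Tags whose effective allow entries carry 'x' (what the asker wants to avoid on files)."""
    return sorted({a.tag for a in acl
                   if a.kind == "allow" and "x" in a.perms and "i" not in a.flags})


if __name__ == "__main__":
    parent = parse_acl(PARENT_ACL)
    for label, is_dir in (("new file", False), ("new directory", True)):
        child = inherit(parent, is_dir)
        print(f"--- {label} ---")
        for ace in child:
            print(ace)
        print("execute granted to:", grants_execute(child))
```

Running it reproduces the two inherited ACLs shown in the answer (with the 'I' column filled in), and grants_execute() returns an empty list for the new file but all three tags for the new directory. Feeding it the asker's original `fd----` ACL instead shows every tag keeping 'x' on new files, which is the behaviour the question complains about. Compare the output against `getfacl` on a file actually created under the directory; any difference points at the ZFS aclinherit setting or mode masking, which this simulation does not model.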