Why doesn't chmod 7 set the delete flags in NFSv4?

I am trying to learn more about NFSv4 ACLs and their mapping to POSIX ACLs.

I was surprised to find that when I issue a chmod on a file with a 7 (e.g. chmod 755 or chmod 777) the resulting NFSv4 ACL does not have the Dd flags set.

This is confusing to me, because I am able to delete the file. Can you explain?

Bash:
root@artemis:~ # touch /testpool/blackhole/general/file.txt
root@artemis:~ # getfacl /testpool/blackhole/general/file.txt
# file: /testpool/blackhole/general/file.txt
# owner: root
# group: wheel
            owner@:rw-p--aARWcCos:-------:allow
            group@:r-----a-R-c--s:-------:allow
         everyone@:r-----a-R-c--s:-------:allow
root@artemis:~ # chmod 644 /testpool/blackhole/general/file.txt
root@artemis:~ # getfacl /testpool/blackhole/general/file.txt
# file: /testpool/blackhole/general/file.txt
# owner: root
# group: wheel
            owner@:rw-p--aARWcCos:-------:allow
            group@:r-----a-R-c--s:-------:allow
         everyone@:r-----a-R-c--s:-------:allow
root@artemis:~ # chmod 755 /testpool/blackhole/general/file.txt
root@artemis:~ # getfacl /testpool/blackhole/general/file.txt
# file: /testpool/blackhole/general/file.txt
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
root@artemis:~ # chmod 777 /testpool/blackhole/general/file.txt
root@artemis:~ # getfacl /testpool/blackhole/general/file.txt
# file: /testpool/blackhole/general/file.txt
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:rwxp--a-R-c--s:-------:allow
 
I am trying to learn more about NFSv4 ACLs and their mapping to POSIX ACLs.
I was surprised to find that when I issue a chmod on a file with a 7 (e.g. chmod 755 or chmod 777) the resulting NFSv4 ACL does not have the Dd flags set.
What? Why? chmod(1) uses the chmod(2) system call. This system call can only convey changes in the (traditional) UNIX file mode, which may have an impact on ACEs depending on the aclmode zfsprops(7). To (create and) modify the ACL you must use setfacl(1).
This is confusing to me, because I am able to delete the file. Can you explain?
Well, root may delete everything, so this shouldn’t surprise. ;)
Bash:
% touch /tmp/foo
% chmod u=rw,go= /tmp/foo
% setfacl -M - /tmp/foo << 'EOT'
# permit stat(2) and unlink(2)
everyone@:read_attributes/delete::allow
EOT
% su some_unprivileged_user -c 'rm /tmp/foo'
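
An added example, not part of either post above: a small Python parser for the getfacl output shown in this thread that reports which allow entries carry delete (d) or delete_child (D), in compact or verbose form. The letter order follows FreeBSD setfacl(1); the function names and the user:alice and deny entries are constructed for illustration.

```python
# Compact permission letters in the order getfacl prints them (FreeBSD
# setfacl(1)); a '-' in a slot means that permission is absent.
COMPACT = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "D": "delete_child", "d": "delete", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}

def parse_ace(line):
    """Parse one ACE line (compact or verbose); None for comments and blanks."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    # Split from the right so 'user:alice:...' keeps its qualifier in `who`.
    who, perms, _flags, ace_type = line.rsplit(":", 3)
    if "/" in perms or perms in COMPACT.values():
        names = set(perms.split("/"))      # verbose: read_attributes/delete
    else:
        names = {COMPACT[c] for c in perms if c != "-"}
    return {"who": who, "perms": names, "type": ace_type}

def delete_grants(acl_text):
    """Return (who, permission) pairs where an allow ACE grants d or D."""
    hits = []
    for raw in acl_text.splitlines():
        ace = parse_ace(raw)
        if ace and ace["type"] == "allow":
            granted = ace["perms"] & {"delete", "delete_child"}
            hits += [(ace["who"], p) for p in sorted(granted)]
    return hits

# getfacl output after `chmod 777`, copied from the question.
CHMOD_777 = """\
# file: /testpool/blackhole/general/file.txt
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:rwxp--a-R-c--s:-------:allow
"""
# The ACE passed to setfacl in the reply (verbose form).
REPLY_ACE = "everyone@:read_attributes/delete::allow"
# Constructed entries: a named user with D and d, and a deny ACE (not a grant).
CONSTRUCTED = ("user:alice:rwxpDd--------:-------:allow\n"
               "group@:rwxpDd--------:-------:deny")

if __name__ == "__main__":
    for label, acl in (("chmod 777", CHMOD_777), ("reply", REPLY_ACE)):
        print(label, delete_grants(acl))
```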
 