Not sure if using the middleware API solves my issue, but I doubt it.
So far the results of my testing are:
Proper handling of inheritance like on Windows or Synology seems not to be possible with setfacl. You can only apply permissions recursively, which has the same effect for most use cases.
When changing permissions again later, make sure to apply them recursively again. Using the Windows permissions editor may be error-prone, but this is no issue for me because I’m always using my script to apply permissions.
BTW: Synology uses a self-made tool (synoacltool) to set inheritance and some patched chmod to apply permissions.
Another possibility to handle inheritance is using Samba:
```bash
# enable inheritance on a single folder/file
smbcacls --user my/admin //localhost/share TEST/sub1 --inherit=allow
# set some permission and propagate them to subfolders that have inheritance enabled
smbcacls --user my/admin //localhost/share TEST --set='ACL:my\usergroup:ALLOWED/OI|CI/FULL' --propagate-inheritance
```
Yes, it can handle inheritance. Some basic inheritance is in CORE, and if you want full Windows-style behavior (with evaluation of ACL auto-inheritance flags during recursive operations) you can use SCALE.
We support it natively via ZFS (the same way it’s supported on FreeBSD). Just load up a SCALE VM, create a dataset with NFSv4 ACL type and an SMB share pointing at it.
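A way to audit the difference discussed above between recursively applied and truly inherited permissions, as an added example that is not part of the thread: it compares the ACL listing of a parent with that of a subfolder and reports container-inheritable (`CI`) entries that the subfolder lacks or holds only as explicit entries without the inherited (`I`) flag. The function name `missing_inherited` and the sample listings are constructed; it assumes the listings use the same `ACL:trustee:TYPE/FLAGS/MASK` text form as the `--set` argument in the post.

```shell
#!/bin/sh
# Constructed sample listings (not captured from a real share).
PARENT='REVISION:1
OWNER:my\admin
ACL:my\usergroup:ALLOWED/OI|CI/FULL
ACL:my\auditors:ALLOWED/OI|CI/READ'
# Subfolder after a propagate run: every entry carries the I flag.
CHILD_OK='ACL:my\usergroup:ALLOWED/OI|CI|I/FULL
ACL:my\auditors:ALLOWED/OI|CI|I/READ'
# Subfolder with a recursively copied explicit entry and one entry missing.
CHILD_STALE='ACL:my\usergroup:ALLOWED/OI|CI/FULL'

# Print "trustee:TYPE:MASK" for each parent ACE with CI set that is absent
# from the subfolder or present there without the inherited (I) flag.
# $1 = listing for the parent, $2 = listing for the subfolder
missing_inherited() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        # True when flag f is one of the |-separated flags.
        function has(flags, f,    n, a, i) {
            n = split(flags, a, "|")
            for (i = 1; i <= n; i++) if (a[i] == f) return 1
            return 0
        }
        /^---$/ { child = 1; next }
        /^ACL:/ {
            ace = substr($0, 5)
            # TYPE/FLAGS/MASK follows the last colon; the trustee precedes it.
            k = match(ace, /:[^:]*$/)
            trustee = substr(ace, 1, k - 1)
            split(substr(ace, k + 1), p, "/")   # p[1]=type p[2]=flags p[3]=mask
            key = trustee ":" p[1] ":" p[3]
            if (!child) {
                if (has(p[2], "CI")) { want[key] = 1; order[++n_want] = key }
            } else if (has(p[2], "I")) {
                got[key] = 1
            }
        }
        END {
            for (i = 1; i <= n_want; i++)
                if (!(order[i] in got)) print order[i]
        }
    '
}
```

An empty result means every inheritable parent entry shows up on the subfolder as inherited; any line printed names an entry that later changes on the parent will not reach through inheritance.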