Understanding file protection

Additional ACL entries

If you want to specifically grant and/or deny access to specific users and/or groups on the system, you can add more user and group entries to the four minimal entries described in the previous section.

Additional user entries grant and deny access to specific user IDs on your system. For example, the following entry in the ACL of a file grants read, write, and execute access to a user logged in as archer:

   user:archer:rwx

Similarly, additional group entries grant and deny access to specific group IDs on your system. For example, an ACL with the following entry would deny access to a user in the group spies:

   group:spies:---

Class entries

In an ACL that contains more than one group entry and/or more than one user entry, the class entry specifies the maximum permissions that can be granted by any of the additional user and group entries. If a particular permission is not granted in the class entry, it cannot be granted by any ACL entries (except for the first user (owner) entry and the other entry). Any permission can be denied to a particular user or group. The class entry functions as an upper bound for file permissions.

When an ACL contains more than one group and/or user entry, the collection of additional user and group entries is referred to as the group class entries, since the effective permission granted by any of these additional entries is limited by the class entry.

If there are additional entries in the ACL, the class ACL entry will no longer necessarily equal the value of the permissions for the owning group reported by ls -l. This feature is useful, because it means that the chmod command can usefully affect the permissions of a file that has additional ACL entries.

For example, by changing the permission bits of a file to

   rwx------

the class entry in the ACL is set to

   class:---

This means that any additional group entries in the ACL cannot grant any access to the file. If the permission bits were set to

   rwxr-----

the class ACL entry would be

   class:r--

Any group entries would be able to grant read access, but not write or execute access.

The class entry does not limit the access that can be granted by the first user (owner) entry or the other entry.

Default access control lists

Often, you will want all the files created in a directory to have certain ACL entries. For example, you might want to allow another person to write to any file in a directory of yours where the two of you are working on something together.

You can put an ACL entry granting the desired access on every file in the directory, but every time you create a new file you will have to add that entry again. Using default ACL entries, you can get the system to do this for you automatically every time a file is created.

A default ACL entry looks like this:

   default:user:archer:rw-

It can be placed only on a directory, never on an ordinary file. It never has any influence on what access is granted to a user for the directory it is placed on. All it does is cause the specified entry to be included in the ACL of any file created in the directory.

If the newly created file is a directory, the default ACL entries have two effects. First, the corresponding non-default ACL entries are created, so that the desired permissions are granted and denied for the directory, just as for any file created in the directory. Second, the default entries themselves are copied, so that the new sub-directory has the same default ACL as the parent directory.

For example, if you want any files created in the directory poentkarto to be readable by certain users, you could create the appropriate default entries as shown in ``An ACL with default entries''.

$ getacl poentkarto
# file: poentkarto
# owner: fletcher
# group: tourney
user::rw-
user:archer:rw-
user:bowman:rw-
user:hunter:---
group::rw-
group:judges:rw-
class:rw-
other:---
default:user:archer:r--
default:user:bowman:r--
default:group:judges:r--

An ACL with default entries

With these entries in place, any new file created in the directory poentkarto would have an ACL like that shown in ``Effect of default entries on a file''.

# file: poentaro1
# owner: fletcher
# group: tourney
user::rw-
user:archer:r--
user:bowman:r--
group::rw-
group:judges:r--
class:rw-
other:---

Effect of default entries on a file

If the newly created file is a directory, the same ACL entries are generated, but in addition the default entries themselves are also placed in the ACL, as shown in ``Effect of default entries on a directory''.

# file: subpoento
# owner: fletcher
# group: tourney
user::rw-
user:archer:r--
user:bowman:r--
group::rw-
group:judges:r--
class:rw-
other:---
default:user:archer:r--
default:user:bowman:r--
default:group:judges:r--

Effect of default entries on a directory
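The following is an added example, not part of the UnixWare manual, that models the rules of the two preceding sections: the class entry as an upper bound on the additional user and group entries, chmod setting the class from the group bits, and default entries being inherited by new files and sub-directories. The entry strings are those printed by getacl; the creation mode passed to inherit, and the mapping of chmod's owner and other bits onto the user:: and other entries, are assumptions.

```python
# Added example, not UnixWare code: a model of the ACL rules on this page. An ACL is a
# list of getacl-style entry strings; owner and group are passed separately (getacl header).
def split(entry):                      # "default:user:archer:r--" -> (True, "user", "archer", "r--")
    parts = entry.split(":")
    default = parts[0] == "default"
    parts = parts[1:] if default else parts
    return (default, *parts) if len(parts) == 3 else (default, parts[0], "", parts[1])
def join(default, tag, qual, perms):
    body = f"{tag}:{qual}:{perms}" if tag in ("user", "group") else f"{tag}:{perms}"
    return ("default:" if default else "") + body
def mask(perms, klass):                # class entry as upper bound on one entry's permissions
    return "".join(p if c != "-" else "-" for p, c in zip(perms, klass))

def effective(acl, owner, owning_group, user, groups):
    """Permissions `user` (a member of `groups`) gets on an object with this ACL."""
    ents = [split(e) for e in acl if not e.startswith("default:")]
    find = lambda tag, q="": [p for _, t, qq, p in ents if t == tag and qq == q]
    if user == owner:                  # first user (owner) entry: not limited by the class
        return find("user")[0]
    klass = find("class")[0]
    if find("user", user):             # additional user entry: limited by the class
        return mask(find("user", user)[0], klass)
    hits = [""] * (owning_group in groups) + list(groups)   # "" selects the group:: entry
    grants = [p for g in hits for p in find("group", g)]
    if grants:                         # group class: any matching entry may grant, then mask
        union = "".join("-" if all(p[i] == "-" for p in grants) else "rwx"[i] for i in range(3))
        return mask(union, klass)
    return find("other")[0]            # other entry: not limited by the class

def chmod(acl, bits):                  # bits like "rwxr-----": the class takes the group bits
    out = []                           # (user:: and other taking the owner/other bits is assumed)
    for e in acl:
        d, tag, q, p = split(e)
        if not d and tag == "user" and q == "": p = bits[:3]
        elif tag == "class": p = bits[3:6]
        elif tag == "other": p = bits[6:]
        out.append(join(d, tag, q, p))
    return out

def inherit(dir_acl, mode, is_dir):    # ACL of a new object created under dir_acl; `mode` is the
    defaults = [split(e) for e in dir_acl if e.startswith("default:")]   # creation mode (assumed)
    named = lambda tag: [join(False, t, q, p) for _, t, q, p in defaults if t == tag]
    new = ([join(False, "user", "", mode[:3])] + named("user") + [join(False, "group", "", mode[3:6])]
           + named("group") + [join(False, "class", "", mode[3:6]), join(False, "other", "", mode[6:])])
    return new + [e for e in dir_acl if e.startswith("default:")] if is_dir else new

POENTKARTO = ["user::rw-", "user:archer:rw-", "user:bowman:rw-", "user:hunter:---",   # the page's
              "group::rw-", "group:judges:rw-", "class:rw-", "other:---",           # poentkarto ACL
              "default:user:archer:r--", "default:user:bowman:r--", "default:group:judges:r--"]
```

Running inherit(POENTKARTO, "rw-rw----", False) reproduces the ACL listed under "Effect of default entries on a file", and chmod(POENTKARTO, "rwxr-----") lowers archer's effective access from rw- to r-- without touching the owner's entry.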


© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004