Managing Systems and Workgroups: A Guide for HP-UX System Administrators
Administering a System: Managing System Security
Managing Access to Files and Directories
Example 8-1 Creating an HFS ACL
Suppose you use the chmod command to allow only yourself write
permission to myfile. (This also deletes any previous HFS ACLs.)
$ chmod 644 myfile
$ ll myfile
-rw-r--r-- 1 allan users 0 Sep 21 16:56 myfile
$ lsacl myfile
(allan.%,rw-)(%.users,r--)(%.%,r--) myfile
The lsacl command displays just the default (no ACL) values,
corresponding to the basic owner, group, and other permissions.
Now you use chacl to allow your manager to have read and write access
to the file.
$ chacl 'naomi.users=rw' myfile
$ ll myfile
-rw-r--r--+ 1 allan users 0 Sep 21 16:56 myfile
$ lsacl myfile
(naomi.users,rw-)(allan.%,rw-)(%.users,r--)(%.%,r--) myfile
Notice two things: the ll permissions display has a + appended,
indicating that ACLs exist, and the ll permissions string itself did not
change.
The additional entry in the lsacl display specifies that user naomi in
group users has read and write access to myfile.
Example 8-2 Multiple HFS ACL Matches
If a user’s user.group combination matches more than one ACL entry,
the most specific entry takes precedence. Using file myfile,
$ chmod 644 myfile
add a write-only entry for user naomi.
$ chacl naomi.%=w myfile
$ lsacl myfile
(naomi.%,-w-)(allan.%,rw-)(%.users,r--)(%.%,r--) myfile
Now, user naomi has write access to file myfile, using the ACL defined
for naomi.%, but does not have read access to the file because naomi.%
takes precedence over the ACLs defined for %.users and %.%.
lsacl displays the HFS ACLs in decreasing order of specificity. That is,
permission matches are attempted from left to right.
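The precedence rule from Example 8-2, as an added example that is not part of the HP-UX guide: it parses the lsacl lines shown above and returns the mode of the most specific matching entry. The function names are hypothetical, guest.other is a constructed user, and each user is assumed to belong to a single group.

```python
import re

# One "(user.group,mode)" entry in the format lsacl prints on this page.
ENTRY_RE = re.compile(r"\(([^.,()]+)\.([^.,()]+),([r-][w-][x-])\)")


def parse_lsacl(line):
    """Return ([(user, group, mode), ...], filename) from one lsacl output line."""
    entries = [m.groups() for m in ENTRY_RE.finditer(line)]
    if not entries:
        raise ValueError("no ACL entries found in: %r" % line)
    filename = line[line.rindex(")") + 1:].strip()
    return entries, filename


def specificity(entry):
    """Rank an entry: user.group = 3, user.% = 2, %.group = 1, %.% = 0."""
    user, group, _ = entry
    return (2 if user != "%" else 0) + (1 if group != "%" else 0)


def effective_mode(entries, user, group):
    """Mode of the most specific entry matching user.group, '---' if none match."""
    matches = [e for e in entries
               if e[0] in ("%", user) and e[1] in ("%", group)]
    if not matches:
        return "---"
    # Ranking by specificity gives the same answer as lsacl's left-to-right
    # order, but does not depend on the entries arriving already sorted.
    return max(matches, key=specificity)[2]


# lsacl output lines copied from Examples 8-1 and 8-2 above.
EX_8_1 = "(naomi.users,rw-)(allan.%,rw-)(%.users,r--)(%.%,r--) myfile"
EX_8_2 = "(naomi.%,-w-)(allan.%,rw-)(%.users,r--)(%.%,r--) myfile"

if __name__ == "__main__":
    for line in (EX_8_1, EX_8_2):
        entries, name = parse_lsacl(line)
        # guest.other is a constructed user that matches only the %.% entry.
        for user, group in (("naomi", "users"), ("allan", "users"), ("guest", "other")):
            print(name, user + "." + group, effective_mode(entries, user, group))
```

Run against Example 8-2, naomi.users resolves to -w- even though %.users and %.% both grant read, which is why a narrow entry can silently remove access the base permissions appear to give.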