Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Administering a System: Managing System Security
Managing Access to Files and Directories
Chapter 8 (page 760)
user:boss:rwx
Similarly, additional group entries grant and deny access to specific
group IDs on your system. For example, an ACL with the following entry
would deny access to a user in the group spies:
group:spies:---
JFS ACL Class Entries
Class entries are distinct from owning group entries
In a file with a minimal ACL, the owning group and class ACL entries are
identical.
However, in a file with additional entries, the owning group and class
ACL entries are distinct. The owning group entry grants permissions to
a specific group: the owning group. The class entry is more general; it
specifies the maximum permissions that can be granted by any of the
additional user and group entries.
If a particular permission is not granted in the class entry, it cannot be
granted by any ACL entries (except for the first user (owner) entry and
the other entry). Any permission can be denied to a particular user or
group. The class entry functions as an upper bound for file permissions.
When an ACL contains more than one group and/or user entry, the
collection of additional user and group entries is referred to as the
group class entries, because the effective permission granted by any of
these additional entries is limited by the class entry.
Effect of chmod on class entries
When a file has a minimal ACL, the owning group and class ACL entries
are identical, and chmod affects both of them. However, when a file
contains additional, optional entries in the ACL:
• the class ACL entry will no longer necessarily equal the owning
  group ACL entry
• chmod affects the class ACL entry, not the owning group entry
• you must use setacl to change the owning group entry
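The following Python model is an added illustration of the class-entry
rules above; it is not HP-UX code and does not call the real setacl(1),
chmod(1) or getacl(1). The JfsAcl class and its setacl_m, chmod and getacl
methods are stand-ins that implement only what this page states: the class
entry is an upper bound for the additional user and group entries and the
owning group entry (never for the owner or other entries), chmod changes
the class entry and reaches the owning group entry only while the ACL is
minimal, and the owning group entry is changed through setacl. One
assumption beyond the page: adding an entry leaves the class entry as it
is unless a class entry is set explicitly. The file and its mode are
constructed; the names boss and spies are the ones used on this page.

```python
# Added model of the JFS ACL class-entry rules described on this page.
# Not HP-UX code: JfsAcl, setacl_m, chmod and getacl are stand-ins for
# the real setacl(1), chmod(1) and getacl(1) commands.

PERM_ORDER = "rwx"


def parse_perm(text):
    """'rw-' -> {'r', 'w'}; '---' -> empty set (everything denied)."""
    return {c for c in text if c in PERM_ORDER}


def fmt_perm(perm):
    """{'r', 'w'} -> 'rw-'."""
    return "".join(c if c in perm else "-" for c in PERM_ORDER)


def bits_to_perm(bits):
    """One octal digit of a chmod mode (0..7) -> permission set."""
    return {c for c, mask in zip(PERM_ORDER, (4, 2, 1)) if bits & mask}


class JfsAcl:
    """A file's ACL: owner, owning group, other, class, plus optional entries."""

    def __init__(self, owner="rw-", group="r--", other="r--"):
        self.owner = parse_perm(owner)
        self.owning_group = parse_perm(group)
        self.other = parse_perm(other)
        # Minimal ACL: the class entry starts identical to the owning group entry.
        self.class_entry = set(self.owning_group)
        self.users = {}    # additional user entries: name -> permission set
        self.groups = {}   # additional group entries: name -> permission set

    def is_minimal(self):
        return not self.users and not self.groups

    def effective(self, kind, name=""):
        """Permissions an entry really grants once the class upper bound applies.
        The owner entry and the other entry are not limited by the class entry."""
        if kind == "user" and name == "":
            return self.owner
        if kind == "other":
            return self.other
        if kind == "user":
            raw = self.users[name]
        elif kind == "group":
            raw = self.owning_group if name == "" else self.groups[name]
        else:
            raise ValueError(kind)
        return raw & self.class_entry

    def setacl_m(self, entry):
        """Stand-in for 'setacl -m kind:name:perm': add or replace one entry.
        Assumption: the class entry is untouched unless set explicitly."""
        parts = entry.split(":")
        kind, perm = parts[0], parts[-1]
        name = parts[1] if len(parts) == 3 else ""
        p = parse_perm(perm)
        if kind == "user":
            if name:
                self.users[name] = p
            else:
                self.owner = p
        elif kind == "group":
            if name:
                self.groups[name] = p
            else:
                self.owning_group = p    # only setacl changes the owning group
        elif kind == "class":
            self.class_entry = p
        elif kind == "other":
            self.other = p
        else:
            raise ValueError(entry)

    def chmod(self, mode):
        """Stand-in for chmod(1): the group digit lands on the class entry and
        reaches the owning group entry only while the ACL is minimal."""
        self.owner = bits_to_perm((mode >> 6) & 7)
        self.other = bits_to_perm(mode & 7)
        group_bits = bits_to_perm((mode >> 3) & 7)
        if self.is_minimal():
            self.owning_group = set(group_bits)
        self.class_entry = group_bits

    def getacl(self):
        """Stand-in for getacl(1): the entries in a getacl-like listing."""
        lines = [f"user::{fmt_perm(self.owner)}"]
        lines += [f"user:{n}:{fmt_perm(p)}" for n, p in self.users.items()]
        lines.append(f"group::{fmt_perm(self.owning_group)}")
        lines += [f"group:{n}:{fmt_perm(p)}" for n, p in self.groups.items()]
        lines.append(f"class:{fmt_perm(self.class_entry)}")
        lines.append(f"other:{fmt_perm(self.other)}")
        return lines


def walkthrough():
    """Trace the page's scenario; return what is observed at each step."""
    acl = JfsAcl("rw-", "r--", "r--")        # constructed: a mode 644 file
    acl.setacl_m("user:boss:rwx")            # boss is granted rwx on paper
    acl.setacl_m("group:spies:---")          # the group spies is denied
    out = {"class_after_setacl": fmt_perm(acl.class_entry),
           "boss_effective_before_chmod": fmt_perm(acl.effective("user", "boss"))}
    acl.chmod(0o674)                         # group digit 7 now hits the class entry
    out["owning_group_after_chmod"] = fmt_perm(acl.effective("group"))
    out["class_after_chmod"] = fmt_perm(acl.class_entry)
    out["boss_effective_after_chmod"] = fmt_perm(acl.effective("user", "boss"))
    out["spies_effective"] = fmt_perm(acl.effective("group", "spies"))
    acl.setacl_m("group::rw-")               # owning group changes only via setacl
    out["owning_group_after_setacl"] = fmt_perm(acl.effective("group"))
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The trace shows the practical trap: right after user:boss:rwx is added, the
class entry still reads r--, so boss effectively gets only read access
until the class entry is raised (here by chmod); the same chmod leaves the
owning group at r-- because the ACL is no longer minimal.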
Example of JFS ACL class entries
To illustrate the function of the JFS ACL class entry, we will show how
chmod and setacl affect a file with a minimal JFS ACL as well as a file
with group class entries.