Managing Systems and Workgroups: A Guide for HP-UX System Administrators
Administering a System: Managing System Security
Managing Access to Files and Directories
Chapter 8
ACL entries are unaffected. However, when we grant read-execute
permissions to the group dev, the upper bound on permissions (the
class entry) is extended to include execute permission.
Example 8-6 getacl Output for exfile, Showing Effect of setacl
$ setacl -m u:guest:r-- exfile
$ setacl -m g:dev:r-x exfile
$ getacl exfile
# file: exfile
# owner: jsmith
# group: users
user::rw-
user:guest:r--
group::rw-
group:dev:r-x
class:rwx
other:rw-
Now if we use chmod to remove write and execute permission from
“group”, we actually reduce the class permissions to read-only. The
owning group permissions, while unchanged, are effectively reduced to
read-only as well.
Example 8-7 getacl Output for exfile, Showing Effect of chmod on Class Permissions
$ chmod g-wx exfile
$ getacl exfile
# file: exfile
# owner: jsmith
# group: users
user::rw-
user:guest:r--
group::rw- # effective:r--
group:dev:r-x # effective:r--
class:r--
other:rw-
Note that the other permissions are unchanged. The class entry does
not limit the access that can be granted by the first user (owner) entry or
the other entry.
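The masking rule shown in Examples 8-6 and 8-7 can be recomputed from any getacl listing, which is useful when auditing what an ACL actually grants. The following Python script is an added example, not part of the HP-UX guide; its function names are hypothetical, the sample listing is retyped from Example 8-7, and it assumes a listing with no class entry is unrestricted (rwx).

```python
# Added example: recompute effective permissions from getacl-style output.
SAMPLE = """\
# file: exfile
# owner: jsmith
# group: users
user::rw-
user:guest:r--
group::rw-
group:dev:r-x
class:r--
other:rw-
"""

def parse_acl(text):
    """Return a list of (tag, qualifier, perms) from getacl-style text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop headers and "# effective" notes
        if line:
            fields = line.split(":")
            qualifier = fields[1] if len(fields) == 3 else ""
            entries.append((fields[0], qualifier, fields[-1]))
    return entries

def mask(perms, bound):
    """Keep a permission only where both the entry and the class bound grant it."""
    return "".join(p if p == b and p != "-" else "-" for p, b in zip(perms, bound))

def effective_acl(text):
    """Map each entry to (granted, effective) after applying the class entry."""
    entries = parse_acl(text)
    # Assumption: no class entry means no upper bound.
    bound = next((p for t, _, p in entries if t == "class"), "rwx")
    result = {}
    for tag, qual, perms in entries:
        if tag == "class":
            continue
        # The owner entry (user::) and the other entry are not limited by class.
        limited = tag == "group" or (tag == "user" and qual != "")
        result[f"{tag}:{qual}"] = (perms, mask(perms, bound) if limited else perms)
    return result

def masked_entries(text):
    """Entries whose granted permissions exceed what the class entry allows."""
    return sorted(k for k, (g, e) in effective_acl(text).items() if g != e)

if __name__ == "__main__":
    for name, (granted, eff) in effective_acl(SAMPLE).items():
        print(f"{name:12} granted={granted} effective={eff}")
```

Entries reported by masked_entries are the ones whose listed permissions overstate the access the file really allows, which is the case getacl marks with "# effective".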
Now ls -l will list the permissions of exfile as follows. The + at the
end of the permissions string indicates that there is an ACL for the file.