acl.5 (2010 09)
acl(5) acl(5)
Access Control List Entries
An access control list (ACL) consists of a set of (user.group, mode) entries associated with a file that specify permissions. Each entry specifies, for one user-ID/group-ID combination, a set of access permissions, including read, write, and execute/search.
To help understand the relationship between access control lists and traditional file permissions, consider the following file and its permissions:
-rwxr-xr-- james admin datafile
The file owner is user james.
The file's group is admin.
The name of the file is datafile.
The file owner permissions are rwx.
The file group permissions are r-x.
The file other permissions are r--.
In an ACL, user and group IDs can be represented by names or numbers, found in /etc/passwd. The following special symbols can also be used:
% Symbol representing no specific user or group.
@ Symbol representing the current file owner or group.
Base ACL Entries
When a file is created, three base access control list entries are mapped from the file's access permission bits to match the file's owner and group and its traditional permission bits. Base ACL entries can be changed by the chmod(2) and setacl(2) system calls.
(uid.%,mode) Base ACL entry for the file’s owner
(%.gid,mode) Base ACL entry for the file’s group
(%.%,mode) Base entry for other users
(Except where noted, examples are represented in short form notation. See ACL Notation, below.)
Optional ACL entries
Optional access control list entries contain additional access control information, which the user can set with the setacl(2) system call to further allow or deny file access. Up to thirteen additional user/group combinations can be specified.
For example, the following optional access control list entries can be associated with our file:
(mary.admin, rwx) Grant read, write, and execute access to user mary in group admin.
(george.%, ---) Deny any access to user george in no specific group.
ACL Notation
Supported library calls and commands that manage ACLs recognize three different symbolic representations:
operator form For input of entire ACLs and modifications to existing ACLs, in a syntax similar to that used by chmod(1).
short form Easier to read, intended primarily for output. chacl(1) accepts this form as input so that it can interpret output from lsacl(1).
long form A multi-line format useful for greater clarity, and supported only for output.
For our example file, the base ACL entries could be represented in the three notations as follows:
operator form   james.% = rwx, %.admin = rx, %.% = r
short form      (james.%,rwx) (%.admin,r-x) (%.%,r--)
long form       rwx james.%
                r-x %.admin
                r-- %.%
In addition to basic ACL usage, some library calls and commands understand and use a variation of
operator and short forms. See the section below on ACL Patterns.
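The following is a worked example added to this page; it is not part of the HP-UX acl(5) manual or of HP-UX itself. It shows the two mechanics described above in code: how the nine traditional permission bits of the example file (-rwxr-xr-- james admin datafile) map onto the three base ACL entries, and how one ACL is rendered in operator, short and long form. It also parses short-form text such as (mary.admin,rwx) (george.%,---) strictly, rejecting anything that is not a well-formed entry, and enforces the limit of three base plus thirteen optional entries. The function names, the regular expressions and the strictness checks are this example's own choices, not HP-UX library calls.

```python
"""Added example: HP-UX acl(5) base-entry mapping and notation rendering.
Not taken from the manual page; function names are this example's own."""

import re
from typing import List, Tuple

# An ACL entry is (user, group, mode); user or group may be "%" (no specific
# user/group), and mode is always three characters with "-" for absent bits.
Entry = Tuple[str, str, str]

# Optional leading ls(1) file-type character, then owner/group/other triplets.
MODE_RE = re.compile(r"^[-dlbcps]?([r-][w-][x-])([r-][w-][x-])([r-][w-][x-])$")

# Short form: "(user.group,mode)" with optional blanks, as printed by lsacl(1).
SHORT_ENTRY_RE = re.compile(r"\(\s*([^.\s,()]+)\.([^.\s,()]+)\s*,\s*([r-][w-][x-])\s*\)")

MAX_ENTRIES = 3 + 13  # three base entries plus up to thirteen optional ones


def base_entries(mode_string: str, owner: str, group: str) -> List[Entry]:
    """Map traditional permission bits to the three base ACL entries that
    acl(5) says are created with the file: (owner.%), (%.group), (%.%)."""
    m = MODE_RE.match(mode_string)
    if not m:
        raise ValueError(f"not an ls-style mode string: {mode_string!r}")
    owner_bits, group_bits, other_bits = m.groups()
    return [(owner, "%", owner_bits), ("%", group, group_bits), ("%", "%", other_bits)]


def to_short(acl: List[Entry]) -> str:
    """Short form: (user.group,mode), dashes kept so every entry is 3 chars."""
    return " ".join(f"({u}.{g},{mode})" for u, g, mode in acl)


def to_operator(acl: List[Entry]) -> str:
    """Operator form: 'user.group = rwx', absent bits dropped (chmod(1) style)."""
    return ", ".join(f"{u}.{g} = {mode.replace('-', '')}" for u, g, mode in acl)


def to_long(acl: List[Entry]) -> str:
    """Long form: one entry per line, mode first (output-only on HP-UX)."""
    return "\n".join(f"{mode} {u}.{g}" for u, g, mode in acl)


def parse_short(text: str) -> List[Entry]:
    """Parse short-form text strictly: every non-blank character must belong to
    a well-formed entry, so a stray or truncated token is an error rather than
    a silently ignored (or silently granted) permission."""
    entries: List[Entry] = []
    pos = 0
    for m in SHORT_ENTRY_RE.finditer(text):
        if text[pos:m.start()].strip():
            raise ValueError(f"unparsed text before entry: {text[pos:m.start()]!r}")
        entries.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    if text[pos:].strip():
        raise ValueError(f"unparsed trailing text: {text[pos:]!r}")
    return entries


def check_entry_count(acl: List[Entry]) -> List[Entry]:
    """Enforce the acl(5) limit of three base plus thirteen optional entries."""
    if len(acl) > MAX_ENTRIES:
        raise ValueError(f"{len(acl)} entries exceeds the limit of {MAX_ENTRIES}")
    return acl


if __name__ == "__main__":
    # The manual's own example file: -rwxr-xr-- james admin datafile
    base = base_entries("-rwxr-xr--", "james", "admin")
    print("operator form ", to_operator(base))
    print("short form    ", to_short(base))
    print("long form\n" + to_long(base))
    # Add the two optional entries from the "Optional ACL entries" section.
    full = check_entry_count(base + parse_short("(mary.admin, rwx) (george.%, ---)"))
    print("short form    ", to_short(full))
```

Running the block prints the three notations exactly as the manual shows them for the base entries, then the short form of the ACL extended with the two optional entries from the section above.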
Hewlett-Packard Company − 2 − HP-UX 11i Version 3: September 2010