acl.5 (2010 09)
a
acl(5) acl(5)
chmod For conformance with IEEE Standard POSIX 1003.1-1988, chmod(2) deletes any optional entries
in a file’s ACL. Unfortunately, since chmod(2) is used to set file miscellaneous mode bits as well
as permission bits, extra effort is required in some cases to preserve a file’s ACL.
chown If the new owner and/or group of a file does not already have an optional (u.%, mode)and/or
(%.g, mode) entry in the file’s ACL, it inherits the old owner’s and/or group’s file access permis-
sion bits and base ACL entry:
(id1,mode1)->(id2,mode1)
This is the traditional behavior. However, if the new owner and/or group of a file already has an
optional (u.%, mode)and/or(%.g, mode) entry in the file’s ACL, the ACL does not change:
(id1, mode1)->(id1, mode1)
(id2, mode2)->(id2, mode2)
Existing access information in the ACL is preserved. However, because the old optional ACL
entry becomes the new base ACL entry and vice versa, the file’s access permission bits change.
Transferring ownership of ACLs by chown(2) allows a file to be transferred to a different user or
group, or copied by a different user or group than the owner (using cpacl (3C) or chownacl (3C)),
and later returned to the original owner or group without net changes to its ACL. The extra
complexity is necessary because:
• ACLs are a backward-compatible superset of permission bits (which are coupled to file
owner and group IDs), not a replacement for them.
• it enables users and programs that deal with ACLs to do so simply, rather than with a com-
bination of permission bits and ACL entries. Also, the access check algorithm is simpler
and more symmetrical; permission bits do not "eclipse" or "mask" ACL entries.
EXAMPLES
Operator Form
The following sets the
%.% entry to restrict "other" users to only reading the file.
chacl ’%.% = r’ myfile
The following allows user "bill" in any group to write the file, assuming that no restrictive entry is more
specific than the bill.% entry (for example, a bill.adm entry that denies writing).
chacl ’bill.% +w’ myfile
The following ACL specification contains two entries. The first one deletes write and adds read capability
to the entry for user 12, group 4. The second entry denies access for any unspecified user in any
unspecified group.
chacl ’12.4-w+r, %.% =’ myfile
The following pair of entries sets the u.% entry for the file’s owner to allow both read and execute and
results in adding write and execute capabilities for "other" users (the "%.%" entry). Note that a mode
character is purposely repeated for illustration purposes.
chacl ’@.% = 5, %.% + xwx’ myfile
Short Form
Here is a typical ACL as it might be printed. It allows user jpc to read or execute the file while in group
adm; it denies user ajs access to the file while in group trux; it allows user jpc in any group (except
adm) to only read the file; any other user in group bin may read or execute the file; and any other user
may only read the file.
(jpc.adm,r-x)(ajs.trux,---)(jpc.%,r--)(%.bin,r-x)(%.%,r--)
The following allows "other" users to only read the file.
chacl ’(%.%,r)’ myfile
The following sets write-only access for user bill in any group.
chacl ’(bill.%,-w-)’ myfile
The following sets the entry for user 12 in group 4 to allow read and write.
chacl ’(12.4,wr)’ myfile
6 Hewlett-Packard Company − 6 − HP-UX 11i Version 3: September 2010