aclv.5 (2010 09)

aclv(5) aclv(5)
Access Control List Entries
An access control list (ACL) consists of a set of one-line entries associated with a file that specify permissions. Each entry specifies for one user-ID or group-ID a set of access permissions, including read, write, and execute/search.
To help understand the relationship between access control lists and traditional file permissions, consider
the following file and its permissions:
-rwxr-xr-- james admin datafile
The file owner is user james.
The file’s group is admin.
The name of the file is datafile.
The file owner permissions are rwx.
The file group permissions are r-x.
The file other permissions are r--.
In an ACL, user and group IDs can be represented by names or numbers, found in /etc/passwd.
ACL Notation
Supported commands that manage JFS ACLs recognize the following symbolic representation:
[d[efault]:]u[ser]:[uid]:perm
[d[efault]:]g[roup]:[gid]:perm
[d[efault]:]c[lass]:perm
[d[efault]:]o[ther]:perm
An ACL entry prefixed with d: or default: can occur only in a directory's ACL, and it indicates that the remainder of the entry is not to be used in determining the access rights to the directory, but is instead to be applied to any files or subdirectories created in the directory (see ACL Inheritance, below).
The uid and gid fields contain either numeric user or group IDs, or their corresponding character strings from /etc/passwd or /etc/group. The perm field indicates access permission either in symbolic form, as a combination of r, w, x and -, or in numeric form, as an octal value of 0 through 7 representing the sum of 4 for read permission, 2 for write permission and 1 for execute permission.
Base ACL Entries
When a file is created, four base access control list entries are mapped from the file’s access permission
bits to match a file’s owner and group and its traditional permission bits. This is known as a "minimal
ACL". Base ACL entries can be changed by the chmod(2) and acl(2) system calls.
u::perm Base ACL entry for the file's owner
g::perm Base ACL entry for the file's group
c::perm Base ACL entry for the file's group class
o::perm Base ACL entry for others
When an ACL is minimal, i.e., it has no optional ACL entries (see next section), then the group and class permissions are exactly equal.
Optional ACL entries
Optional access control list entries contain additional access control information, which the user can set
with the acl(2) system call to further allow or deny file access. Up to thirteen optional ACL entries can be
specified.
For example, the following optional access control list entries can be associated with our file:
u:mary:rwx Grant read, write, and execute access to user mary.
user:george:--- Deny any access to user george.
g:writers:rw- Grant read and write access to members of group writers.
Class Entries
In an ACL that contains more than one user entry and/or more than one group entry, the class entry specifies the maximum permissions that can be granted by any of the additional user and group entries. If a particular permission is not granted in the class entry, then it cannot be granted by any
2 Hewlett-Packard Company 2 HP-UX 11i Version 3: September 2010