HP-UX Reference (11i v1 00/12) - 5 Miscellaneous Topics, 7 Device (Special) Files, 9 General Information, Index (vol 9)
acl(5)
including read, write, and execute/search.
To help understand the relationship between access control lists and traditional file permissions, consider
the following file and its permissions:
-rwxr-xr-- james admin datafile
The file owner is user james.
The file’s group is admin.
The name of the file is datafile.
The file owner permissions are rwx.
The file group permissions are r-x.
The file other permissions are r--.
In an ACL, user and group IDs can be represented by names or numbers, as found in /etc/passwd and /etc/group. The following special symbols can also be used:
% Symbol representing no specific user or group.
@ Symbol representing the current file owner or group.
Base ACL Entries
When a file is created, three base access control list entries are mapped from the file’s access permission
bits to match a file’s owner and group and its traditional permission bits. Base ACL entries can be changed
by the chmod(2) and setacl(2) system calls.
(uid.%,mode) Base ACL entry for the file’s owner
(%.gid,mode) Base ACL entry for the file’s group
(%.%,mode) Base entry for other users
(Except where noted, examples are represented in short form notation. See ACL Notation, below.)
Optional ACL entries
Optional access control list entries contain additional access control information, which the user can set
with the setacl(2) system call to further allow or deny file access. Up to thirteen additional user/group combinations can be specified.
For example, the following optional access control list entries can be associated with our file:
(mary.admin, rwx) Grant read, write, and execute access to user mary in group admin.
(george.%, ---) Deny any access to user george in no specific group.
ACL Notation
Supported library calls and commands that manage ACLs recognize three different symbolic representations:
operator form For input of entire ACLs and modifications to existing ACLs, in a syntax similar to that used
by chmod(1).
short form Easier to read, intended primarily for output. chacl(1) accepts this form as input so that it
can interpret output from lsacl(1).
long form A multi-line format useful for greater clarity, and supported only for output.
For our example file, the base ACL entries could be represented in the three notations as follows:
operator form james.% = rwx, %.admin = rx, %.% = r
short form (james.%,rwx) (%.admin,r-x) (%.%,r--)
long form rwx james.%
r-x %.admin
r-- %.%
In addition to basic ACL usage, some library calls and commands understand and use a variation of the operator and short forms. See the section below on ACL Patterns.
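The mapping from permission bits to the three base entries, the three notations above, and the uniqueness rule described under ACL Uniqueness, as an added example in Python (not HP-UX code and not part of this manual page). It models entries for an ordinary file such as the datafile example, converts between operator, short and long form, and rejects an ACL that repeats a (user, group) pair or exceeds the thirteen optional entries. It does not evaluate whether a given process gets access, since the order in which entries are consulted is not described on this page. Names such as AclEntry, parse_short and add_optional are this example's own; operator form is accepted with the "=" assignment operator only, which is the only operator shown here.

```python
"""Model of HP-UX acl(5) entries: base entries from mode bits, the
operator / short / long notations, and the uniqueness rule.

Added example, not HP-UX code.  Names such as AclEntry, parse_short and
add_optional are assumptions made for this illustration only.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

MAX_OPTIONAL = 13  # acl(5): up to thirteen optional user/group entries per file


@dataclass(frozen=True)
class AclEntry:
    user: str   # user name, uid, or "%" (no specific user)
    group: str  # group name, gid, or "%" (no specific group)
    mode: str   # canonical subset of "rwx" in that order; "" denies all access


def _canon_mode(raw: str) -> str:
    """Accept 'rwx', 'r-x', 'rx', '---' or ''; return the canonical rwx subset."""
    letters = raw.replace("-", "")
    if any(c not in "rwx" for c in letters) or len(set(letters)) != len(letters):
        raise ValueError(f"bad mode {raw!r}")
    return "".join(c for c in "rwx" if c in letters)


def _dashes(mode: str) -> str:
    """'rx' -> 'r-x', the fixed-width form used by short and long notation."""
    return "".join(c if c in mode else "-" for c in "rwx")


def mode_from_bits(bits: int) -> str:
    """3-bit permission field (e.g. 0o5) -> 'rx'."""
    return "".join(c for c, b in zip("rwx", (4, 2, 1)) if bits & b)


def base_entries(owner: str, group: str, mode: int) -> List[AclEntry]:
    """The three base entries that chmod(2)/setacl(2) map from the mode bits."""
    return [
        AclEntry(owner, "%", mode_from_bits((mode >> 6) & 7)),  # (uid.%,mode)
        AclEntry("%", group, mode_from_bits((mode >> 3) & 7)),  # (%.gid,mode)
        AclEntry("%", "%", mode_from_bits(mode & 7)),           # (%.%,mode)
    ]


def duplicates(entries: List[AclEntry]) -> List[Tuple[str, str]]:
    """Return (user, group) pairs that occur more than once, in first-seen order."""
    seen, dups = set(), []
    for e in entries:
        key = (e.user, e.group)
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


def check_unique(entries: List[AclEntry]) -> List[AclEntry]:
    """acl(5) uniqueness: at most one entry per (user, group) pair."""
    dups = duplicates(entries)
    if dups:
        raise ValueError(f"duplicate ACL entries for {dups}")
    return entries


_SHORT = re.compile(r"\(\s*([^.,\s()]+)\.([^.,\s()]+)\s*,\s*([rwx-]*)\s*\)")
_OPER = re.compile(r"^\s*([^.\s=]+)\.([^.\s=]+)\s*=\s*([rwx]*)\s*$")


def parse_short(text: str) -> List[AclEntry]:
    """Short form as printed by lsacl(1): '(james.%,rwx) (%.admin,r-x) (%.%,r--)'."""
    entries = [AclEntry(u, g, _canon_mode(m)) for u, g, m in _SHORT.findall(text)]
    if not entries:
        raise ValueError("no short-form entries found")
    return check_unique(entries)


def parse_operator(text: str) -> List[AclEntry]:
    """Operator form, '=' only: 'james.% = rwx, %.admin = rx, %.% = r'."""
    entries = []
    for item in text.split(","):
        m = _OPER.match(item)
        if not m:
            raise ValueError(f"bad operator-form entry {item!r}")
        u, g, mode = m.groups()
        entries.append(AclEntry(u, g, _canon_mode(mode)))
    return check_unique(entries)


def add_optional(base: List[AclEntry], optional: List[AclEntry]) -> List[AclEntry]:
    """Combine base entries with optional ones, enforcing the limit and uniqueness."""
    if len(optional) > MAX_OPTIONAL:
        raise ValueError(f"{len(optional)} optional entries exceeds {MAX_OPTIONAL}")
    return check_unique(list(base) + list(optional))


def to_operator(entries: List[AclEntry]) -> str:
    return ", ".join(f"{e.user}.{e.group} = {e.mode}" for e in entries)


def to_short(entries: List[AclEntry]) -> str:
    return " ".join(f"({e.user}.{e.group},{_dashes(e.mode)})" for e in entries)


def to_long(entries: List[AclEntry]) -> str:
    return "\n".join(f"{_dashes(e.mode)} {e.user}.{e.group}" for e in entries)


if __name__ == "__main__":
    # -rwxr-xr-- james admin datafile  ->  mode 0o754 (constructed sample input)
    base = base_entries("james", "admin", 0o754)
    optional = parse_short("(mary.admin,rwx) (george.%,---)")
    acl = add_optional(base, optional)
    print(to_operator(acl))
    print(to_short(acl))
    print(to_long(acl))
```

Running the block prints the five-entry ACL for datafile in each notation; the operator and short outputs for the base entries alone reproduce the two single-line forms given for the example file above. Feeding the same text back through parse_short or parse_operator yields the identical entries, which is the round trip chacl(1) relies on when it reads lsacl(1) output.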
ACL Uniqueness
Entries are unique in each ACL. There can only be one (u.g, mode) entry for any pair of u and g values; one
(u.%, mode) entry for a given value of u; one (%.g, mode) entry for a given value of g; and one (%.%, mode)
entry for each file. For example, an ACL can have a (23.14, mode) entry and a (23.%, mode) entry, but not
HP-UX Release 11i: December 2000 − 2 − Section 5−−3