HP-UX Reference (11i v1 00/12) - 5 Miscellaneous Topics, 7 Device (Special) Files, 9 General Information, Index (vol 9)

aclv(5)
Access Control List Entries
An access control list (ACL) consists of a set of one-line entries associated with a file that specify permissions. Each entry specifies for one user-ID or group-ID a set of access permissions, including read, write, and execute/search.
To help understand the relationship between access control lists and traditional file permissions, consider
the following file and its permissions:
-rwxr-xr-- james admin datafile
The file owner is user james.
The file’s group is admin.
The name of the file is datafile.
The file owner permissions are rwx.
The file group permissions are r-x.
The file other permissions are r--.
In an ACL, user and group IDs can be represented by names or numbers, found in /etc/passwd.
ACL Notation
Supported commands that manage JFS ACLs recognize the following symbolic representation:
[d[efault]:]u[ser]:[uid]:perm
[d[efault]:]g[roup]:[gid]:perm
[d[efault]:]c[lass]:perm
[d[efault]:]o[ther]:perm
An ACL entry prefixed with d: or default: can only occur in a directory’s ACL. It indicates that the remainder of the entry is not to be used in determining the access rights to the directory, but is instead to be applied to any files or subdirectories created in the directory (see ACL Inheritance, below).
The uid and gid fields contain either numeric user or group IDs, or their corresponding character strings
from /etc/passwd or /etc/group. The perm field indicates access permission either in symbolic
form, as a combination of r, w, x and -, or in numeric form, as an octal value of 0 through 7 representing
the sum of 4 for read permission, 2 for write permission and 1 for execute permission.
Base ACL Entries
When a file is created, four base access control list entries are mapped from the file’s access permission bits to match the file’s owner and group and its traditional permission bits. This is known as a "minimal ACL". Base ACL entries can be changed by the chmod(2) and acl(2) system calls.
u::perm Base ACL entry for the file’s owner
g::perm Base ACL entry for the file’s group
c::perm Base ACL entry for the file’s group class
o::perm Base ACL entry for others
When an ACL is minimal, i.e., it has no optional ACL entries (see next section), then the group and
class permissions are exactly equal.
Optional ACL entries
Optional access control list entries contain additional access control information, which the user can set
with the acl(2) system call to further allow or deny file access. Up to thirteen optional ACL entries can be
specified.
For example, the following optional access control list entries can be associated with our file:
u:mary:rwx Grant read, write, and execute access to user mary.
user:george:--- Deny any access to user george.
g:writers:rw- Grant read and write access to members of group writers.
Class Entries
In an ACL that contains more than one user entry and/or more than one group entry, the class entry specifies the maximum permissions that can be granted by any of the additional user and group entries. If a particular permission is not granted in the class entry, then it cannot be granted by any ACL entries
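The following is an added example, not code from this manual page or from HP-UX: a parser for the symbolic ACL notation given above (both the short and long tag spellings, symbolic or octal perm, the optional d:/default: prefix, and the c::perm/o::perm spelling of the base entries), plus an access check that applies the class entry as the cap on what the optional user and group entries can grant. The lookup order (owner, named user, union of matching named groups, owning group, other) and the skipping of default entries on a plain file are assumptions made for the example; only the class-cap rule and the entry syntax come from the text.

```python
from functools import reduce

# Tag spellings accepted by the aclv(5) symbolic notation (short or long form).
_TAG = {"u": "user", "user": "user", "g": "group", "group": "group",
        "c": "class", "class": "class", "o": "other", "other": "other"}

def parse_perm(perm):
    """Convert the perm field to a 3-bit integer (r=4, w=2, x=1), symbolic or octal."""
    if len(perm) == 1 and perm in "01234567":
        return int(perm)
    if not (1 <= len(perm) <= 3 and set(perm) <= set("rwx-")):
        raise ValueError(f"bad perm field: {perm!r}")
    return sum(v for c, v in (("r", 4), ("w", 2), ("x", 1)) if c in perm)

def parse_entry(text):
    """Parse one entry into (is_default, tag, qualifier, bits)."""
    parts = text.strip().split(":")
    is_default = parts[0] in ("d", "default")   # d:/default: prefix (directories only)
    if is_default:
        parts = parts[1:]
    if not parts or parts[0] not in _TAG:
        raise ValueError(f"bad ACL entry: {text!r}")
    tag = _TAG[parts[0]]
    # class/other are written c:perm or c::perm; user/group are tag:qualifier:perm
    if tag in ("class", "other") and len(parts) == 3 and parts[1] == "":
        del parts[1]
    want = 3 if tag in ("user", "group") else 2
    if len(parts) != want:
        raise ValueError(f"{tag} entry has wrong field count: {text!r}")
    qualifier = parts[1] if want == 3 else None   # "" marks a base u::/g:: entry
    return is_default, tag, qualifier, parse_perm(parts[-1])

def effective_bits(entry_texts, owner, owning_group, uid, groups):
    """Permission bits uid (a member of groups) gets on a file with this ACL.
    Lookup order (assumed): owner, named user, named groups (union), owning group,
    other. Named user/group grants are capped by the class entry, the maximum any
    optional entry may grant per aclv(5); base entries apply as written."""
    acl = {(tag, q): bits for d, tag, q, bits in map(parse_entry, entry_texts) if not d}
    mask = acl.get(("class", None), 7)
    if uid == owner:
        return acl[("user", "")]
    if ("user", uid) in acl:
        return acl[("user", uid)] & mask
    named = [acl[("group", g)] for g in groups if ("group", g) in acl]
    if named:
        return reduce(lambda a, b: a | b, named) & mask
    if owning_group in groups:
        return acl[("group", "")]
    return acl[("other", None)]
```

With the page's datafile ACL plus its three optional entries and a class entry of r-x, mary's u:mary:rwx is cut down to r-x and a member of writers gets r-- rather than rw-, while george's user:george:--- denies him access even if he is also in writers.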
Section 512 2 HP-UX Release 11i: December 2000