HP-UX Reference (11i v3 07/02) - 5 Miscellaneous Topics (vol 9)
acl(5) acl(5)
Access Control List Entries
An access control list (ACL) consists of sets of (user.group,mode) entries associated with a file that specify permissions. Each entry specifies, for one user-ID/group-ID combination, a set of access permissions, including read, write, and execute/search.
To help understand the relationship between access control lists and traditional file permissions, consider
the following file and its permissions:
-rwxr-xr-- james admin datafile
The file owner is user james.
The file's group is admin.
The name of the file is datafile.
The file owner permissions are rwx.
The file group permissions are r-x.
The file other permissions are r--.
In an ACL, user and group IDs can be represented by names or numbers, found in /etc/passwd. The following special symbols can also be used:
% Symbol representing no specific user or group.
@ Symbol representing the current file owner or group.
Base ACL Entries
When a file is created, three base access control list entries are mapped from the file’s access permission
bits to match a file’s owner and group and its traditional permission bits. Base ACL entries can be changed
by the chmod(2) and setacl(2) system calls.
(uid.%,mode)   Base ACL entry for the file's owner
(%.gid,mode)   Base ACL entry for the file's group
(%.%,mode)     Base entry for other users
(Except where noted, examples are represented in short form notation. See ACL Notation, below.)
Optional ACL Entries
Optional access control list entries contain additional access control information, which the user can set with the setacl(2) system call to further allow or deny file access. Up to thirteen additional user/group combinations can be specified.
For example, the following optional access control list entries can be associated with our file:
(mary.admin,rwx)   Grant read, write, and execute access to user mary in group admin.
(george.%,---)     Deny any access to user george in no specific group.
ACL Notation
Supported library calls and commands that manage ACLs recognize three different symbolic representations:
operator form   For input of entire ACLs and modifications to existing ACLs, in a syntax similar to that used by chmod(1).
short form      Easier to read, intended primarily for output. chacl(1) accepts this form as input so that it can interpret output from lsacl(1).
long form       A multiline format useful for greater clarity, and supported only for output.
For our example file, the base ACL entries could be represented in the three notations as follows:
operator form   james.% = rwx, %.admin = rx, %.% = r
short form      (james.%,rwx) (%.admin,r-x) (%.%,r--)
long form       rwx james.%
                r-x %.admin
                r-- %.%
In addition to basic ACL usage, some library calls and commands understand and use a variation of opera-
tor and short forms. See the section below on ACL Patterns.
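The following is an added worked example, not part of the acl(5) page and not HP-UX code. It covers two things this page describes: mapping a file's traditional permission bits to the three base ACL entries (Base ACL Entries, above), and rendering an entry list in the operator, short and long notations (ACL Notation, above), with a parser for the short form that lsacl(1) prints and chacl(1) accepts. It also enforces the limit of thirteen optional entries. The file, owner and group (-rwxr-xr-- james admin datafile) are the page's own example; the function names are this example's, and the rendering of an all-deny mode (---) in operator form as an empty right-hand side is an assumption, since the page shows no such case.

```python
"""Added example for acl(5): base-entry mapping and ACL notation conversion.

Not HP-UX code. Function names are this example's own. Entry precedence when
evaluating access is NOT modelled here, because this section does not define it.
"""
import re

# acl(5): up to thirteen optional entries beyond the three base entries
MAX_OPTIONAL = 13

# One short-form entry: (user.group,mode) with mode exactly three of r w x -
ENTRY_RE = re.compile(r"\(([^.()]+)\.([^,()]+),([rwx-]{3})\)")


def base_entries(mode_string, owner, group):
    """Map an ls-style mode string such as '-rwxr-xr--' (or the bare nine
    permission bits) to the three base ACL entries as (user, group, mode)
    tuples: (uid.%,mode), (%.gid,mode), (%.%,mode)."""
    bits = mode_string[1:] if len(mode_string) == 10 else mode_string
    if len(bits) != 9 or not re.fullmatch(r"[rwx-]{9}", bits):
        raise ValueError("expected nine permission bits, got %r" % mode_string)
    return [
        (owner, "%", bits[0:3]),   # owner  -> uid.%
        ("%", group, bits[3:6]),   # group  -> %.gid
        ("%", "%", bits[6:9]),     # others -> %.%
    ]


def add_optional(entries, user, group, mode):
    """Return a new entry list with one optional entry appended, enforcing the
    thirteen-entry limit (assumes the list starts with the three base entries)
    and rejecting a second entry for the same user.group combination."""
    if not re.fullmatch(r"[rwx-]{3}", mode):
        raise ValueError("mode must be three characters from r w x -")
    if len(entries) - 3 >= MAX_OPTIONAL:
        raise ValueError("ACL already holds %d optional entries" % MAX_OPTIONAL)
    if any(u == user and g == group for u, g, _ in entries):
        raise ValueError("duplicate entry for %s.%s" % (user, group))
    return entries + [(user, group, mode)]


def parse_short(text):
    """Parse short-form notation, e.g. '(james.%,rwx) (%.admin,r-x)', into a
    list of (user, group, mode) tuples. Any text that is not a well-formed
    entry is an error rather than being silently dropped."""
    leftover = ENTRY_RE.sub("", text).strip()
    if leftover:
        raise ValueError("unparsed short-form text: %r" % leftover)
    return ENTRY_RE.findall(text)


def to_short(entries):
    """Short form: (user.group,mode) entries separated by spaces."""
    return " ".join("(%s.%s,%s)" % (u, g, m) for u, g, m in entries)


def to_operator(entries):
    """Operator form: 'user.group = mode' entries separated by commas, with the
    '-' placeholders dropped (r-x becomes rx). An all-deny mode renders as an
    empty right-hand side; that rendering is an assumption of this example."""
    return ", ".join("%s.%s = %s" % (u, g, m.replace("-", "")) for u, g, m in entries)


def to_long(entries):
    """Long form: one 'mode user.group' line per entry (output only)."""
    return "\n".join("%s %s.%s" % (m, u, g) for u, g, m in entries)


if __name__ == "__main__":
    # The page's example file: -rwxr-xr-- james admin datafile
    acl = base_entries("-rwxr-xr--", "james", "admin")
    # The page's two optional entries
    acl = add_optional(acl, "mary", "admin", "rwx")
    acl = add_optional(acl, "george", "%", "---")
    print("operator form:", to_operator(acl))
    print("short form:   ", to_short(acl))
    print("long form:\n" + to_long(acl))
    # Round trip through the short form that lsacl(1) prints and chacl(1) reads
    assert parse_short(to_short(acl)) == acl
```

Running the script prints the page's three base entries plus the two optional ones in each notation; the final round trip shows that the short-form output can be fed back through the parser unchanged, which is the property chacl(1) relies on when it reads lsacl(1) output.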
HP-UX 11i Version 3: February 2007 − 2 − Hewlett-Packard Company 25