
“main” (Installation and Administration) 2004/6/25 13:29 page 705 #731
27 Access Control Lists in Linux
other::---
default:user::rwx
default:group::r-x
default:group:djungle:r-x
default:mask::r-x
default:other::---
As expected, the newly-created subdirectory mysubdir/ has the
permissions from the default ACL of the parent directory. The
access ACL of mysubdir/ is an exact reflection of the default ACL of
mydir/, as is the default ACL that this directory will hand down to
its subordinate objects.
3. Use touch to create a file in the mydir/ directory:
touch mydir/myfile
ls -l mydir/myfile
-rw-r-----+ ... tux project3 ... mydir/myfile
getfacl mydir/myfile
# file: mydir/myfile
# owner: tux
# group: project3
user::rw-
group::r-x # effective:r--
group:djungle:r-x # effective:r--
mask::r--
other::---
touch passes mode with the value 0666, which means that new files
are created with read and write permissions for all user classes,
provided no other restrictions exist in umask or in the default ACL (see
Section 27.3.4 on page 703).
In effect, this means that all access permissions not contained in the
mode value are removed from the respective ACL entries. Although
no permissions were removed from the ACL entry of the group class,
the mask entry was modified to mask permissions not set via mode.
This approach ensures the smooth interaction of applications, such
as compilers, with ACLs. You can create files with restricted access
permissions and subsequently mark them as executable. The mask
mechanism guarantees that the right users and groups can execute
them as desired.
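The inheritance rule described above, modelled in Python as an added example (not part of the SUSE manual): it derives the access ACL of mydir/myfile from the default ACL of mydir/ and the mode 0666, then shows how a later chmod restores the effective permissions through the mask. The function names inherit, effective and chmod_group are assumptions of this example.

```python
# Added example: models how a new file's access ACL is derived from the
# parent's default ACL and the mode passed at creation (touch passes 0666).
# Function names are assumptions of this example, not a system API.

def bits(s):
    """'r-x' -> 5"""
    return sum(4 >> i for i, c in enumerate(s) if c != "-")

def text(n):
    """5 -> 'r-x'"""
    return "".join(c if n & (4 >> i) else "-" for i, c in enumerate("rwx"))

def inherit(default_acl, mode):
    """Access ACL of a file created with `mode` under a directory whose
    default ACL is `default_acl` (dict: entry tag -> permission string)."""
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    acl = {}
    for tag, perm in default_acl.items():
        p = bits(perm)
        if tag == "user::":
            p &= owner
        # The group class bits limit the mask; only without a mask entry
        # do they limit the owning group entry directly.
        elif tag == "mask::" or (tag == "group::" and "mask::" not in default_acl):
            p &= group
        elif tag == "other::":
            p &= other
        acl[tag] = text(p)  # named user/group entries are copied unchanged
    return acl

def effective(acl):
    """Effective rights of group-class entries: entry AND mask."""
    mask = bits(acl.get("mask::", "rwx"))
    return {t: text(bits(p) & mask) for t, p in acl.items()
            if t not in ("user::", "mask::", "other::")}

def chmod_group(acl, group_bits):
    """chmod on the group class rewrites the mask when one exists."""
    key = "mask::" if "mask::" in acl else "group::"
    return {**acl, key: text(group_bits)}

# Default ACL of mydir/ as shown by getfacl above.
DEFAULT = {"user::": "rwx", "group::": "r-x", "group:djungle:": "r-x",
           "mask::": "r-x", "other::": "---"}

if __name__ == "__main__":
    new = inherit(DEFAULT, 0o666)
    print(new, effective(new))
    print(effective(chmod_group(new, 0o5)))
```

Because the group entries themselves keep r-x, widening the mask with chmod is enough to give the owning group and djungle execute access again.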
SUSE LINUX Enterprise Server