Datasheet
“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 706 — #732
27.3.5 The ACL Check Algorithm
A check algorithm is applied before any process or application is granted
access to an ACL-protected file system object. As a basic rule, the ACL
entries are examined in the following sequence: owner, named user, owning
group or named group, and other. The access is handled in accordance with
the entry that best suits the process. Permissions do not accumulate.
Things are more complicated if a process belongs to more than one group
and would potentially suit several group entries. An entry is randomly
selected from the suitable entries with the required permissions. It is
irrelevant which of the entries triggers the final result “access granted”.
Likewise, if none of the suitable group entries contains the correct
permissions, a randomly selected entry triggers the final result “access denied”.
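The check order above, as an added example that is not part of the original manual: a small Python model of the algorithm as documented in acl(5). The Acl class, its field names, and the sample UIDs and GIDs are constructed for illustration; the mask handling is taken from acl(5), not from this section.

```python
# Added example: models the ACL check order described above, per acl(5).
# Class, field names and the sample IDs are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Acl:
    owner: int                      # UID of the file owner
    group: int                      # GID of the owning group
    owner_perms: set
    group_perms: set                # owning group entry
    other_perms: set
    named_users: dict = field(default_factory=dict)    # uid -> perms
    named_groups: dict = field(default_factory=dict)   # gid -> perms
    mask: Optional[set] = None      # None when the ACL has no mask entry


def check_access(acl, uid, gids, wanted):
    """Return (granted, deciding entry class) for a process."""
    wanted = set(wanted)

    def limit(perms):               # mask bounds named and group entries
        return perms if acl.mask is None else perms & acl.mask

    if uid == acl.owner:            # 1. owner: decided here, no mask
        return wanted <= acl.owner_perms, "owner"
    if uid in acl.named_users:      # 2. named user
        return wanted <= limit(acl.named_users[uid]), "named user"
    # 3. owning group and named groups form one class
    matching = [acl.group_perms] if acl.group in gids else []
    matching += [p for g, p in acl.named_groups.items() if g in gids]
    if matching:
        # One single entry must hold every wanted permission;
        # permissions of different entries are never combined.
        return any(wanted <= limit(p) for p in matching), "group"
    return wanted <= acl.other_perms, "other"   # 4. other


# Constructed sample ACL: owner 1000, owning group 100
SAMPLE = Acl(owner=1000, group=100, owner_perms=set("r"), group_perms=set(),
             other_perms=set("rw"), named_users={1001: set("rwx")},
             named_groups={200: set("r"), 300: set("w")}, mask=set("rw"))

if __name__ == "__main__":
    for uid, gids, want in [(1000, {100}, "w"), (1001, set(), "x"),
                            (1002, {200, 300}, "rw"), (1002, {200, 300}, "w"),
                            (1002, {999}, "rw")]:
        print(uid, sorted(gids), want, check_access(SAMPLE, uid, gids, want))
```

In the sample, the owner is denied write access even though the other entry would allow it, and a process in groups 200 and 300 is denied rw because no single group entry holds both permissions.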
27.4 Support by Applications
As described in the preceding sections, ACLs can be used to implement
very complex permission scenarios that meet the requirements of modern
applications. The traditional permission concept and ACLs can be
combined in a smart manner. However, some important applications still lack
ACL support. Except for the star archiver, there are currently no backup
applications that guarantee the full preservation of ACLs.
The basic file commands (cp, mv, ls, and so on) do support ACLs, but
many editors and file managers (such as Konqueror) do not. When
copying files with Konqueror, for instance, the ACLs of these files are lost.
When modifying files with an editor, the ACLs of files are sometimes
preserved, sometimes not, depending on the backup mode of the editor used.
If the editor writes the changes to the original file, the access ACL will be
preserved. If the editor saves the updated contents to a new file that is
subsequently renamed to the old file name, the ACLs may be lost, unless the
editor supports ACLs.
Note
Additional Information
Detailed information about ACLs is available at
http://sdb.suse.de/en/sdb/html/81_acl.html and
http://acl.bestbits.at/. Also see the man pages for
getfacl, acl(5), and setfacl(1).










