If you want to grant or deny access to particular users or groups on the system, you can add more user and group entries to the four minimal entries described in the previous section.
Additional user entries grant and deny access to specific user IDs on your system. For example, the following entry in the ACL of a file grants read, write, and execute access to a user logged in as archer:
user:archer:rwx
Similarly, additional group entries grant and deny access to specific group IDs on your system. For example, an ACL with the following entry would deny access to a user in the group spies:
group:spies:---
In an ACL that contains more than one group entry and/or more than one user entry, the class entry specifies the maximum permissions that can be granted by any of the additional user and group entries. If a particular permission is not granted in the class entry, it cannot be granted by any ACL entries (except for the first user (owner) entry and the other entry). Any permission can be denied to a particular user or group. The class entry functions as an upper bound for file permissions.
When an ACL contains more than one group and/or user entry, the collection of additional user and group entries is referred to as the group class entries, since the effective permission granted by any of these additional entries is limited by the class entry.
If there are additional entries in the ACL, the class entry no longer necessarily equals the permissions of the owning group as reported by ls -l. This is useful because it means that the chmod command can still usefully affect the permissions of a file that has additional ACL entries.
For example, by changing the permission bits of a file to
rwx------
the class entry in the ACL is set to
class:---
This means that any additional group entries in the ACL cannot grant any access to the file. If the permission bits were set to
rwxr-----
the class ACL entry would be
class:r--
Any group entries would be able to grant read access, but not write or execute access.
The class entry does not limit the access that can be granted by the first user (owner) entry or the other entry.
Often, you will want all the files created in a directory to have certain ACL entries. For example, you might want to allow another person to write to any file in a directory of yours where the two of you are working on something together.
You can put an ACL entry granting the desired access on every file in the directory, but every time you create a new file you will have to add that entry again. Using default ACL entries, you can get the system to do this for you automatically every time a file is created.
A default ACL entry looks like this:
default:user:archer:rw-
It can be placed only on a directory, never on an ordinary file. It never has any influence on what access is granted to a user for the directory it is placed on. All it does is cause the specified entry to be included in the ACL of any file created in the directory.
If the newly created file is a directory, the default ACL entries have two effects. First, the corresponding non-default ACL entries are created, so that the desired permissions are granted and denied for the directory, just as for any file created in the directory. Second, the default entries themselves are copied, so that the new sub-directory has the same default ACL as the parent directory.
For example, if you want any files created in the directory poentkarto to be readable by certain users, you could create the appropriate default entries as shown in ``An ACL with default entries''.
$ getacl poentkarto
# file: poentkarto
# owner: fletcher
# group: tourney
user::rw-
user:archer:rw-
user:bowman:rw-
user:hunter:---
group::rw-
group:judges:rw-
class:rw-
other:---
default:user:archer:r--
default:user:bowman:r--
default:group:judges:r--
An ACL with default entries
With these entries in place, any new file created in the directory poentkarto would have an ACL like that shown in ``Effect of default entries on a file''.
# file: poentaro1
# owner: fletcher
# group: tourney
user::rw-
user:archer:r--
user:bowman:r--
group::rw-
group:judges:r--
class:rw-
other:---
Effect of default entries on a file
If the newly created file is a directory, the same ACL entries are generated, but in addition the default entries themselves are also placed in the ACL, as shown in ``Effect of default entries on a directory''.
# file: subpoento
# owner: fletcher
# group: tourney
user::rw-
user:archer:r--
user:bowman:r--
group::rw-
group:judges:r--
class:rw-
other:---
default:user:archer:r--
default:user:bowman:r--
default:group:judges:r--
Effect of default entries on a directory
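The rules described above (the class entry as an upper bound on the additional entries, the effect of chmod on it, and the inheritance of default entries by new files and sub-directories), as an added example that is not part of the original page: a small Python model that parses getacl-style output and applies those rules. The order in which entries are listed and the creation mode rw-rw---- are assumptions.

```python
# Added example (not from the page): a model of the ACL rules described above.
# Entries are (tag, qualifier, perms, is_default); "class" bounds the extra entries.

def parse_acl(text):
    """Parse getacl-style output; '#' lines are comments, class/other have no qualifier."""
    acl = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.strip().split(":")
        is_default = parts[0] == "default"
        tag, *rest = parts[1:] if is_default else parts
        qual, perms = rest if len(rest) == 2 else ("", rest[0])
        acl.append((tag, qual, perms, is_default))
    return acl

def bound(perms, limit):
    """A permission survives only if both the entry and the class entry grant it."""
    return "".join(p if p == l and p != "-" else "-" for p, l in zip(perms, limit))

def effective(acl, tag, qual=""):
    """Effective perms of one non-default entry; user:: (owner) and other are unbounded."""
    cls = next(p for t, q, p, d in acl if t == "class" and not d)
    for t, q, p, d in acl:
        if not d and t == tag and q == qual:
            return p if (t == "user" and q == "") or t == "other" else bound(p, cls)
    return None

def chmod(acl, mode):
    """Apply 'rwxr-----' bits: owner bits -> user::, group bits -> class, rest -> other."""
    new = {("user", ""): mode[:3], ("class", ""): mode[3:6], ("other", ""): mode[6:]}
    return [(t, q, p if d else new.get((t, q), p), d) for t, q, p, d in acl]

def create(parent_acl, is_dir, mode="rw-rw----"):
    """ACL of a new object: base entries from the creation mode (assumed rw-rw----),
    extra entries from the parent's defaults; a sub-directory also keeps the defaults."""
    defs = [(t, q, p) for t, q, p, d in parent_acl if d]
    acl = [("user", "", mode[:3], False)]
    acl += [(t, q, p, False) for t, q, p in defs if t == "user"]
    acl += [("group", "", mode[3:6], False)]
    acl += [(t, q, p, False) for t, q, p in defs if t == "group"]
    acl += [("class", "", mode[3:6], False), ("other", "", mode[6:], False)]
    return acl + [(t, q, p, True) for t, q, p in defs] if is_dir else acl

# Constructed input: the poentkarto ACL listed above, without its header comments.
PARENT = parse_acl("\n".join([
    "user::rw-", "user:archer:rw-", "user:bowman:rw-", "user:hunter:---",
    "group::rw-", "group:judges:rw-", "class:rw-", "other:---",
    "default:user:archer:r--", "default:user:bowman:r--", "default:group:judges:r--"]))
```

Running create(PARENT, False) reproduces the poentaro1 listing, and create(PARENT, True) reproduces the subpoento listing; a file created inside poentaro1-style objects inherits nothing, since only directories carry default entries.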