Understanding file protection

Examining an ACL

The getacl command reports the entries in the ACL. As indicated, each ACL has at least four entries, one each corresponding to the file mode permissions for owner, group, class, and other.

The file permission bits for the owner and the owning group are translated into special cases of the user and group entries: the user:: and group:: entries, which carry no user ID or group ID.

In an ACL, there must be exactly one each of these special user and group entries. There may be any number of additional user entries and group entries, but each of these must contain a user ID or group ID, respectively. There is only one other entry in an ACL, representing the permission bits granted to all other users. The following is an example of the output of the getacl command for a file named junk owned by user_1 in group_1 whose permission mode bits are -rw-r--r--:

$ getacl junk
# file: junk
# owner: user_1
# group: group_1
user::rw-
group::r--
class:r--
other:r--

If user_2 and user_3 and group_2 are added to the ACL by using the setacl command, getacl would produce the following output:

$ getacl junk
# file: junk
# owner: user_1
# group: group_1
user::rw-
user:user_2:r--
user:user_3:r--
group::r--
group:group_2:r--
class:r--
other:r--

The mode bits on the ACL class entry are significant. The class entry mode bits are derived from the group mode bits of the file, so in a basic ACL the entry for the owning group and the class entry are identical. When only a basic ACL exists for the file, you can think of the group and class bits as being the same. Once additional users and groups are added to the ACL, the owning group bits take on a separate identity from the class bits.

If the chmod command is invoked to modify the DAC permission bits when additional ACL entries exist, it effectively modifies the owner, class, and other mode bits. Please note that in the case of the DAC group permission bits, it is the class bits that are modified and not the owning group bits in the group:: ACL entry. The only way to change the remaining ACL entries (all except the ones representing owner and other) is by using the setacl command.
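To make the relationship between the named entries, the class entry and chmod concrete, here is an added example (not code from the UnixWare documentation) that parses getacl-style output, checks the structural rules stated above (exactly one user::, group::, class and other entry; every additional user or group entry must carry an ID), and computes the permissions each entry actually grants. It assumes, as in POSIX-style ACLs, that the class entry caps the owning-group entry and all named user and group entries, while the owner (user::) and other entries are not capped. The sample ACL text is constructed for the example; the apply_chmod function simulates what the text describes: chmod rewrites the owner, class and other bits but leaves the group:: entry untouched.

```python
"""Parse getacl(1)-style ACL listings and compute effective permissions.

Assumption (not stated verbatim on the page): the class entry is an upper
bound on the owning-group entry and on every named user/group entry; the
user:: (owner) and other entries are never reduced by it.
"""
import re

PERM_RE = re.compile(r"^[r-][w-][x-]$")


def parse_perms(text):
    """'rw-' -> {'r', 'w'}; rejects anything that is not an rwx triple."""
    if not PERM_RE.match(text):
        raise ValueError(f"bad permission string: {text!r}")
    return {c for c in text if c != "-"}


def fmt_perms(perms):
    return "".join(c if c in perms else "-" for c in "rwx")


def parse_getacl(text):
    """Return (header_dict, entries). entries is a list of (tag, qualifier, perm_set)."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                      # "# owner: user_1" style comment lines
            key, _, value = line[1:].strip().partition(":")
            header[key.strip()] = value.strip()
            continue
        parts = line.split(":")
        if len(parts) == 3:                           # user::rw-  or  user:user_2:r--
            tag, qualifier, perms = parts
        elif len(parts) == 2:                         # class:r--  or  other:r--
            (tag, perms), qualifier = parts, ""
        else:
            raise ValueError(f"unparseable ACL entry: {line!r}")
        if tag not in ("user", "group", "class", "other"):
            raise ValueError(f"unknown entry tag: {tag!r}")
        if tag in ("class", "other") and qualifier:
            raise ValueError(f"{tag} entry may not carry an ID: {line!r}")
        entries.append((tag, qualifier, parse_perms(perms)))
    # Structural rules from the text: exactly one of each special entry.
    for must in (("user", ""), ("group", ""), ("class", ""), ("other", "")):
        if sum(1 for t, q, _ in entries if (t, q) == must) != 1:
            raise ValueError(f"ACL needs exactly one {must[0]} entry without an ID")
    return header, entries


def effective_permissions(entries):
    """Map (tag, qualifier) -> 'rwx' string actually granted, after the class cap."""
    class_bits = next(p for t, q, p in entries if t == "class")
    result = {}
    for tag, qualifier, perms in entries:
        uncapped = tag == "other" or (tag == "user" and qualifier == "")
        result[(tag, qualifier)] = fmt_perms(perms if uncapped else perms & class_bits)
    return result


def apply_chmod(entries, mode):
    """Simulate chmod on a file with extra ACL entries.

    mode is a 9-character symbolic mode such as 'rw-r-----'. The owner (user::),
    class and other entries take the three triples; group:: and all named
    entries are left exactly as they were, which is the behaviour the text warns about.
    """
    if len(mode) != 9:
        raise ValueError("mode must be nine characters, e.g. 'rw-r--r--'")
    new = {"user": parse_perms(mode[0:3]), "class": parse_perms(mode[3:6]),
           "other": parse_perms(mode[6:9])}
    out = []
    for tag, qualifier, perms in entries:
        if (tag == "user" and qualifier == "") or tag in ("class", "other"):
            perms = new[tag]
        out.append((tag, qualifier, set(perms)))
    return out


# Constructed sample: like the second listing in the text, but user_3 and
# group_2 are given rw- so the class cap is visible.
SAMPLE = """\
# file: junk
# owner: user_1
# group: group_1
user::rw-
user:user_2:r--
user:user_3:rw-
group::r--
group:group_2:rw-
class:r--
other:r--
"""

if __name__ == "__main__":
    header, acl = parse_getacl(SAMPLE)
    print("effective now:      ", effective_permissions(acl))
    print("after chmod 600-ish:", effective_permissions(apply_chmod(acl, "rw-------")))
```

Running it shows user_3 and group_2 granted only r-- despite their rw- entries, and after the simulated chmod to rw------- every named entry and the owning group drop to --- because the class bits went to ---, even though the stored group:: entry still reads r--.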


© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004