ACL(5)                          Domain/OS SysV                          ACL(5)



NAME
     acl - details about access control lists (ACLs)

DESCRIPTION
     Every object in the system (whether directory or file) has an access
     control list (ACL) that defines who may access that object, and in what
     ways. The ACL is made up of a series of entries that consist of two
     elements: a subject identifier (SID) and a set of rights. Each entry
     gives one subject the right to perform some operations (read, write,
     execute, etc.) on the object that the ACL protects.

     There are required ACL entries and extended ACL entries. Each object must
     have an ACL entry for an owner (user), group, organization, and others
     (world). You can also create extended ACL entries that specify
     permissions for other users, groups, and organizations. Required ACL
     entries are listed before extended entries. ACL entries are automatically
     arranged in order, from the most to the least specific subject
     identifier. For example, the ACLs for individuals appear before the ACLs
     for others.

     Standard UNIX permissions use required entries, with no extended ACL
     entries.

SUBJECT IDENTIFIERS
     The subject identifier (SID) identifies those users to whom the specified
     set of rights apply. The subject identifier is in the format:

          user.group.organization

          For example:

          barb.none.r_d

     User, group, and organization specify names that are in the associated
     network registry files. You may use the wildcard % in any of the "ugo"
     fields.

ACCESS RIGHTS
     You may assign the following access rights to the types of objects
     indicated:

     Any object:

     p    Protect rights; allow rights to be changed

     Files:

     r    Read rights

     w    Write rights

     x    Execute rights

     k    Keep rights; prevents an object from being deleted or from having
          its name changed

     Directories:

     w    Write rights; allows names to be added, changed or deleted

     r    Read rights; allows directory to be listed

     x    Execute/search rights; allows directories to be searched for
          subordinate objects

     k    Keep rights; prevents an object from being deleted or from having
          its name changed

SPECIFYING ACCESS RIGHTS
     You may specify access rights individually or in groups. Each object has
     the required entries of User, Group, Organization, and World.  However,
     it is sometimes useful to have these specified, but not used for rights
     checking. This may be done by specifying the I (ignore) mode with the
     chacl(1) command. The I mode is only valid for required entries.

     Objects that are part of protected subsystems indicate this when their
     ACLs are displayed.

     NOTE: To delete a tree you need write rights to any object being deleted.
     If objects are protected with keep rights, you must have protect rights
     as well.

ACLS AND DIRECTORIES
     In addition to its own ACL, each directory contains two additional ACLs
     (called initial ACLs): one for new files and another for new
     subdirectories created within that directory. When you create a new file
     or directory, or copy one to a new location in the file hierarchy, the
     system assigns an ACL to it by copying the appropriate initial ACL stored
     in the parent directory.  When the newly created object is a directory,
     the two initial ACLs from the parent are replicated in the new
     subdirectory, unless you specifically indicate otherwise (see the
     chacl(1) command). The various options on the chacl(1), cpacl(1), and
     lsacl(1) commands determine which of these access control lists you are
     editing, copying or displaying.

     Initial ACLs may be either completely specified in the directory, or may
     inherit information from the process which is creating the object. Normal
     UNIX behavior is implemented by using inheritance from the process.

     Either the subject identifier information in a required entry or the
     rights information in a required entry may be inherited (or both). The
     options to the chacl command allow the inheritance to be specified.


EXAMPLE
     The ACL entries for a file might look like the following example.

     Required entries:

             SID        Rights      Meaning

             mary.%.%   prwx--      Owner rights
             %.none.%   [Ignored]   No group listed
             %.%.r_d    --r-x-      r_d has read and execute rights
             %.%.%      ------      No others have rights to this file

     Extended ACL entries:

              SID          Rights   Meaning

              jill.%.%     prwx--   Additional user's rights
              %.backup.%   -r----   The backup group has read rights
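     The following is an added example, not part of this manual or of
     Domain/OS itself: a small Python model of the format described above
     (SIDs with % wildcards, letter-coded rights, [Ignored] required
     entries, the NOTE on keep and protect rights for deletion), evaluated
     over the ACL from this EXAMPLE section. The first-match rule and the
     tie-break among equally specific fields (user before group before
     organization) are assumptions drawn from the text, not documented
     Domain/OS internals.

```python
# Added example (not from the Domain/OS manual): a model of acl(5) evaluation.
# Assumptions: the most specific matching entry wins; [Ignored] entries are
# skipped; rights are read by letter, not by column position.
from dataclasses import dataclass

WILDCARD = "%"
RIGHT_LETTERS = set("prwxk")   # letters listed under ACCESS RIGHTS


@dataclass(frozen=True)
class Entry:
    sid: tuple         # (user, group, organization); "%" matches anything
    rights: frozenset  # subset of "prwxk"; None models an [Ignored] entry


def parse_entry(line):
    """Parse one 'user.group.organization  rights' line."""
    sid_text, rights_text = line.split()[:2]
    sid = tuple(sid_text.split("."))
    if len(sid) != 3:
        raise ValueError(f"SID must be user.group.organization: {sid_text!r}")
    if rights_text == "[Ignored]":
        return Entry(sid, None)
    rights = frozenset(c for c in rights_text if c != "-")
    if not rights <= RIGHT_LETTERS:
        raise ValueError(f"unknown right letter in {rights_text!r}")
    return Entry(sid, rights)


def specificity(entry):
    """Sort key: more literal fields first, then user before group before org."""
    literal = tuple(int(f != WILDCARD) for f in entry.sid)
    return (sum(literal), literal)


def matches(entry, subject):
    return all(f == WILDCARD or f == s for f, s in zip(entry.sid, subject))


def effective_rights(acl_lines, subject):
    """Rights for subject=(user, group, org): first match, most specific first."""
    entries = sorted((parse_entry(l) for l in acl_lines), key=specificity, reverse=True)
    for entry in entries:
        if entry.rights is not None and matches(entry, subject):
            return entry.rights
    return frozenset()   # no %.%.% entry present: no access at all


def may_delete(rights):
    """Model of the NOTE: deletion needs 'w', plus 'p' when 'k' protects the object."""
    return "w" in rights and ("k" not in rights or "p" in rights)


# The ACL from the EXAMPLE section, required entries first, then extended ones.
EXAMPLE_ACL = ["mary.%.%   prwx--", "%.none.%   [Ignored]", "%.%.r_d    --r-x-",
               "%.%.%      ------", "jill.%.%   prwx--", "%.backup.% -r----"]
```

     For bob.none.r_d the [Ignored] group entry is skipped and the r_d
     organization entry supplies rx; for bob.none.sales only the world entry
     matches and no rights result.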

SEE ALSO
     chacl(1), cpacl(1), lsacl(1), salacl(1M)

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026