ACL Permissions

Each ACL entry for a user or group includes a set of permissions that defines the operations it grants to the user or users to whom it applies. For a mask_obj entry, the permissions define the maximum set of permissions that are allowed by the mask. Each entry can be assigned a different set of permissions.

The following permissions can be associated with an entry on an ACL for a file or directory in a DCE LFS fileset. All six permissions apply to a directory, but only the first four apply to a file; the insert and delete permissions are meaningless for files.

· r (read)

· w (write)

· x (execute)

· c (control)

· i (insert)

· d (delete)

The following table lists the various operations that can be performed on a file or directory and the ACL permissions that are required to perform them. As the table indicates, all operations performed on a file or directory object require the x (execute) permission on each directory that leads to the object. Keep this requirement in mind when determining the permissions necessary to perform the operations described in the following chapters; not all operations explicitly list it.

Note: A user must have the x (execute) permission on each directory that leads to an object to access that object by its pathname. However, certain file system operations, such as the creation of hard links and mount points, can circumvent this restriction by supplanting the usual traversal of the pathname. To guarantee that an object is securely protected, set its permissions to the precise protections you want it to have. Do not rely on the absence of the x permission for a parent directory to prevent unwanted access of an object.


File and Directory Operations and Required ACL Permissions

Operation Required Permissions
Change to a directory x on the directory itself
x on all directories that lead to the directory
List the contents of a directory r on the directory itself
x on all directories that lead to the directory
List information about the objects in a directory r and x on the directory itself
x on all directories that lead to the directory
Create an object w, x, and i on the directory in which the object is to be placed
x on all directories that lead to the directory in which the object is to be placed
Delete an object w, x, and d on the directory from which the object is to be deleted
x on all directories that lead to the directory from which the object is to be deleted
Rename an object w, x, and d on the object's current directory
x on all directories that lead to the object's current directory
w, x, and i on the object's new directory
x on all directories that lead to the object's new directory
w on the object if the object is a directory
Read or read lock a file r on the file itself
x on all directories that lead to the file
Write or write lock a file w on the file itself
x on all directories that lead to the file
Execute a binary file x on the file itself
x on all directories that lead to the file
Execute a shell script r and x on the script itself
x on all directories that lead to the script
List the ACLs on an object x on all directories that lead to the object
Change the ACLs on an object c on the object itself
x on all directories that lead to the object
Note: In the preceding table, the operation "List the contents of a directory" refers to displaying a simple list of the objects in a directory (for example, using the UNIX ls command with no flags or using the ls -a command). The operation "List information about the objects in a directory" refers to obtaining more detailed information about the objects in a directory, such as each object's mode bits or the time of its most recent update (for example, using the UNIX ls -l or ls -t command).

Also, if you rename an object to have the name of an existing object, the object that exists with that name is deleted. In this case, you do not need the d permission on the parent directory of the existing object to be deleted.

For example, suppose the user rajesh needs to execute the DFS fms command. The command writes output to a log file named FMSLog, which it places in the directory from which it is issued. To create the file in a directory, rajesh must have the w (write), x (execute), and i (insert) permissions on the directory from which the command is issued, as well as the x (execute) permission on each directory that leads to the directory.

The following example ACL entry grants rajesh the w, x, and i permissions on the directory from which the command is issued. Each - (dash) indicates a permission that is not granted. Because a full permission set is rwxcid, this entry does not grant the r (read), c (control), and d (delete) permissions.

{user rajesh -wx-i-}

The following example ACL entry grants the user the execute permission on a directory that leads to the directory:

{user rajesh - x - - - }