ACL Inheritance for Objects Created by Local Users

For ACLs, a local user is a user whose local cell is the same as the default cell of an ACL. When a local user creates an object in a directory that has the appropriate Initial Creation ACL, DCE LFS uses the intersection of the following information to determine the Object ACL that it creates for the new object:

· The UNIX mode bits specified at the system call level (with the UNIX open(), creat(), or mkdir() system call) when the object is created. The application that invokes one of these system calls specifies the mode bits for the new object. For example, when the UNIX touch command is used to create an object, the command usually specifies the user, group, and other mode bits as r and w in the resulting creat() system call.

· The appropriate Initial Creation ACL of the object's parent directory. The parent's Initial Object Creation ACL is used for a file; the parent's Initial Container Creation ACL is used for a directory.

For example, when a file is created, DCE LFS derives the initial ACL entries and permissions for its Object ACL, the only ACL associated with a file, as follows:

· The r, w, and x permissions for the file's user_obj entry consist of the intersection of the user mode bits specified when the file is created and the corresponding permissions of the user_obj entry of its parent directory's Initial Object Creation ACL. The c, i, and d permissions for the file's user_obj entry are copied directly from the user_obj entry of the parent's Initial Object Creation ACL.

· The r, w, and x permissions for the file's mask_obj entry consist of the intersection of the group mode bits specified when the file is created and the corresponding permissions of the mask_obj entry of its parent directory's Initial Object Creation ACL. The c, i, and d permissions for the file's mask_obj entry are copied directly from the mask_obj entry of the parent's Initial Object Creation ACL. In addition, the group_obj entry is copied directly from the parent's Initial Object Creation ACL to the file's Object ACL.

If the mask_obj entry does not exist on the parent's Initial Object Creation ACL, the r, w, and x permissions for the file's group_obj entry are defined as the intersection of the group mode bits specified when the file is created and the corresponding permissions of the group_obj entry of its parent directory's Initial Object Creation ACL. The c, i, and d permissions for the file's group_obj entry are copied directly from the group_obj entry of the parent's Initial Object Creation ACL.

· The r, w, and x permissions for the file's other_obj entry consist of the intersection of the other mode bits specified when the file is created and the corresponding permissions of the other_obj entry of its parent directory's Initial Object Creation ACL. The c, i, and d permissions for the file's other_obj entry are copied directly from the other_obj entry of the parent's Initial Object Creation ACL.

· All other entries included on the parent directory's Initial Object Creation ACL are copied directly to the file's Object ACL.

DCE LFS uses the same algorithm to determine the initial entries and permissions for a subdirectory's Object ACL, but it uses the parent directory's Initial Container Creation ACL instead of its Initial Object Creation ACL. The subdirectory also inherits its parent's Initial Container Creation ACL as its Initial Container Creation ACL, and it inherits its parent's Initial Object Creation ACL as its Initial Object Creation ACL. The subdirectory inherits these Initial Creation ACLs unchanged from its parent directory.

The following figure illustrates ACL inheritance for files and directories.

Figure: ACL Inheritance

The following simple example demonstrates ACL inheritance. In the example, the directory /.../abc.com/fs/usr/rajesh is the home directory for the user rajesh, whose local cell, abc.com, is the same as the default cell of the directory's ACLs. The following dcecp acl show command displays the Object ACL of the directory:

dcecp> acl show /.:/fs/usr/rajesh
{mask_obj rwx-id}
{user_obj rwxcid}
{user vijay rwx-id}
{group_obj r-x---}
{other_obj r-x---}

The following dcecp acl show commands show the Initial Object Creation ACL and Initial Container Creation ACL of the directory:

dcecp> acl show /.:/fs/usr/rajesh -io
{mask_obj rw----}
{user_obj rw-c--}
{user pierette rw----}
{group_obj r-----}
{other_obj r-----}

dcecp> acl show /.:/fs/usr/rajesh -ic
{mask_obj rwx-id}
{user_obj rwxcid}
{user pierette rwx-id}
{group_obj r-x---}
{other_obj r-x---}

Suppose rajesh, the owner of the directory, creates a subdirectory named myfiles in the directory. As the owner of the parent directory, rajesh is granted the permissions associated with the user_obj entry of the parent's Object ACL. The user_obj entry includes the w, x, and i permissions, so rajesh can create objects in the directory.

The user_obj, mask_obj, and other_obj permissions of the Object ACL for the new myfiles subdirectory are derived from the intersection of the permissions granted to these entries in the parent directory's Initial Container Creation ACL and the user, group, and other mode bits specified when the subdirectory is created. If the user, group, and other mode bits are all r, w, and x in the system call that creates the myfiles subdirectory, the subdirectory inherits the following Object ACL:

dcecp> acl show /.:/fs/usr/rajesh/myfiles
{mask_obj rwx-id}
{user_obj rwxcid}
{user pierette rwx-id}
{group_obj r-x---}
{other_obj r-x---}

Because the Initial Container Creation ACL includes a mask_obj entry, the myfiles subdirectory inherits the group_obj entry directly from the Initial Container Creation ACL. Similarly, the subdirectory inherits the user entry for pierette directly from the Initial Container Creation ACL. The subdirectory also inherits the Initial Container Creation ACL and Initial Object Creation ACL unchanged from its parent directory.
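The derivation rules listed earlier in this section and the myfiles example above, as an added Python model; this is not DCE LFS code, and the entry names, the rwxcid slot order, and the transcribed Initial Container Creation ACL are taken from the dcecp output shown on this page. Calling derive_object_acl with mode 0o777 on that ACL reproduces the myfiles Object ACL; other modes and an Initial ACL without a mask_obj entry follow the same rules.

```python
# Added model of the derivation rules on this page; it is not DCE LFS source code.
PERMS = "rwxcid"   # slot order used by dcecp "acl show" output

def parse_acl(text):
    """Parse lines such as '{user pierette rw----}' into {('user', 'pierette'): {'r', 'w'}}."""
    acl = {}
    for line in text.splitlines():
        fields = line.strip().strip("{}").split()
        if not fields:
            continue
        acl[tuple(fields[:-1])] = {c for c in fields[-1] if c != "-"}
    return acl

def format_acl(acl):
    """Render an ACL back into dcecp-style entry lines, one per entry."""
    return "\n".join("{%s %s}" % (" ".join(key), "".join(p if p in perms else "-" for p in PERMS))
                     for key, perms in acl.items())

def mode_to_bits(mode):
    """Split a UNIX mode (e.g. 0o755) into the r/w/x sets the creat()/mkdir() call passes."""
    names = {4: "r", 2: "w", 1: "x"}
    return {who: {names[b] for b in names if (mode >> shift) & b}
            for who, shift in (("user", 6), ("group", 3), ("other", 0))}

def derive_object_acl(initial_acl, mode):
    """rwx of user_obj, mask_obj and other_obj (group_obj too when no mask_obj exists) is the
    intersection with the mode bits; c, i, d and every other entry are copied unchanged."""
    bits = mode_to_bits(mode)
    has_mask = ("mask_obj",) in initial_acl
    result = {}
    for key, perms in initial_acl.items():
        name = key[0]
        if name == "user_obj":
            limit = bits["user"]
        elif name == "mask_obj" or (name == "group_obj" and not has_mask):
            limit = bits["group"]
        elif name == "other_obj":
            limit = bits["other"]
        else:                        # group_obj (mask present), user, group and any other entries
            result[key] = set(perms)
            continue
        result[key] = (perms & set("rwx") & limit) | (perms & set("cid"))
    return result

# Transcribed from the page's example: the Initial Container Creation ACL of /.:/fs/usr/rajesh.
INITIAL_CONTAINER_ACL = """{mask_obj rwx-id}
{user_obj rwxcid}
{user pierette rwx-id}
{group_obj r-x---}
{other_obj r-x---}"""
```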

Note: An object's existing ACLs may not be maintained across a file system operation such as a move or copy (performed with the mv and cp commands in the UNIX operating system). Refer to your vendor's documentation for information about how ACLs are treated with respect to such operations.