For ACLs, a foreign user is a user whose local cell is different from the default cell of an ACL. Any user who has the w, x, and i permissions on a directory's Object ACL can create objects in the directory, regardless of whether the user is a foreign user with respect to the directory's ACL. For example, a user from the cell def.com who has the w, x, and i permissions on a directory whose default cell is abc.com can create an object in the directory. The default cell of the new object is def.com, not abc.com.
When a foreign user creates an object, ACL inheritance occurs as described in ACL Inheritance for Objects Created by Local Users. However, if the user is a foreign user with respect to the appropriate Initial Creation ACL, entries inherited from the Initial Creation ACL are modified as follows:
· The mask_obj entry remains unchanged. It applies to the same entries on both the Initial Creation ACL and the new Object ACL.
· The user_obj, group_obj, and other_obj entries remain unchanged, but they are defined with respect to the default cell of the new Object ACL, not the default cell of the Initial Creation ACL. The user_obj entry specifies the permissions granted to the user who creates the object (the user whose local cell dictates the default cell of the ACL).
· Any user and group entries are changed to foreign_user and foreign_group entries because they are not defined with respect to the default cell of the new Object ACL.
· Any foreign_user and foreign_group entries that are defined with respect to the default cell of the new Object ACL are changed to user and group entries.
· Any foreign_user and foreign_group entries that are defined with respect to neither the default cell of the Initial Creation ACL nor the default cell of the new Object ACL remain unchanged.
· Any foreign_other entries and the any_other entry remain unchanged.
If a foreign user creates an object in a directory, an Object ACL is created for the new object even if the parent directory does not have the appropriate Initial Creation ACL. In this case, the Object ACL must be created to record the fact that the new object's default cell is different from the cell in which the object resides. Because an unauthenticated user is treated as a user from an unknown foreign cell, an Object ACL is also always created for an object created by an unauthenticated user. (See Mode Bits for New Objects That Do Not Inherit ACLs for information about how the permissions granted by such an Object ACL are determined.)
The following example demonstrates what happens when the local cell of a user who creates an object is different from the default cell of the appropriate Initial Creation ACL of the directory in which the object is created. In the example, the directory /.../abc.com/fs/usr/srivas is the home directory of the user srivas, whose local cell, abc.com, is the same as the default cell of the directory's ACLs. The following dcecp acl show command displays the Object ACL of the directory:
dcecp> acl show /.:/fs/usr/srivas
{mask_obj rwx-id}
{user_obj rwxcid}
{user vijay rwx-id}
{foreign_user /.../def.com/andi rwx-id}
{foreign_user /.../ghi.com/pervaze r-x---}
{group_obj r-x---}
{other_obj r-x---}
{foreign_other /.../def.com r-x---}
The following dcecp acl show commands display the Initial Object Creation ACL and Initial Container Creation ACL of the directory:
dcecp> acl show /.:/fs/usr/srivas -io
{mask_obj rw----}
{user_obj rw-c--}
{user pierette rw----}
{foreign_user /.../def.com/andi rw----}
{foreign_user /.../ghi.com/pervaze r-----}
{group_obj r-----}
{other_obj r-----}
{foreign_other /.../def.com r-----}
dcecp> acl show /.:/fs/usr/srivas -ic
{mask_obj rwx-id}
{user_obj rwxcid}
{user pierette rwx-id}
{foreign_user /.../def.com/andi rwx-id}
{foreign_user /.../ghi.com/pervaze r-x---}
{group_obj r-x---}
{other_obj r-x---}
{foreign_other /.../def.com r-x---}
All three of these ACLs are defined with respect to the cell abc.com. For example, the user entries for pierette and vijay apply to specific users from the cell abc.com, and the other_obj entries apply to other users from the cell abc.com.
The user andi, who is from the cell def.com, has entries on all three of the directory's ACLs. The foreign_user entry on the Object ACL allows andi to create objects in the directory. If andi creates a subdirectory named andi_files in the directory, the default cell of the subdirectory is def.com. Assuming the user, group, and other mode bits are r, w, and x in the system call that creates the subdirectory, the Object ACL of the subdirectory inherits the following entries from the Initial Container Creation ACL of the parent directory:
dcecp> acl show /.:/fs/usr/srivas/andi_files
{mask_obj rwx-id}
{user_obj rwxcid}
{user andi rwx-id}
{foreign_user /.../abc.com/pierette rwx-id}
{foreign_user /.../ghi.com/pervaze r-x---}
{group_obj r-x---}
{other_obj r-x---}
{foreign_other /.../def.com r-x---}
The permissions granted by the various entries are inherited according to the ACL inheritance algorithm. However, because andi's local cell (def.com) is different from the default cell (abc.com) of the parent directory's Initial Container Creation ACL, the entries from the parent's Initial Container Creation ACL are interpreted and modified as follows for use on the Object ACL of the andi_files subdirectory:
· The mask_obj entry is unchanged because it applies to the same users on both ACLs.
· The user_obj, group_obj, and other_obj entries are unchanged, but they now apply to users and groups from the cell def.com. The user_obj entry grants permissions to the user andi.
· The user pierette entry is changed to the foreign_user /.../abc.com/pierette entry because it is no longer defined with respect to the default cell of the ACL.
· The foreign_user /.../def.com/andi entry is changed to the user andi entry because it is now defined with respect to the default cell of the ACL. Note that as the owner of the directory, andi derives permissions from the user_obj entry, so the user entry for andi is not used. It remains on the ACL nonetheless.
· The foreign_user /.../ghi.com/pervaze entry is unchanged because it is defined with respect to neither the default cell of the Initial Container Creation ACL of the parent directory nor the Object ACL of the new directory.
· The foreign_other /.../def.com entry is unchanged; it continues to apply to users from the cell def.com. However, because the default cell of the ACL is now def.com, users from that cell who are not granted permissions from specific user or group entries are now granted permissions from the other_obj entry. The foreign_other entry for users from the cell /.../def.com remains on the ACL, but as long as the default cell of the ACL is def.com, this foreign_other entry does not determine the permissions granted to users from the def.com cell.
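The following Python model of the rewrite rules just described is added here for illustration and is not dcecp or DFS code. It applies only the entry-type rules, assuming (as in the example, where the creating call sets r, w, and x) that mask_obj and mode-bit filtering leave the inherited entries unchanged, and that entries are listed in the type order shown by the dcecp listings above. Fed the parent's Initial Container Creation ACL, it reproduces the Object ACL shown for andi_files:

```python
TYPE_ORDER = ["mask_obj", "user_obj", "user", "foreign_user", "group_obj",
              "group", "foreign_group", "other_obj", "foreign_other", "any_other"]
def parse_acl(text):
    """Parse dcecp-style lines such as '{foreign_user /.../def.com/andi rwx-id}'."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.strip().strip("{}").split()
        key = parts[1] if len(parts) == 3 else None      # *_obj entries have no key
        entries.append((parts[0], key, parts[-1]))
    return entries

def format_acl(entries):
    """Render entries in dcecp output order (order assumed from the listings above)."""
    ordered = sorted(entries, key=lambda e: TYPE_ORDER.index(e[0]))
    return ["{%s %s}" % (t, p) if k is None else "{%s %s %s}" % (t, k, p)
            for t, k, p in ordered]

def cell_of(principal):
    """'/.../def.com/andi' -> 'def.com'; '/.../def.com' -> 'def.com'."""
    return principal.split("/")[2]

def inherit_for_foreign_creator(entries, ic_cell, new_cell):
    """Rewrite Initial Creation ACL entries (default cell ic_cell) for an Object ACL in new_cell."""
    if ic_cell == new_cell:
        return list(entries)                  # local creator: nothing is rewritten
    out = []
    for etype, key, perms in entries:
        if etype in ("user", "group"):
            # local to ic_cell, so foreign with respect to the new ACL
            out.append(("foreign_" + etype, "/.../%s/%s" % (ic_cell, key), perms))
        elif etype in ("foreign_user", "foreign_group") and cell_of(key) == new_cell:
            # now local to the new ACL's default cell
            out.append((etype[len("foreign_"):], key.split("/")[-1], perms))
        else:
            # *_obj, foreign_other, any_other and third-cell foreign entries stay as-is
            out.append((etype, key, perms))
    return out

# Initial Container Creation ACL of /.:/fs/usr/srivas, copied from the listing above
SRIVAS_IC = """{mask_obj rwx-id}
{user_obj rwxcid}
{user pierette rwx-id}
{foreign_user /.../def.com/andi rwx-id}
{foreign_user /.../ghi.com/pervaze r-x---}
{group_obj r-x---}
{other_obj r-x---}
{foreign_other /.../def.com r-x---}"""
def andi_files_object_acl():
    """Object ACL the foreign user andi (cell def.com) gets on the new andi_files."""
    return format_acl(inherit_for_foreign_creator(parse_acl(SRIVAS_IC), "abc.com", "def.com"))
```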
Note: You can explicitly include foreign_other entries for the default cell on a directory's Initial Creation ACLs to grant users from the default cell permissions on objects created in the directory by foreign users. For example, if the Initial Container Creation ACL of the directory /.../abc.com/fs/usr/srivas in the previous example had included the entry foreign_other /.../abc.com, the Object ACL of the andi_files subdirectory would have inherited the entry unchanged from the Initial Container Creation ACL. The entry would have granted users from the cell abc.com permissions on the subdirectory andi_files.
Because andi's local cell is different from the default cell of the Initial Object Creation ACL and Initial Container Creation ACL of the parent directory of the andi_files subdirectory, entries on the corresponding ACLs that the subdirectory inherits are also changed as necessary. The new subdirectory inherits the following Initial Object Creation ACL and Initial Container Creation ACL from its parent:
dcecp> acl show /.:/fs/usr/srivas/andi_files -io
{mask_obj rw----}
{user_obj rw-c--}
{user andi rw----}
{foreign_user /.../abc.com/pierette rw----}
{foreign_user /.../ghi.com/pervaze r-----}
{group_obj r-----}
{other_obj r-----}
{foreign_other /.../def.com r-----}
dcecp> acl show /.:/fs/usr/srivas/andi_files -ic
{mask_obj rwx-id}
{user_obj rwxcid}
{user andi rwx-id}
{foreign_user /.../abc.com/pierette rwx-id}
{foreign_user /.../ghi.com/pervaze r-x---}
{group_obj r-x---}
{other_obj r-x---}
{foreign_other /.../def.com r-x---}