acl
NAME
DESCRIPTION
ACL TYPES
ACL ENTRIES
An ACL entry contains an entry tag type, an optional entry tag qualifier, and a set of permissions. We use the term qualifier to denote the entry tag qualifier of an ACL entry.
The qualifier denotes the identifier of a user or a group, for entries with tag types of ACL_USER or ACL_GROUP, respectively. Entries with tag types other than ACL_USER or ACL_GROUP have no defined qualifiers.
The following entry tag types are defined:
When an access check is performed, the ACL_USER_OBJ and ACL_USER entries are tested against the effective user ID. The effective group ID, as well as all supplementary group IDs, are tested against the ACL_GROUP_OBJ and ACL_GROUP entries.
All user ID qualifiers must be unique among all entries of ACL_USER tag type, and all group IDs must be unique among all entries of ACL_GROUP tag type.
The acl_get_file(3) function returns an ACL with zero ACL entries as the default ACL of a directory, if the directory is not associated with a default ACL. The acl_set_file(3) function also accepts an ACL with zero ACL entries as a valid default ACL for directories, denoting that the directory shall not be associated with a default ACL. This is equivalent to using the acl_delete_def_file(3) function.
CORRESPONDENCE BETWEEN ACL ENTRIES AND FILE PERMISSION BITS
There is a correspondence between the file owner, group, and other permissions and specific ACL entries: the owner permissions correspond to the permissions of the ACL_USER_OBJ entry. If the ACL has an ACL_MASK entry, the group permissions correspond to the permissions of the ACL_MASK entry. Otherwise, if the ACL has no ACL_MASK entry, the group permissions correspond to the permissions of the ACL_GROUP_OBJ entry. The other permissions correspond to the permissions of the ACL_OTHER_OBJ entry.
The file owner, group, and other permissions always match the permissions of the corresponding ACL entry. Modification of the file permission bits results in the modification of the associated ACL entries, and modification of these ACL entries results in the modification of the file permission bits.
If no default ACL is associated with a directory, the mode parameter to the functions creating file objects and the file creation mask (see umask(2)) are used to determine the ACL of the new object:
ACCESS CHECK ALGORITHM
1. If the ACL_USER_OBJ entry contains the requested permissions, access is granted, else access is denied.
2. If the matching ACL_USER entry and the ACL_MASK entry contain the requested permissions, access is granted, else access is denied.
3. If the ACL contains an ACL_MASK entry, then: if the ACL_MASK entry and any of the matching ACL_GROUP_OBJ or ACL_GROUP entries contain the requested permissions, access is granted, else access is denied. Otherwise (note that there can be no ACL_GROUP entries without an ACL_MASK entry): if the ACL_GROUP_OBJ entry contains the requested permissions, access is granted, else access is denied.
ACL TEXT FORMS
The second field contains the user or group identifier of the user or group associated with the ACL entry for entries of entry tag type ACL_USER or ACL_GROUP, and is empty for all other entries. A user identifier can be a user name or a user ID number in decimal form. A group identifier can be a group name or a group ID number in decimal form.
The third field contains the discretionary access permissions. The read, write and search/execute permissions are represented by the r, w and x characters, in this order. Each of these characters is replaced by the - character to denote that a permission is absent in the ACL entry. When converting from the text form to the internal representation, permissions that are absent need not be specified.
White space is permitted at the beginning and end of each ACL entry, and immediately before and after a field separator (the colon character).
LONG TEXT FORM
user::rw-
user:lisa:rw-         #effective:r--
group::r--
group:toolies:rw-     #effective:r--
mask::r--
other::r--
SHORT TEXT FORM
u::rw-,u:lisa:rw-,g::r--,g:toolies:rw-,m::r--,o::r--
g:toolies:rw,u:lisa:rw,u::wr,g::r,o::r,m::r
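The following is an added example, not code from acl(5) or from the acl package, that ties together the sections above: it parses both the long and the short text form (including the abbreviated permission strings of the second short-form example), enforces the structural rules the ACL ENTRIES section states, derives the file permission bits per the CORRESPONDENCE section, and runs the ACCESS CHECK ALGORITHM. Two things are assumptions of this example rather than statements of the page: qualifiers are kept as the strings written in the text form (names or decimal numbers) instead of being resolved to numeric IDs, and the outer framing of the access check (compare the effective user ID with the file owner, then with ACL_USER qualifiers, then the group IDs with the owning group and ACL_GROUP qualifiers, then fall back to ACL_OTHER) is the standard POSIX.1e order, of which the text above shows only the inner branches. All function names are this example's own.

```python
"""Added example, not code from acl(5) or the acl package: a small model of the ACL
text forms, the mode-bit correspondence and the POSIX.1e access check described on
this page.  Qualifiers stay as written (names or decimal numbers); a real
implementation resolves names to numeric IDs first."""

TAG_NAMES = {"u": "user", "user": "user", "g": "group", "group": "group",
             "m": "mask", "mask": "mask", "o": "other", "other": "other"}
LONG_NAMES = {"ACL_USER_OBJ": "user", "ACL_USER": "user", "ACL_GROUP_OBJ": "group",
              "ACL_GROUP": "group", "ACL_MASK": "mask", "ACL_OTHER": "other"}

def parse_perms(text):
    """'rw-', 'rw' or 'wr' -> frozenset of 'r', 'w', 'x'; absent perms may be omitted."""
    if set(text) - set("rwx-"):
        raise ValueError(f"bad permission string {text!r}")
    return frozenset(text) - {"-"}

def fmt_perms(perms):
    return "".join(c if c in perms else "-" for c in "rwx")

def parse_acl(text):
    """Short form (comma separated) or long form (one entry per line, '#effective:'
    comments ignored) -> list of (tag_type, qualifier, perms) tuples."""
    entries = []
    for raw in text.replace(",", "\n").splitlines():
        entry = raw.split("#", 1)[0].strip()            # drop comment and outer white space
        if not entry:
            continue
        fields = [f.strip() for f in entry.split(":")]  # white space around ':' is allowed
        if len(fields) != 3 or fields[0] not in TAG_NAMES:
            raise ValueError(f"malformed ACL entry {entry!r}")
        tag, qualifier, perms = TAG_NAMES[fields[0]], fields[1], parse_perms(fields[2])
        if tag == "user":
            tag_type = "ACL_USER" if qualifier else "ACL_USER_OBJ"
        elif tag == "group":
            tag_type = "ACL_GROUP" if qualifier else "ACL_GROUP_OBJ"
        elif qualifier:
            raise ValueError(f"{tag} entries have no qualifier: {entry!r}")
        else:
            tag_type = "ACL_MASK" if tag == "mask" else "ACL_OTHER"
        entries.append((tag_type, qualifier or None, perms))
    validate(entries)
    return entries

def validate(entries):
    """One USER_OBJ, GROUP_OBJ and OTHER; one MASK, mandatory with named entries;
    unique qualifiers per tag type (ACL ENTRIES section)."""
    counts = {}
    for tag_type, _, _ in entries:
        counts[tag_type] = counts.get(tag_type, 0) + 1
    for required in ("ACL_USER_OBJ", "ACL_GROUP_OBJ", "ACL_OTHER"):
        if counts.get(required, 0) != 1:
            raise ValueError(f"ACL needs exactly one {required} entry")
    named = [(t, q) for t, q, _ in entries if t in ("ACL_USER", "ACL_GROUP")]
    if counts.get("ACL_MASK", 0) > 1 or (named and "ACL_MASK" not in counts):
        raise ValueError("ACL needs exactly one ACL_MASK entry when named entries exist")
    if len(set(named)) != len(named):
        raise ValueError("user and group qualifiers must be unique per tag type")

def check_access(acl, uid, gids, want, owner_uid, owner_gid):
    """POSIX.1e access check: uid/gids are the process's effective user ID and all its
    group IDs, owner_uid/owner_gid the file object's owner and owning group.  The
    classes are tried in the standard order; the first matching class alone decides."""
    want = frozenset(want)
    table = {(t, q): p for t, q, p in acl}
    mask = table.get(("ACL_MASK", None))
    if uid == owner_uid:                                  # 1. file owner
        return want <= table[("ACL_USER_OBJ", None)]
    if ("ACL_USER", uid) in table:                        # 2. named user (mask must exist)
        return want <= (table[("ACL_USER", uid)] & mask)
    matching = []                                         # 3. owning group and named groups
    if owner_gid in gids:
        matching.append(table[("ACL_GROUP_OBJ", None)])
    matching += [p for (t, q), p in table.items() if t == "ACL_GROUP" and q in gids]
    if matching:
        if mask is not None:
            return any(want <= (p & mask) for p in matching)
        return want <= table[("ACL_GROUP_OBJ", None)]     # no mask: no named groups either
    return want <= table[("ACL_OTHER", None)]             # 4. everyone else

def to_long_text(acl):
    """Long text form; entries the mask cuts down get the '#effective:' comment."""
    mask = {(t, q): p for t, q, p in acl}.get(("ACL_MASK", None))
    lines = []
    for tag_type, qualifier, perms in acl:
        line = f"{LONG_NAMES[tag_type]}:{qualifier or ''}:{fmt_perms(perms)}"
        if (mask is not None and perms - mask
                and tag_type in ("ACL_USER", "ACL_GROUP_OBJ", "ACL_GROUP")):
            line += f"\t#effective:{fmt_perms(perms & mask)}"
        lines.append(line)
    return "\n".join(lines)

def mode_bits(acl):
    """File permission bits matching the ACL: group bits come from ACL_MASK if present."""
    table = {(t, q): p for t, q, p in acl}
    group = table.get(("ACL_MASK", None), table[("ACL_GROUP_OBJ", None)])
    mode = 0
    for perms in (table[("ACL_USER_OBJ", None)], group, table[("ACL_OTHER", None)]):
        mode = (mode << 3) | sum(bit for c, bit in (("r", 4), ("w", 2), ("x", 1)) if c in perms)
    return mode
```

Feeding the first short-form example above to parse_acl and then to_long_text reproduces the long-form listing, with the #effective comments showing that lisa and the toolies group are cut down to r-- by the mask; mode_bits on the same ACL yields 0644, the group bits coming from the mask entry rather than from group::r--. The check_access calls worth trying are the ones the mask makes surprising: lisa asking for write access is denied even though her own entry says rw-.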
RATIONALE
CHANGES TO THE FILE UTILITIES
The effect of the chmod(1) utility, and of the chmod(2) system call, on the access ACL is described in CORRESPONDENCE BETWEEN ACL ENTRIES AND FILE PERMISSION BITS.
STANDARDS
Linux Access Control Lists implement the full set of functions and utilities defined for Access Control Lists in POSIX.1e, and several extensions. The implementation is fully compliant with POSIX.1e draft 17; extensions are marked as such. The Access Control List manipulation functions are defined in the ACL library (libacl, -lacl). The POSIX-compliant interfaces are declared in the <sys/acl.h> header. Linux-specific extensions to these functions are declared in the <acl/libacl.h> header.
SEE ALSO
POSIX 1003.1e DRAFT 17
POSIX 1003.1e FUNCTIONS BY CATEGORY
acl_add_perm(3), acl_calc_mask(3), acl_clear_perms(3), acl_delete_perm(3), acl_get_permset(3), acl_set_permset(3)
acl_get_qualifier(3), acl_get_tag_type(3), acl_set_qualifier(3), acl_set_tag_type(3)
POSIX 1003.1e FUNCTIONS BY AVAILABILITY
acl_delete_def_file(3), acl_dup(3), acl_free(3), acl_from_text(3), acl_get_fd(3), acl_get_file(3), acl_init(3), acl_set_fd(3), acl_set_file(3), acl_to_text(3), acl_valid(3)
acl_add_perm(3), acl_calc_mask(3), acl_clear_perms(3), acl_copy_entry(3), acl_copy_ext(3), acl_copy_int(3), acl_create_entry(3), acl_delete_entry(3), acl_delete_perm(3), acl_get_entry(3), acl_get_permset(3), acl_get_qualifier(3), acl_get_tag_type(3), acl_set_permset(3), acl_set_qualifier(3), acl_set_tag_type(3), acl_size(3)
LINUX EXTENSIONS
acl_check(3), acl_cmp(3), acl_entries(3), acl_equiv_mode(3), acl_error(3), acl_extended_fd(3), acl_extended_file(3), acl_from_mode(3), acl_get_perm(3), acl_to_any_text(3)
AUTHOR