Two basic ACL formats are provided as follows:
Syntax for Setting Trivial ACLs
chmod [options] A[index]{+|=}owner@ |group@ |everyone@:access-permissions/...[:inheritance-flags]:deny | allow file
chmod [options] A-owner@, group@, everyone@:access-permissions/...[:inheritance-flags]:deny | allow file ...
chmod [options] A[index]- file
Syntax for Setting Non-Trivial ACLs
chmod [options] A[index]{+|=}user|group:name:access-permissions/...[:inheritance-flags]:deny | allow file
chmod [options] A-user|group:name:access-permissions/...[:inheritance-flags]:deny | allow file ...
chmod [options] A[index]- file
owner@, group@, everyone@
Identifies the ACL-entry-type for trivial ACL syntax. For a description of ACL-entry-types, see Table 8–1.
user or group:ACL-entry-ID=username or groupname
Identifies the ACL-entry-type for explicit ACL syntax. The user and group ACL-entry-type must also contain the ACL-entry-ID, username or groupname. For a description of ACL-entry-types, see Table 8–1.
access-permissions/.../
Identifies the access permissions that are granted or denied. For a description of ACL access privileges, see Table 8–2.
inheritance-flags
Identifies an optional list of ACL inheritance flags. For a description of the ACL inheritance flags, see Table 8–3.
deny | allow
Identifies whether the access permissions are granted or denied.
In the following example, the ACL-entry-ID value is not relevant.
group@:write_data/append_data/execute:deny
The following example includes an ACL-entry-ID because a specific user (ACL-entry-type) is included in the ACL.
0:user:gozer:list_directory/read_data/execute:allow
When an ACL entry is displayed, it looks similar to the following:
2:group@:write_data/append_data/execute:deny
The 2, or index-ID, in this example identifies the ACL entry within the larger ACL, which might have multiple entries for owner, specific UIDs, group, and everyone. You can specify the index-ID with the chmod command to identify which part of the ACL you want to modify. For example, you can identify index ID 3 as A3 to the chmod command, similar to the following:
chmod A3=user:venkman:read_acl:allow filename
ACL entry types, which are the ACL representations of owner, group, and other, are described in the following table.
Table 8–1 ACL Entry Types
ACL Entry Type | Description
---|---
owner@ | Specifies the access granted to the owner of the object.
group@ | Specifies the access granted to the owning group of the object.
everyone@ | Specifies the access granted to any user or group that does not match any other ACL entry.
user | With a user name, specifies the access granted to an additional user of the object. Must include the ACL-entry-ID, which contains a username or userID. If the value is not a valid numeric UID or username, the ACL entry type is invalid.
group | With a group name, specifies the access granted to an additional group of the object. Must include the ACL-entry-ID, which contains a groupname or groupID. If the value is not a valid numeric GID or groupname, the ACL entry type is invalid.
ACL access privileges are described in the following table.
Table 8–2 ACL Access Privileges
Access Privilege | Compact Access Privilege | Description
---|---|---
add_file | w | Permission to add a new file to a directory.
add_subdirectory | p | On a directory, permission to create a subdirectory.
append_data | p | Placeholder. Not currently implemented.
delete | d | Permission to delete a file.
delete_child | D | Permission to delete a file or directory within a directory.
execute | x | Permission to execute a file or search the contents of a directory.
list_directory | r | Permission to list the contents of a directory.
read_acl | c | Permission to read the ACL (ls).
read_attributes | a | Permission to read basic attributes (non-ACLs) of a file. Think of basic attributes as the stat level attributes. Allowing this access mask bit means the entity can execute ls(1) and stat(2).
read_data | r | Permission to read the contents of the file.
read_xattr | R | Permission to read the extended attributes of a file or perform a lookup in the file's extended attributes directory.
synchronize | s | Placeholder. Not currently implemented.
write_xattr | W | Permission to create extended attributes or write to the extended attributes directory. Granting this permission to a user means that the user can create an extended attribute directory for a file. The attribute file's permissions control the user's access to the attribute.
write_data | w | Permission to modify or replace the contents of a file.
write_attributes | A | Permission to change the times associated with a file or directory to an arbitrary value.
write_acl | C | Permission to write the ACL or the ability to modify the ACL by using the chmod command.
write_owner | o | Permission to change the file's owner or group, that is, the ability to execute the chown or chgrp commands on the file. This is permission to take ownership of a file or to change the group ownership of the file to a group of which the user is a member. To change the file or group ownership to an arbitrary user or group, the PRIV_FILE_CHOWN privilege is required.
The following ACL sets can be applied as a unit rather than setting the individual permissions separately.
ACL Set Name | Included ACL Permissions
---|---
full_set | All permissions
modify_set | All permissions except write_acl and write_owner
read_set | read_data, read_attributes, read_xattr, and read_acl
write_set | write_data, append_data, write_attributes, and write_xattr
These ACL sets are predefined and cannot be modified.
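As an added example (not code from the Solaris documentation), the following parser takes ACL entries in the text form shown above (index, entry type, optional ACL-entry-ID, permissions, optional inheritance flags, allow/deny), expands the predefined ACL sets from the last table using the permission names of Table 8–2, renders the compact letter form, and reports allow entries that hand write_acl or write_owner to everyone@, since either lets any user rewrite the ACL in their own favour. The compact column order is assumed; inheritance flags are passed through unparsed because Table 8–3 is not on this page.

```python
# Added example (not from the Solaris docs): parse the ACL-entry text form
# described above, expand the predefined ACL sets, and render the compact form.

# Table 8-2, permission name -> compact letter (several names share a letter).
COMPACT = {
    "list_directory": "r", "read_data": "r", "add_file": "w", "write_data": "w",
    "execute": "x", "add_subdirectory": "p", "append_data": "p", "delete": "d",
    "delete_child": "D", "read_attributes": "a", "write_attributes": "A",
    "read_xattr": "R", "write_xattr": "W", "read_acl": "c", "write_acl": "C",
    "write_owner": "o", "synchronize": "s",
}
COMPACT_ORDER = "rwxpdDaARWcCos"   # column order of the compact form (assumed)
ACL_SETS = {                        # predefined sets from the last table above
    "full_set": set(COMPACT),
    "modify_set": set(COMPACT) - {"write_acl", "write_owner"},
    "read_set": {"read_data", "read_attributes", "read_xattr", "read_acl"},
    "write_set": {"write_data", "append_data", "write_attributes", "write_xattr"},
}

def parse_entry(text):
    """Parse '[index:]type[:name]:perm/perm[:flags]:allow|deny' into a dict."""
    fields = text.strip().split(":")
    index = int(fields.pop(0)) if fields[0].isdigit() else None
    entry_type = fields.pop(0)
    if entry_type not in ("owner@", "group@", "everyone@", "user", "group"):
        raise ValueError(f"unknown ACL-entry-type {entry_type!r}")
    # user/group carry an ACL-entry-ID (username or groupname); @ types do not
    name = fields.pop(0) if entry_type in ("user", "group") else None
    if len(fields) not in (2, 3) or fields[-1] not in ("allow", "deny"):
        raise ValueError(f"malformed entry {text!r}")
    kind = fields.pop()
    flags = tuple(fields.pop().split("/")) if len(fields) == 2 else ()
    perms = set()
    for p in fields[0].split("/"):
        if p in ACL_SETS:
            perms |= ACL_SETS[p]            # expand a predefined set
        elif p in COMPACT:
            perms.add(p)
        else:
            raise ValueError(f"unknown access permission {p!r}")
    return {"index": index, "type": entry_type, "name": name,
            "perms": frozenset(perms), "flags": flags, "kind": kind}

def compact(entry):
    """Render the permissions as the fixed-width compact string, '-' for unset."""
    letters = {COMPACT[p] for p in entry["perms"]}
    return "".join(c if c in letters else "-" for c in COMPACT_ORDER)

def risky_entries(entries):
    """Allow entries that let everyone@ rewrite the ACL or take ownership."""
    return [e for e in entries if e["kind"] == "allow" and e["type"] == "everyone@"
            and e["perms"] & {"write_acl", "write_owner"}]
```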