Syntax for Setting Trivial ACLs
An ACL is trivial in that it only represents the traditional UNIX owner/group/other entries.
chmod [options] A[index]{+|=}owner@ |group@ |everyone@:access-permissions/...[:inheritance-flags]:deny | allow file
chmod [options] A-owner@, group@, everyone@:access-permissions/...[:inheritance-flags]:deny | allow file ...
chmod [options] A[index]- file
Syntax for Setting Non-Trivial ACLs
chmod [options] A[index]{+|=}user|group:name:access-permissions/...[:inheritance-flags]:deny | allow file
chmod [options] A-user|group:name:access-permissions/...[:inheritance-flags]:deny | allow file ...
chmod [options] A[index]- file
owner@ | group@ | everyone@: Identifies the ACL-entry-type for trivial ACL syntax. For a description of ACL entry types, see Table 8–1.
user | group: Identifies the ACL-entry-type for explicit ACL syntax. The user and group ACL-entry-type must also contain the ACL-entry-ID, a username or groupname. For a description of ACL entry types, see Table 8–1.
access-permissions/...: Identifies the access permissions that are granted or denied. For a description of ACL access privileges, see Table 8–2.
inheritance-flags: Identifies an optional list of ACL inheritance flags. For a description of the ACL inheritance flags, see Table 8–3.
deny | allow: Identifies whether the access permissions are granted or denied.
In the following example, the ACL-entry-ID value is not relevant:
group@:write_data/append_data/execute:deny
The following example includes an ACL-entry-ID because a specific user (ACL-entry-type) is included in the ACL.
0:user:gozer:list_directory/read_data/execute:allow
When an ACL entry is displayed, it looks similar to the following:
2:group@:write_data/append_data/execute:deny
In this example, the 2, known as the index-ID designation, identifies the ACL entry in the larger ACL, which might have multiple entries for owner, specific UIDs, group, and everyone. You can specify the index-ID with the chmod command to identify which part of the ACL you want to modify. For example, you can identify index ID 3 as A3 in the chmod command syntax, similar to the following:
chmod A3=user:venkman:read_acl:allow filename
ACL entry types, which are the ACL representations of owner, group, and other, are described in the following table.
Table 8–1 ACL Entry Types

| ACL Entry Type | Description |
|---|---|
| owner@ | Specifies the access granted to the owner of the object. |
| group@ | Specifies the access granted to the owning group of the object. |
| everyone@ | Specifies the access granted to any user or group that does not match any other ACL entry. |
| user | With a user name, specifies the access granted to an additional user of the object. This entry must include the ACL-entry-ID, which contains a username or userID. If the value is not a valid numeric UID or username, the ACL entry type is invalid. |
| group | With a group name, specifies the access granted to an additional group of the object. This entry must include the ACL-entry-ID, which contains a groupname or groupID. If the value is not a valid numeric GID or groupname, the ACL entry type is invalid. |
ACL access privileges are described in the following table.
Table 8–2 ACL Access Privileges

| Access Privilege | Compact Access Privilege | Description |
|---|---|---|
| add_file | w | Permission to add a new file to a directory. |
| add_subdirectory | p | On a directory, permission to create a subdirectory. |
| append_data | p | Placeholder. Not currently implemented. |
| delete | d | Permission to delete a file. |
| delete_child | D | Permission to delete a file or a directory within a directory. |
| execute | x | Permission to execute a file or search the contents of a directory. |
| list_directory | r | Permission to list the contents of a directory. |
| read_acl | c | Permission to read the ACL (ls). |
| read_attributes | a | Permission to read the basic attributes (non-ACLs) of a file. Think of basic attributes as the stat-level attributes. Allowing this access mask bit means that the entity can execute ls(1) and stat(2). |
| read_data | r | Permission to read the contents of a file. |
| read_xattr | R | Permission to read the extended attributes of a file or to perform a lookup in the file's extended attributes directory. |
| synchronize | s | Placeholder. Not currently implemented. |
| write_xattr | W | Permission to create extended attributes or write to the extended attributes directory. Granting this permission to a user means that the user can create an extended attribute directory for a file. The attribute file's permissions control the user's access to the attribute. |
| write_data | w | Permission to modify or replace the contents of a file. |
| write_attributes | A | Permission to change the time stamps associated with a file or directory to an arbitrary value. |
| write_acl | C | Permission to write the ACL or to modify the ACL by using the chmod command. |
| write_owner | o | Permission to change the file's owner or group, that is, to run the chown or chgrp command on the file: the user can take ownership of the file, or change its group ownership to a group of which the user is a member. Changing the file's owner or group to an arbitrary user or group additionally requires the PRIV_FILE_CHOWN privilege. |