Syntax Descriptions for Setting ACLs
Two basic ACL formats are provided as follows:
- Trivial ACL – Contains only traditional UNIX user, group, and owner entries.
  Use the following command syntax to set trivial ACLs.
  chmod [options] A[index]{+|=}owner@ |group@ |everyone@: \
  access-permissions/...[:inheritance-flags]:deny | allow file
  chmod [options] A-owner@, group@, everyone@: \
  access-permissions/...[:inheritance-flags]:deny | allow file ...
  chmod [options] A[index]- file
- Non-Trivial ACL – Contains more entries than just owner, group, and everyone, or includes inheritance flags set, or the entries are ordered in a non-traditional way.
  Use the following command syntax to set non-trivial ACLs.
  chmod [options] A[index]{+|=}user|group:name: \
  access-permissions/...[:inheritance-flags]:deny | allow file
  chmod [options] A-user|group:name: \
  access-permissions/...[:inheritance-flags]:deny | allow file ...
  chmod [options] A[index]- file
The following list explains the options that are used in the commands to set up trivial and non-trivial ACLs.
- owner@, group@, everyone@ – Identifies the ACL-entry-type for trivial ACL syntax. For a description of ACL-entry-types, see Table 7–1.
- user or group:ACL-entry-ID=username or groupname – Identifies the ACL-entry-type for explicit ACL syntax. The user and group ACL-entry-type must also contain the ACL-entry-ID, username or groupname. For a description of ACL-entry-types, see Table 7–1.
- access-permissions/.../ – Identifies the access permissions that are granted or denied. For a description of ACL access privileges, see Table 7–2.
- inheritance-flags – Identifies an optional list of ACL inheritance flags. For a description of the ACL inheritance flags, see Table 7–4.
- deny | allow – Identifies whether the access permissions are granted or denied.
In the following example, no ACL-entry-ID value exists for owner@, group@, or everyone@.
group@:write_data/append_data/execute:deny
The following example includes an ACL-entry-ID because a specific user (ACL-entry-type) is included in the ACL.
0:user:joe:list_directory/read_data/execute:allow
An ACL entry is displayed similar to the following:
2:group@:write_data/append_data/execute:deny
The 2 or the index-ID designation in this example identifies the ACL entry in the larger ACL, which might have multiple entries for owner, specific UIDs, group, and everyone. You can specify the index-ID with the chmod command to identify which part of the ACL you want to modify. For example, you can identify index ID 3 as A3 to the chmod command, similar to the following:
chmod A3=user:venkman:read_acl:allow filename
The following table describes ACL entry types, which are the ACL representations of owner, group, and other.
Table 7-1 ACL Entry Types
| ACL Entry Type | Description |
|---|---|
| owner@ | Specifies the access granted to the owner of the object. |
| group@ | Specifies the access granted to the owning group of the object. |
| everyone@ | Specifies the access granted to any user or group that does not match any other ACL entry. |
| user | With a user name, specifies the access granted to an additional user of the object. Must include the ACL-entry-ID, which contains a username or userID. If the value is not a valid numeric UID or username, the ACL entry type is invalid. |
| group | With a group name, specifies the access granted to an additional group of the object. Must include the ACL-entry-ID, which contains a groupname or groupID. If the value is not a valid numeric GID or groupname, the ACL entry type is invalid. |
ACL access privileges are described in the following table.
Table 7-2 ACL Access Privileges
| Access Privilege | Compact Access Privilege | Description |
|---|---|---|
| add_file | w | Permission to add a new file to a directory. |
| add_subdirectory | p | On a directory, permission to create a subdirectory. |
| append_data | p | Not currently implemented. |
| delete | d | Permission to delete a file. For more information about specific delete permission behavior, see Table 7–3. |
| delete_child | D | Permission to delete a file or directory within a directory. For more information about specific delete_child permission behavior, see Table 7–3. |
| execute | x | Permission to execute a file or search the contents of a directory. |
| list_directory | r | Permission to list the contents of a directory. |
| read_acl | c | Permission to read the ACL (ls). |
| read_attributes | a | Permission to read basic attributes (non-ACLs) of a file. Think of basic attributes as the stat level attributes. Allowing this access mask bit means the entity can execute ls(1) and stat(2). |
| read_data | r | Permission to read the contents of the file. |
| read_xattr | R | Permission to read the extended attributes of a file or perform a lookup in the file's extended attributes directory. |
| synchronize | s | Not currently implemented. |
| write_xattr | W | Permission to create extended attributes or write to the extended attributes directory. Granting this permission to a user means that the user can create an extended attribute directory for a file. The attribute file's permissions control the user's access to the attribute. |
| write_data | w | Permission to modify or replace the contents of a file. |
| write_attributes | A | Permission to change the times associated with a file or directory to an arbitrary value. |
| write_acl | C | Permission to write the ACL or the ability to modify the ACL by using the chmod command. |
| write_owner | o | Permission to change the file's owner or group. Or, the ability to execute the chown or chgrp commands on the file. Permission to take ownership of a file or permission to change the group ownership of the file to a group of which the user is a member. If you want to change the file or group ownership to an arbitrary user or group, then the PRIV_FILE_CHOWN privilege is required. |
The following table provides additional details about ACL delete and delete_child behavior.
Table 7-3 ACL delete and delete_child Permission Behavior
| Parent Directory ACL | ACL allows delete | ACL denies delete | Delete permission unspecified |
|---|---|---|---|
| ACL allows delete_child | Permit | Permit | Permit |
| ACL denies delete_child | Permit | Deny | Deny |
| ACL allows only write and execute | Permit | Permit | Permit |
| ACL denies write and execute | Permit | Deny | Deny |
ZFS ACL Sets
The following ACL combinations can be applied in an ACL set rather than setting individual permissions separately.
The following ACL sets are available.
| ACL Set Name | Included ACL Permissions |
|---|---|
| full_set | All permissions |
| modify_set | All permissions except write_acl and write_owner |
| read_set | read_data, read_attributes, read_xattr, and read_acl |
| write_set | write_data, append_data, write_attributes, and write_xattr |
These ACL sets are predefined and cannot be modified.
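As an added example (not code from this guide or from Solaris), the following parser checks an ACL entry string such as `2:group@:write_data/append_data/execute:deny` against the entry types of Table 7-1, the access privileges of Table 7-2 and the predefined ACL sets above, and renders the compact-letter form; the compact display order rwxpdDaARWcCos is an assumption, and the names `parse_entry`, `compact` and `AclEntry` are this example's own.

```python
from typing import NamedTuple, Optional
# Table 7-2: access privilege -> compact letter; display order assumed as rwxpdDaARWcCos.
PRIVILEGES = {
    "read_data": "r", "list_directory": "r", "write_data": "w", "add_file": "w", "execute": "x",
    "append_data": "p", "add_subdirectory": "p", "delete": "d", "delete_child": "D",
    "read_attributes": "a", "write_attributes": "A", "read_xattr": "R", "write_xattr": "W",
    "read_acl": "c", "write_acl": "C", "write_owner": "o", "synchronize": "s",
}
COMPACT_ORDER = "rwxpdDaARWcCos"
ENTRY_TYPES = ("owner@", "group@", "everyone@", "user", "group")  # Table 7-1
ACL_SETS = {  # predefined ZFS ACL sets, as in the table above
    "read_set": ("read_data", "read_attributes", "read_xattr", "read_acl"),
    "write_set": ("write_data", "append_data", "write_attributes", "write_xattr"),
    "full_set": tuple(PRIVILEGES),
    "modify_set": tuple(p for p in PRIVILEGES if p not in ("write_acl", "write_owner")),
}

class AclEntry(NamedTuple):
    index: Optional[int]      # index-ID within the ACL, if given
    entry_type: str           # owner@, group@, everyone@, user or group
    entry_id: Optional[str]   # username or groupname, only for user/group
    permissions: tuple        # access permissions, with ACL sets expanded
    flags: tuple              # inheritance flags, kept as written
    access: str               # "allow" or "deny"

def parse_entry(text: str) -> AclEntry:
    """Parse e.g. '0:user:joe:list_directory/read_data/execute:allow'."""
    f = text.split(":")
    index = int(f.pop(0)) if f[0].isdigit() else None
    if not f or f[0] not in ENTRY_TYPES:
        raise ValueError(f"unknown ACL-entry-type in {text!r}")
    entry_type, entry_id = f.pop(0), None
    if entry_type in ("user", "group"):  # explicit entries need an ACL-entry-ID
        if not f or not f[0]:
            raise ValueError("user/group entries require a username or groupname")
        entry_id = f.pop(0)
    if len(f) not in (2, 3) or f[-1] not in ("allow", "deny"):
        raise ValueError(f"malformed entry {text!r}")
    flags = tuple(f[1].split("/")) if len(f) == 3 else ()
    expanded = []
    for p in f[0].split("/"):
        expanded += ACL_SETS.get(p, (p,))  # a set name stands for its members
    unknown = [n for n in expanded if n not in PRIVILEGES]
    if unknown:
        raise ValueError(f"unknown access permission(s) {unknown}")
    return AclEntry(index, entry_type, entry_id, tuple(dict.fromkeys(expanded)), flags, f[-1])

def compact(entry: AclEntry) -> str:  # '-' marks a permission the entry does not carry
    present = {PRIVILEGES[p] for p in entry.permissions}
    return "".join(c if c in present else "-" for c in COMPACT_ORDER)
```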