Administrator's Guide

5.4.8 Example of Changing a Minimal JFS ACL
To illustrate the function of the JFS ACL class entry, this section describes how chmod
and setacl affect a file with a minimal JFS ACL and a file with group class entries.
NOTE: Further details about the use of the getacl and setacl commands are in
Section 5.4.10. Refer also to getacl(1) and setacl(1).
Consider a file, exfile, with read-only (444) permissions and a minimal JFS ACL. The
ls -l command shows the permissions for exfile:
$ ls -l exfile
-r--r--r-- 1 jsmith users 12 Sep 20 15:02 exfile
The getacl command lists the following output for exfile, which is a minimal JFS
ACL:
$ getacl exfile
# file: exfile
# owner: jsmith
# group: users
user::r--
group::r--
class:r--
other:r--
Using the chmod command to add write permissions to exfile changes both the owning
group and the class ACL entries. For example, look at the getacl command output:
$ chmod 666 exfile
$ getacl exfile
# file: exfile
# owner: jsmith
# group: users
user::rw-
group::rw-
class:rw-
other:rw-
Now add user and group entries, which affect the class ACL entry but not
the owning group entry. The first setacl command that follows grants read-only
permission to user guest; the other ACL entries are unaffected. However, the second
setacl command grants read-execute permissions to the group dev, and the upper
bound on permissions (the class entry) is extended to include execute permission.
$ setacl -m u:guest:r-- exfile
$ setacl -m g:dev:r-x exfile
$ getacl exfile
# file: exfile
# owner: jsmith
# group: users
user::rw-
user:guest:r--
group::rw-
98 File System Security
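The chmod and setacl steps of this section can be modelled as follows. This is an added example, not code from the guide or from HP-UX; it assumes that setacl -m recalculates the class entry as the union of the owning group entry and the additional user and group entries, and all function names are hypothetical.

```python
# Added example: models the ACL changes shown in this section.
# Assumption: setacl -m recalculates the class entry as the union of the
# group class entries (owning group, additional users, additional groups).
BITS = {"r": 4, "w": 2, "x": 1}
BASE = ("user:", "group:", "class", "other")  # entries of a minimal ACL

def to_bits(perm):
    return sum(v for c, v in BITS.items() if c in perm)

def to_perm(bits):
    return "".join(c if bits & v else "-" for c, v in BITS.items())

def parse_getacl(text):
    """Return {entry: bits} from getacl output, skipping '#' header lines."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, perm = line.rpartition(":")
            acl[key] = to_bits(perm)
    return acl

def is_minimal(acl):
    return set(acl) == set(BASE)

def group_class(acl):
    """Entries whose permissions are bounded by the class entry."""
    return {k: v for k, v in acl.items() if k not in ("user:", "class", "other")}

def chmod_minimal(acl, mode):
    """Model chmod on a minimal ACL, as in the chmod 666 listing above."""
    if not is_minimal(acl):
        raise ValueError("this model covers only a minimal ACL")
    u, g, o = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    return {"user:": u, "group:": g, "class": g, "other": o}

def setacl_modify(acl, spec):
    """Model `setacl -m spec`; returns (new_acl, permissions added to class)."""
    tag, name, perm = spec.split(":")
    new = dict(acl)
    new[{"u": "user", "g": "group"}[tag] + ":" + name] = to_bits(perm)
    new["class"] = 0
    for bits in group_class(new).values():
        new["class"] |= bits
    return new, to_perm(new["class"] & ~acl["class"])

# The first getacl listing for exfile, copied from this section.
LISTING = "# file: exfile\n# owner: jsmith\n# group: users\nuser::r--\ngroup::r--\nclass:r--\nother:r--\n"
```

A non-empty second return value from setacl_modify marks a change that raised the upper bound for every group class entry, which is the case worth reviewing when auditing ACL changes.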