Open System Services Programmer's Guide

Base ACL Entries
The base ACL entries grant permissions equivalent to standard UNIX permissions. When an ACL
consists of the four base ACL entries only, it is called a minimal ACL, and the permissions for the
class and other ACL entries are equal. The chmod() and acl() functions can change base ACL
entries.
Table 40 Base ACL Entries
Notation       Entry Type   Description
user::perm     USER_OBJ     Permissions for the owner of the object
group::perm    GROUP_OBJ    Permissions for the owning group of the object
class:perm     CLASS_OBJ    The maximum permissions granted to the file group class
other:perm     OTHER_OBJ    Permissions for other users
Class Entry
The class ACL entry, which is a base ACL entry, was created to preserve compatibility with programs
that only use chmod(). Because of the class ACL entry, existing programs that use chmod() can
work with files that have ACL entries for optional users and optional groups in addition to the owning
group.
The class entry acts as an upper bound for file permissions. In an ACL that contains optional group
entries or optional user entries, the class entry specifies the maximum permissions that can be
granted to:
• Members of the owning group
• Any additional user entries (optional users)
• Any additional group entries (members of any optional groups)
The class entry is useful because it allows you to restrict the permissions for all of the other ACL
entries by changing only one ACL entry. If optional user or optional group ACL entries are
present, the chmod command changes the permissions of the class ACL entry instead of the
permissions of the owning group. This behavior allows programs that use the chmod command to
support files or directories that have permissions for additional users and groups.
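The class-entry behavior described above, modelled as an added example (not code from this guide, and not the OSS acl() interface): the type and function names are hypothetical and the sample ACL is constructed. It shows that a chmod that widens the group digit raises the class bound, so an optional entry set to rwx but capped at r-- becomes fully effective.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical model types for illustration; not the OSS <acl.h> definitions. */
enum etype { E_USER_OBJ, E_GROUP_OBJ, E_CLASS_OBJ, E_OTHER_OBJ, E_USER, E_GROUP };
struct entry { enum etype type; const char *name; unsigned perm; }; /* r=4 w=2 x=1 */

/* Constructed sample ACL: four base entries plus two optional user entries. */
struct entry sample[] = {
    { E_USER_OBJ,  "user::",       7 },
    { E_GROUP_OBJ, "group::",      5 },
    { E_CLASS_OBJ, "class:",       4 },
    { E_OTHER_OBJ, "other:",       0 },
    { E_USER,      "user:mary:",   7 },
    { E_USER,      "user:george:", 0 },
};
enum { SAMPLE_N = sizeof sample / sizeof sample[0] };

static struct entry *find(struct entry *acl, size_t n, enum etype t) {
    for (size_t i = 0; i < n; i++)
        if (acl[i].type == t) return &acl[i];
    return NULL;
}

/* Owning-group and optional entries are capped by the class entry;
   owner and other entries are not. */
unsigned effective(struct entry *acl, size_t n, const struct entry *e) {
    const struct entry *cls = find(acl, n, E_CLASS_OBJ);
    int bounded = e->type == E_GROUP_OBJ || e->type == E_USER || e->type == E_GROUP;
    return (bounded && cls) ? (e->perm & cls->perm) : e->perm;
}

/* Model of chmod's group digit: with optional entries present it rewrites the
   class entry; otherwise it changes the owning group, as on standard UNIX. */
void chmod_group_bits(struct entry *acl, size_t n, unsigned bits) {
    int optional = find(acl, n, E_USER) || find(acl, n, E_GROUP);
    struct entry *e = find(acl, n, optional ? E_CLASS_OBJ : E_GROUP_OBJ);
    if (e) e->perm = bits & 7;
}

int main(void) {
    for (int pass = 0; pass < 2; pass++) {
        puts(pass ? "after chmod g=rwx:" : "before:");
        for (size_t i = 0; i < SAMPLE_N; i++)
            printf("  %-13s set=%o effective=%o\n", sample[i].name,
                   sample[i].perm, effective(sample, SAMPLE_N, &sample[i]));
        chmod_group_bits(sample, SAMPLE_N, 7);
    }
    return 0;
}
```

When reviewing a file that carries optional entries, compare each entry's set permissions with the class entry before changing the group digit with chmod, because the owning-group entry itself stays untouched while the cap moves.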
Optional ACL Entries
Optional ACL entries are ACL entries other than the base ACL entries. Optional ACL entries grant
permissions beyond the standard UNIX permissions and can be used to further allow or deny
access to the file. A file or directory is considered to have an ACL only if optional ACL entries are present.
In OSS, you can specify up to 146 optional ACL entries in an ACL. You use the setacl command
or the acl() system call to set ACL entries.
Table 41 Actual (Nondefault) Optional ACL Entries
Notation          Entry Type   Description
user:uid:perm     USER         Permissions for the user specified by uid
group:gid:perm    GROUP        Permissions for the group specified by gid
Examples of actual optional ACL entries:
u:mary:rwx
    Grant read, write, and execute access to the user mary.
user:george:---
    Deny access to the user george.