Open System Services Programmer's Guide

For security reasons, if an ACL contains default ACL entries, all of the default base ACL entries
should be provided. During ACL inheritance, if any default base ACL entries are missing, the
permissions for the missing default base ACL entries are derived as follows:
Type                        Permissions          Derived From
DEF_USER_OBJ permissions    user permissions     The complement of the umask
DEF_GROUP_OBJ permissions   group permissions    The complement of the umask
DEF_CLASS_OBJ permissions   group permissions    The complement of the umask
DEF_OTHER_OBJ permissions   other permissions    The complement of the umask
Examples of ACL Inheritance
Directory /a has the following ACL, as reported by the getacl command:
# file: /a
# owner: alpha
# group: uno
user::rwx
group::rwx
class:rwx
other:rwx
default:user:beta:r--
default:user:gamma:r--
default:group:dos:---
default:group:tres:---
In this example, the ACL for a new file created in the directory /a includes the default ACL entries
for directory /a as actual (nondefault) ACL entries:
# file: /a/newfile
# owner: creator_uid
# group: creator_gid
user::rw-
user:beta:r--
user:gamma:r--
group::r--
group:dos:---
group:tres:---
class:r--
other:r--
In this example, a new directory, dir, is created in the /a directory. The default ACL entries of the
parent directory, /a, are added to the ACL of the new subdirectory twice: first as actual (nondefault)
ACL entries and second as the default ACL entries. This behavior ensures that default ACLs propagate
downward as trees of directories are created. This example shows the ACL of the new directory,
dir:
# file: /a/dir
# owner: creator_uid
# group: creator_gid
user::rwx
user:beta:r--
user:gamma:r--
group::r-x
group:dos:---
group:tres:---
class:r-x
other:r-x
default:user:beta:r--
default:user:gamma:r--
Using OSS Access Control Lists (ACLs) 265
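The derivation table and the two listings above can be checked with a short model that flags missing default base ACL entries and shows what they would silently become under a given umask. This is an added example, not code from the guide or from the OSS product; the umask of 022, the creation modes 0666 and 0777, the ANDing of the creation mode into derived entries, and the default:user:: spelling of default base entries are assumptions.

```python
# Added example: a model of the inheritance rules on this page, not HPE code.
# Assumed: umask 022, creation modes 0666/0777 ANDed into derived entries,
# and default base entries printed as default:user::, default:class:, etc.
BASE = {"user": "user::", "group": "group::", "class": "class:", "other": "other:"}
SHIFT = {"user": 6, "group": 3, "class": 3, "other": 0}  # class uses the group field

PARENT_ACL = """\
# file: /a
user::rwx
group::rwx
class:rwx
other:rwx
default:user:beta:r--
default:user:gamma:r--
default:group:dos:---
default:group:tres:---
"""  # the /a listing from the page, owner/group comment lines omitted

def rwx(bits):
    return "".join(c if bits & m else "-" for c, m in zip("rwx", (4, 2, 1)))

def parse_defaults(getacl_text):
    """Default entries from getacl output, with the 'default:' prefix removed."""
    lines = (l.strip() for l in getacl_text.splitlines())
    return [l[len("default:"):] for l in lines if l.startswith("default:")]

def missing_default_base(getacl_text, umask):
    """Map each missing default base entry to the permissions it would derive."""
    defaults = parse_defaults(getacl_text)
    if not defaults:            # no default ACL at all: nothing to complete
        return {}
    return {k: rwx((~umask >> SHIFT[k]) & 7) for k, p in BASE.items()
            if not any(d.startswith(p) for d in defaults)}

def new_object_acl(getacl_text, umask, mode):
    """Actual (nondefault) entries a new object inherits from the parent."""
    defaults = parse_defaults(getacl_text)
    derived = missing_default_base(getacl_text, umask)
    acl = []
    for kind, prefix in BASE.items():
        if kind in derived:     # derived entry, limited by the creation mode
            acl.append(prefix + rwx(((mode & ~umask) >> SHIFT[kind]) & 7))
        # Entries that are present are copied as listed (a simplification).
        acl += [d for d in defaults if d.startswith(kind + ":")]
    return acl

if __name__ == "__main__":
    print(missing_default_base(PARENT_ACL, 0o000))  # permissive umask: all rwx
    print("\n".join(new_object_acl(PARENT_ACL, 0o022, 0o666)))
```

With a umask of 000 every missing default base entry derives rwx, which is why the guide recommends supplying all of them explicitly.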