Open System Services Programmer's Guide

default:group:dos:---
default:group:tres:---
Access Check Algorithm
To determine the permissions granted to an accessing process, the operating system checks for
matching IDs in the following order:
1. If the EUID of the process is the same as the owner of the file, grant the permissions specified
in the user:: entry of the ACL. Otherwise, continue to the next check.
2. If the EUID matches the UID specified in one of the additional user:uid: ACL entries, grant
the permissions specified in that entry bitwise-ANDed with the permissions specified in the
class entry. Otherwise, continue to the next check.
3. If the EGID or a supplementary GID of the process matches the owning GID of the file or one
of the GIDs specified in any additional group:gid: ACL entries, grant the permissions
specified in the class entry bitwise-ANDed with the result of bitwise-ORing together all of
the permissions in all matching group entries. Otherwise, continue to the next check.
4. Grant the permissions specified in the other: ACL entry.
Because the checks are performed in this order and the ID match checking stops when a match is
found, you can use optional user or group ACL entries with restrictive permissions to deny access
to certain users or groups.
If the EGID, the supplementary GIDs of the process, or both match the GIDs of multiple group ACL
entries for a file, the process is granted the permissions of all of the matching group entries, restricted
by the permissions in the class entry. For example, assume that the effective user ID for a process
represents the user beta, and the group IDs for that process represent group membership only in
the dos and tres groups. In this example, that process is allowed to open the file /a/file with
read/write access, because the group:dos: entry granted read access, the group:tres: entry
granted write access, and the class: entry allowed read and write access.
# file: /a/file
# owner: creator_uid
# group: creator_gid
user::rw-
group::rw-
group:dos:r--
group:tres:-w-
class:rw-
other:r--
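The four ordered checks can be modeled in C, as in the following added example, which is not code from this guide and does not call acl( ). The struct layouts, the numeric IDs, the choice of dos as the EGID of beta, and the user:gamma:--- deny entry added to the /a/file ACL are assumptions made for illustration; a class entry is assumed to be present.

```c
#include <stddef.h>

enum { PERM_R = 4, PERM_W = 2, PERM_X = 1 };        /* rwx bits as shown on the page */
enum tag { USER_OBJ, USER, GROUP_OBJ, GROUP, CLASS_OBJ, OTHER_OBJ };
struct entry { enum tag tag; int id; int perms; };  /* hypothetical, not the acl( ) layout */
struct proc  { int euid, egid; const int *sgids; size_t nsgids; };

/* Constructed numeric IDs; the page gives only names. */
enum { UID_CREATOR = 100, UID_BETA = 201, UID_GAMMA = 202,
       GID_CREATOR = 10, GID_DOS = 20, GID_TRES = 30 };

/* /a/file from the page, plus a constructed user:gamma:--- deny entry. */
static const struct entry a_file[] = {
    { USER_OBJ, UID_CREATOR, PERM_R | PERM_W }, { USER, UID_GAMMA, 0 },
    { GROUP_OBJ, GID_CREATOR, PERM_R | PERM_W },
    { GROUP, GID_DOS, PERM_R }, { GROUP, GID_TRES, PERM_W },
    { CLASS_OBJ, 0, PERM_R | PERM_W }, { OTHER_OBJ, 0, PERM_R },
};
static const size_t a_file_n = sizeof a_file / sizeof a_file[0];

static int in_groups(const struct proc *p, int gid) {
    if (p->egid == gid) return 1;
    for (size_t i = 0; i < p->nsgids; i++)
        if (p->sgids[i] == gid) return 1;
    return 0;
}

/* Returns the rwx bits granted to p by the four ordered checks. */
int acl_granted(const struct entry *acl, size_t n, const struct proc *p) {
    int cls = 0, other = 0, grp = 0, grp_hit = 0;
    for (size_t i = 0; i < n; i++) {                /* locate class and other */
        if (acl[i].tag == CLASS_OBJ) cls = acl[i].perms;
        if (acl[i].tag == OTHER_OBJ) other = acl[i].perms;
    }
    for (size_t i = 0; i < n; i++)                  /* check 1: owner, no class mask */
        if (acl[i].tag == USER_OBJ && acl[i].id == p->euid) return acl[i].perms;
    for (size_t i = 0; i < n; i++)                  /* check 2: named user AND class */
        if (acl[i].tag == USER && acl[i].id == p->euid) return acl[i].perms & cls;
    for (size_t i = 0; i < n; i++)                  /* check 3: OR every matching group */
        if ((acl[i].tag == GROUP_OBJ || acl[i].tag == GROUP) && in_groups(p, acl[i].id)) {
            grp |= acl[i].perms; grp_hit = 1;
        }
    return grp_hit ? (grp & cls) : other;           /* check 4: other, no class mask */
}

/* Wrapper: a process with one supplementary GID, checked against a_file. */
int granted_on_a_file(int euid, int egid, int sgid) {
    struct proc p = { euid, egid, &sgid, 1 };
    return acl_granted(a_file, a_file_n, &p);
}
```

With these inputs, beta (in dos and tres) receives read and write, while gamma, a member of the same two groups, receives nothing because the match on the user entry ends the search before any group entry is considered.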
ACL Operations Supported
The acl( ) system call sets, retrieves, or counts ACLs.
The setacl command sets or modifies ACLs.
The getacl command retrieves ACLs.
The -acl option of the find command locates files with certain ACL properties.
The cp, cpio -p, mv, and pax -rw commands copy ACLs with the source files to the
destination files.
The Backup and Restore 2 utility backs up ACLs with the files on tape and restores ACLs with
the files back to disk.
ACL Interaction with stat()
The st_mode field summarizes the access rights to the file. It differs from file permission bits only
if the file has one or more optional ACL entries. If one or more optional ACL entries are present in
the ACL of the file, the permissions specified in the class entry of the ACL are returned as the
permissions for group in the st_mode field. Because of this behavior, programs that use the stat(
266 Managing OSS Security