Open System Services System Calls Reference Manual (G06.28+, H06.05+)
acl(5) OSS System Calls Reference Manual
other:rwx
default:user:beta:r--
default:user:gamma:r--
default:group:dos:---
default:group:tres:---
In this example, the ACL for a new file created in the directory /a includes the default ACL
entries for directory /a as actual (nondefault) ACL entries:
# file: /a/newfile
# owner: creator_uid
# group: creator_gid
user::rw-
user:beta:r--
user:gamma:r--
group::r--
group:dos:---
group:tres:---
class:r--
other:r--
In this example, a new directory, dir, is created in the /a directory. The default ACL entries of the
parent directory, /a, are added to the ACL of the new subdirectory twice, first as actual (nondefault)
ACL entries and second as the default ACL entries. This behavior ensures that default
ACLs propagate downward as trees of directories are created. This example shows the ACL of
the new directory, dir:
# file: /a/dir
# owner: creator_uid
# group: creator_gid
user::rwx
user:beta:r--
user:gamma:r--
group::r-x
group:dos:---
group:tres:---
class:r-x
other:r-x
default:user:beta:r--
default:user:gamma:r--
default:group:dos:---
default:group:tres:---
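The inheritance rule from the two examples above, modeled as an added Python example (not HP code and not an OSS API). The base entries (user::, group::, class, other) are copied from the listings rather than computed, the function names are hypothetical, and the /a/dir/deepfile case is constructed to show propagation one level further down.

```python
# Added example, not HP code: models the default-ACL inheritance shown above.
TAG_ORDER = ["user", "group", "class", "other"]

# Default entries of directory /a, copied from the listing above.
PARENT = ("default:user:beta:r-- default:user:gamma:r-- "
          "default:group:dos:--- default:group:tres:---")
# Base entries of the new objects, copied from the listings above (not computed).
FILE_BASE = "user::rw- group::r-- class:r-- other:r--"
DIR_BASE = "user::rwx group::r-x class:r-x other:r-x"

def parse_acl(text):
    """Parse whitespace-separated entries into (is_default, tag, qualifier, perms)."""
    entries = []
    for item in text.split():
        parts = item.split(":")
        is_default = parts[0] == "default"
        if is_default:
            parts = parts[1:]
        qualifier = parts[1] if len(parts) == 3 else ""
        entries.append((is_default, parts[0], qualifier, parts[-1]))
    return entries

def inherit(parent, base, is_dir):
    """ACL of a new object: its base entries plus the parent's default entries
    as actual entries; a directory also keeps them as its own defaults."""
    defaults = [e for e in parent if e[0]]
    acl = list(base) + [(False,) + e[1:] for e in defaults]
    if is_dir:
        acl += defaults
    return sorted(acl, key=lambda e: (e[0], TAG_ORDER.index(e[1]), e[2]))

def format_acl(acl):
    """Render entries back into listing lines, in the order the page uses."""
    lines = []
    for is_default, tag, qual, perms in acl:
        body = f"{tag}:{qual}:{perms}" if tag in ("user", "group") else f"{tag}:{perms}"
        lines.append(("default:" if is_default else "") + body)
    return lines

def create(parent_acl, base_text, is_dir):
    """Parse the base entries and apply inheritance from parent_acl."""
    return inherit(parent_acl, parse_acl(base_text), is_dir)

NEWFILE = create(parse_acl(PARENT), FILE_BASE, is_dir=False)   # /a/newfile
NEWDIR = create(parse_acl(PARENT), DIR_BASE, is_dir=True)      # /a/dir
# Constructed case: a file one level further down, /a/dir/deepfile.
DEEPFILE = create(NEWDIR, FILE_BASE, is_dir=False)

if __name__ == "__main__":
    for name, acl in (("/a/newfile", NEWFILE), ("/a/dir", NEWDIR), ("/a/dir/deepfile", DEEPFILE)):
        print(f"# file: {name}", *format_acl(acl), sep="\n")
```

The deepfile result is identical to /a/newfile, so a restrictive default entry such as group:dos:--- set on /a still reaches files created in subdirectories made after it.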
Access Check Algorithm
To determine the permissions granted to an accessing process, the operating system checks for
matching IDs in the following order:
1. If the EUID of the process is the same as the owner of the file, grant the permissions
specified in the user:: entry of the ACL. Otherwise, continue to the next check.
2. If the EUID matches the UID specified in one of the additional user:uid: ACL entries,
grant the permissions specified in that entry bitwise-ANDed with the permissions
specified in the class entry. Otherwise, continue to the next check.
3. If the EGID or a supplementary GID of the process matches the owning GID of the file or
one of the GIDs specified in any additional group:gid: ACL entries, grant the
12−8 Hewlett-Packard Company 527186-007