Open System Services System Calls Reference Manual (G06.29+, H06.08+, J06.03+)
Miscellaneous acl(5)
— The default value for the NFSPERMMAP attribute, DISABLED, specifies that
all attempts by NFS clients to access OSS objects protected by ACLs that con-
tain optional ACL entries are denied. This behavior matches the behavior for
J06.08 and earlier J-series RVUs, H06.19 and earlier H-series RVUs, and G-
series RVUs.
For more information about NFS and ACLs, see "OSS Network File System (NFS) and
ACLs" later in this reference page.
Definitions
Control of access to data is a key concern of computer security. These definitions, based on the
Department of Defense Tr usted Computer System Evaluation Criteria, explain the concepts of
access control and its relevance to OSS security features:
access A specific type of interaction between a subject and an object that results in the
flow of information from one to the other. Subjects include persons, processes,
or devices that cause information to flow among objects or change the system
state. Objects include files (ordinary files, directories, special files, FIFOs, and so
on) and IPC features (shared memory, message queues, semaphores, and sock-
ets).
access control list (ACL)
An access control list is a set of user.group, mode entries associated with a file
that specifies permissions for all possible combinations of user IDs and group
IDs.
access control list (ACL) entry
An entry in an ACL that specifies access rights for a file owner, owning group,
group class, additional user, additional group, or all others.
change permission
The right to alter DAC information (permission bits or ACL entries). Change
permission is granted to object (file) owners and to privileged users.
discretionary access control (DAC)
A means of restricting access to objects based on the identity of subjects, groups
to which they belong, or both. The controls are discretionary because a subject
with a certain access permission is able to pass that permission (perhaps
indirectly) to any other subject.
mode Three bits in each ACL entry that represent read, write, and execute or search
permissions.
privilege The ability to ignore access restrictions and change restrictions imposed by secu-
rity policy and implemented in an access control mechanism. In OSS, the super
ID is the only user ID that can ignore access restrictions. However, the super ID
and any member of the Safeguard SECURITY-OSS-ADMINISTRATOR secu-
rity group can change the ownership and access permissions (standard UNIX
permissions or ACL entries) of a file.
Access Control List Entries
An ACL consists of a set of one-line entries that specify permissions for a file. Each entry
specifies for one user-ID or group-ID a set of access permissions, including read, write, and
execute/search.
To understand the relationship between access control lists and traditional file permissions, con-
sider the following file and its permissions:
527186-023 Hewlett-Packard Company 12−3