Open System Services System Calls Reference Manual (G06.29+, H06.08+, J06.03+)
Miscellaneous acl(5)
user:gamma:r--
group::r-x
group:dos:---
group:tres:---
class:r-x
other:r-x
default:user:beta:r--
default:user:gamma:r--
default:group:dos:---
default:group:tres:---
Access Check Algorithm
To determine the permissions granted to an accessing process, the operating system checks for
matching IDs in the following order:
1. If the EUID of the process is the same as the owner of the file, grant the permissions
specified in the user:: entry of the ACL. Otherwise, continue to the next check.
2. If the EUID matches the UID specified in one of the additional user:uid: ACL entries,
grant the permissions specified in that entry bitwise-ANDed with the permissions
specified in the class entry. Otherwise, continue to the next check.
3. If the EGID or a supplementary GID of the process matches the owning GID of the file or
one of the GIDs specified in any additional group:gid: ACL entries, grant the permissions
specified in the class entry bitwise-ANDed with the result of bitwise-ORing together all
of the permissions in all matching group entries. Otherwise, continue to the next check.
4. Grant the permissions specified in the other: ACL entry.
Because the checks are performed in this order and the ID match checking stops when a match is
found, you can use optional user or group ACL entries with restrictive permissions to deny
access to certain users or groups.
If the EGID, the supplementary GIDs of the process, or both match the GIDs of multiple group
ACL entries for a file, the process is granted the permissions of all of the matching group entries,
restricted by the permissions in the class entry. For example, assume that the effective user ID for
a process represents the user beta, and the group IDs for that process represent group membership
only in the dos and tres groups. In this example, that process is allowed to open the file
/a/file with read/write access, because the group:dos: entry granted read access, the group:tres:
entry granted write access, and the class: entry allowed read and write access.
# file: /a/file
# owner: creator_uid
# group: creator_gid
user::rw-
group::rw-
group:dos:r--
group:tres:-w-
class:rw-
other:r--
527186-023 Hewlett-Packard Company 12−9