Open System Services System Calls Reference Manual (G06.29+, H06.08+, J06.03+)
acl(5) OSS System Calls Reference Manual
ACL Operations Supported
• The acl( ) system call sets, retrieves, or counts ACLs.
• The setacl command sets or modifies ACLs.
• The getacl command retrieves ACLs.
• The -acl option of the find command locates files with certain ACL properties.
• The cp, cpio -p, mv, and pax -rw commands copy ACLs with the source files to the
destination files.
• The Backup and Restore 2 utility backs up ACLs with the files on tape and restores
ACLs with the files back to disk.
ACL Interaction with stat(), chmod(), and chown()
stat() The st_mode field summarizes the access rights to the file. It differs from file
permission bits only if the file has one or more optional ACL entries. If one or more
optional ACL entries are present in the ACL of the file, the permissions specified
in the class entry of the ACL are returned as the permissions for group in the
st_mode field. Because of this behavior, programs that use the stat() or chmod()
functions and are ignorant of ACLs are more likely to produce expected results.
The st_acl field indicates the presence of optional ACL entries in the ACL for
the file. The st_basemode field provides the owning user permissions, owning
group permissions, and other permissions for the file.
chmod() Using the chmod() function to set the group permission bits affects the class:
entry for the file, which in turn affects the permissions granted by additional
user:uid: and group:gid: entries. In particular, using chmod() to set file
permission bits to all zeros removes all access to the file, regardless of permissions
granted by any additional user:uid: or group:gid: entries. If the chmod()
function is used on an object that does not have optional ACL entries, both the class
ACL entry and the owning group ACL entry permission bits are changed to the
new group permissions value.
chown() If you use the chown() function to change the owner or owning group of a file to
a user ID or group ID that has an existing user:uid: or group:gid: entry in the
ACL for the file, those existing entries are not removed from the ACL. However,
those existing entries no longer have any effect, because the user:: or group::
entries take precedence.
OSS Network File System (NFS) and ACLs
For J06.09 and later J-series RVUs and H06.20 and later H-series RVUs, access by the OSS
Network File System (NFS) to OSS objects protected by ACLs that contain optional ACL entries can
be allowed, depending upon the NFSPERMMAP attribute value for the fileset that contains the
object.
The NFSPERMMAP attribute is an attribute of the OSS fileset and is set using Subsystem
Control Facility (SCF) commands. For information about OSS SCF commands, see the Open System
Services Management and Operations Guide.
NFS Version 2 (NFS V2) clients make their own access decisions based on their interpretation of
the permissions bits of the object. Because NFS Version 2 does not support ACLs, the ACL
entries must be mapped to the nine basic permissions bits (rwxrwxrwx) used for objects in NFS.
An object that is protected by an ACL cannot reflect the correct access for all users in these nine
permission bits. It may be that access that would be granted by the mapped permission bits is
actually denied explicitly by the ACL. It may also be that access that seems to be denied by the
mapped permission bits is, in fact, granted explicitly by the ACL.
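The stat(), chmod(), and chown() interactions and the NFS V2 mismatch described above can be checked with a small model. This is an added example, not code from the manual or from HP. It assumes an evaluation order of owner, user:uid:, group entries, other; that class also limits group::; and that the nine mapped bits equal the st_mode summary. The dictionary layout and the sample IDs are constructed for illustration.

```python
# Added example: simplified model of the ACL rules above, not HP's code.
# Assumed: check order owner, user:uid:, groups, other; class also limits group::.

def st_mode(acl):
    """Nine bits as stat() reports them; class stands in for group
    when optional (user:uid: / group:gid:) entries exist."""
    optional = acl["users"] or acl["groups"]
    grp = acl["class"] if optional else acl["group"]
    return (acl["user"] << 6) | (grp << 3) | acl["other"]

def acl_access(acl, uid, gids):
    """rwx bits (4/2/1) the ACL itself grants to uid with group set gids."""
    if uid == acl["owner"]:
        return acl["user"]                        # user:: takes precedence
    if uid in acl["users"]:
        return acl["users"][uid] & acl["class"]   # class limits user:uid:
    hits = [acl["group"]] if acl["owning_group"] in gids else []
    hits += [p for g, p in acl["groups"].items() if g in gids]
    if hits:
        perms = 0
        for p in hits:
            perms |= p
        return perms & acl["class"]               # class limits group entries
    return acl["other"]

def nine_bit_access(acl, uid, gids):
    """What an ACL-unaware client (such as NFS V2) infers from st_mode."""
    mode = st_mode(acl)
    if uid == acl["owner"]:
        return (mode >> 6) & 7
    return (mode >> 3) & 7 if acl["owning_group"] in gids else mode & 7

def chmod(acl, mode):
    """Group bits go to class:, and to group:: only without optional entries."""
    acl["user"], acl["class"], acl["other"] = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    if not (acl["users"] or acl["groups"]):
        acl["group"] = acl["class"]

def sample_acl():
    # Constructed ACL: user::rw-, group::r--, class:rw-, other:---,
    # user:200:rw-, user:300:---, group:20:r--
    return {"owner": 100, "owning_group": 10, "user": 6, "group": 4,
            "class": 6, "other": 0, "users": {200: 6, 300: 0}, "groups": {20: 4}}

if __name__ == "__main__":
    acl = sample_acl()
    for uid, gids in [(200, {30}), (300, {10})]:
        print(uid, "ACL:", acl_access(acl, uid, gids),
              "nine bits:", nine_bit_access(acl, uid, gids))
```

In the sample, user 200 is granted rw- by the ACL while the nine bits show no access, and user 300 is denied by the ACL while the nine bits show rw- through the group position, which is the pair of cases worth auditing before exposing a fileset to NFS V2 clients.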
12−10 Hewlett-Packard Company 527186-023