Security Management Guide (G06.24+, H06.03+)
OSS System Security
Security Management Guide—522283-008
4-5
Access Control Lists
An ACL entry prefixed with d: or default: can only occur in a directory's ACL. The
prefix indicates that the remainder of the entry is not used in determining access
rights to the directory itself; instead, it is applied to any files or subdirectories
created in the directory.
The uid and gid fields contain either numeric user or group IDs, or their corresponding
character strings from the system's user authentication database and group database.
The perm field indicates access permission either in symbolic form, as a combination
of r, w, x and -, or in numeric form, as an octal value of 0 through 7 representing the
sum of 2 for read permission, 4 for write permission, and 1 for execute permission.
Base ACL Entries
When a file is created, four base access control list entries are mapped from the file's
access permission bits to match a file's owner and group, and its traditional permission
bits. This is known as a ''minimal ACL''. Base ACL entries can be changed by the
chmod(2) and acl(2) system calls.
u::perm    Base ACL entry for the file's owner
g::perm    Base ACL entry for the file's group
c::perm    Base ACL entry for the file's group class
o::perm    Base ACL entry for others
When an ACL is minimal, that is, it has no optional ACL entries, then the group and
class permissions are exactly equal.
Optional ACL Entries
Optional access control list entries contain additional access control information, which
the user can set with the acl(2) system call to further allow or deny access to the file. In
OSS, up to 146 optional ACL entries can be specified.
Class Entries
When optional ACL entries are present, the class entry specifies the maximum permissions
that can be granted by any of the additional user and group entries. If a particular
permission is not granted in the class entry, then it cannot be granted by any ACL
entry (except for the first user [owner] entry and the other entry). Any permission can
be denied to a particular user or group. The class entry acts as an upper bound for file
permissions.
If there are optional entries in the ACL, the class entry will no longer necessarily equal
the value of the permission for the owning group as reported by ls -l. This feature is
useful because it means that the chmod(1) command can usefully affect the
permissions of a file that has additional ACL entries.
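The following is an added example, not code from this guide or from OSS itself, that models the rules in the Base ACL Entries, Optional ACL Entries and Class Entries sections above: the entry syntax (u:, g:, c:, o: tags, the d:/default: prefix, symbolic perm) follows the guide, while the lookup order (owner, named user, owning and named groups, other), the function names parse_acl, effective_perms and is_minimal, and the sample entries are assumptions made for illustration. It shows the class entry capping every entry except the owner and other entries, and default entries being separated out for inheritance by new files.

```python
# Added example: model of OSS-style ACL entries and the class (c::) upper bound.
# Permissions are kept as sets of the letters r, w, x so that no numeric mapping
# is assumed. Evaluation order is modelled on POSIX-style ACLs (an assumption).

def parse_perm(s):
    """'rw-' -> frozenset({'r', 'w'}); '-' placeholders are ignored."""
    return frozenset(c for c in s if c in "rwx")

def parse_acl(text):
    """Parse comma-separated entries such as 'u::rw-,g::r--,c::r--,o::---,u:alice:rwx,d:u::rwx'.
    Returns (access_entries, default_entries); each entry is (tag, qualifier, perms).
    Entries prefixed with d: or default: go to the default list (directories only)."""
    access, default = [], []
    for raw in text.split(","):
        fields = raw.strip().split(":")
        target = access
        if fields[0] in ("d", "default"):   # prefix applies the entry to new files only
            fields, target = fields[1:], default
        tag, qual, perm = fields
        target.append((tag, qual, parse_perm(perm)))
    return access, default

def is_minimal(access):
    """A minimal ACL has only the four base entries (u::, g::, c::, o::), no optional ones."""
    return all(qual == "" for _, qual, _ in access)

def effective_perms(access, user, groups, owner, owning_group):
    """Permissions 'user' (member of 'groups') obtains from an access ACL.
    The class entry caps every entry except the owner's base entry and the other entry."""
    def entry(tag, qual):
        return next((p for t, q, p in access if t == tag and q == qual), frozenset())
    cls = entry("c", "")
    if user == owner:                       # first user entry: not capped by class
        return entry("u", "")
    if any(t == "u" and q == user for t, q, _ in access):
        return entry("u", user) & cls       # named user entry: capped by class
    granted, matched = set(), False
    if owning_group in groups:              # owning group base entry: capped by class
        granted |= entry("g", ""); matched = True
    for t, q, p in access:                  # named group entries: capped by class
        if t == "g" and q and q in groups:
            granted |= p; matched = True
    if matched:
        return frozenset(granted) & cls
    return entry("o", "")                   # other entry: not capped by class

# Constructed sample: a directory ACL with optional entries and two default entries.
SAMPLE = "u::rw-,g::r--,c::r--,o::---,u:alice:rwx,g:staff:rw-,d:u::rwx,d:g::r--"
```

Because alice's optional entry grants rwx but the class entry only grants r, alice effectively gets read access only; tightening or loosening the class entry, as chmod(1) does on a file with optional entries, changes what every optional entry can deliver.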