Access control list example and description

Edit online

The following is an example and description of access control lists (ACLs).

The following is an example of an ACL:

attributes: SUID
base permissions:
      owner(frank):  rw-
      group(system): r-x
      others: ---
extended permissions:
      enabled
        permit  rw-  u:dhs
        deny    r--  u:chas, g:system
        specify r--  u:john, g:gateway, g:mail
        permit  rw-  g:account, g:finance

The parts of the ACL and their meanings are the following:

  • The first line indicates that the setuid bit is turned on.
  • The next line, which introduces the base permissions, is optional.
  • The next three lines specify the base permissions. The owner and group names in parentheses are for information only. Changing these names does not alter the file owner or file group. Only the chown command and the chgrp command can change these file attributes.
  • The next line, which introduces the extended permissions, is optional.
  • The next line indicates that the extended permissions that follow are enabled.
  • The last four lines are the extended entries. The first extended entry grants user dhs read (r) and write (w) permission on the file.
  • The second extended entry denies read (r) access to user chas only when he is a member of the system group.
  • The third extended entry specifies that as long as user john is a member of both the gateway group and the mail group, has read (r) access. If user john is not a member of both groups, this extended permission does not apply.
  • The last extended entry grants any user in both the account group and the finance group read (r) and write (w) permission.
    Note: More than one extended entry can be applied to a process, with restrictive modes taking precedence over permissive modes.

    See the acledit command for the complete syntax.