Access control list example and description
The following is an example and description of access control lists (ACLs).
The following is an example of an ACL:
attributes: SUID
base permissions:
    owner(frank): rw-
    group(system): r-x
    others: ---
extended permissions:
    enabled
    permit rw- u:dhs
    deny r-- u:chas, g:system
    specify r-- u:john, g:gateway, g:mail
    permit rw- g:account, g:finance
The parts of the ACL and their meanings are the following:
- The first line indicates that the setuid bit is turned on.
- The next line, which introduces the base permissions, is optional.
- The next three lines specify the base permissions. The owner and group names in parentheses are for information only. Changing these names does not alter the file owner or file group. Only the chown command and the chgrp command can change these file attributes.
- The next line, which introduces the extended permissions, is optional.
- The next line indicates that the extended permissions that follow are enabled.
- The last four lines are the extended entries. The first extended entry grants user dhs read (r) and write (w) permission on the file.
- The second extended entry denies read (r) access to user chas only when he is a member of the system group.
- The third extended entry specifies that as long as user john is a member of both the gateway group and the mail group, he has read (r) access. If user john is not a member of both groups, this extended permission does not apply.
- The last extended entry grants any user in both the account group and the finance group read (r) and write (w) permission.
Note: More than one extended entry can be applied to a process, with restrictive modes taking precedence over permissive modes.
See the acledit command for the complete syntax.