-----------------------------------------------------------------------
This is basically a stripped down version of various manpages:
    credentials(7)
    ACL(5)
tools: ls, stat, getfacl, setfacl, chmod, umask, mkdir, mkfifo, mknod, mount
-----------------------------------------------------------------------
memo
  - file mode creation mask
  - ACL permission bits
  - sticky bit (t)
-----------------------------------------------------------------------
"classic" UNIX ACL:
  Subjects:    user (owner), group, others
  Permissions: read, write, execute

limitations .. many
  - `sudo` won't work, as the plain rwx model has no `SETUID` bit
-----------------------------------------------------------------------
ACL Entry Form: (type, qualifier, permissions)

POSIX ACL entry types (Subjects)
  ACL_USER_OBJ   rights for the file owner
  ACL_USER       rights for the user identified by the entry's qualifier
  ACL_GROUP_OBJ  rights for the file group
  ACL_GROUP      rights for the group identified by the entry's qualifier
  ACL_MASK       maximum rights that can be granted by ACL_USER,
                 ACL_GROUP_OBJ or ACL_GROUP entries
  ACL_OTHER      rights for processes that do not match any entry above

Constraints: a valid ACL contains exactly
  - one ACL_USER_OBJ (owner) entry
  - one ACL_GROUP_OBJ (group) entry
  - one ACL_OTHER (others) entry
ACL_USER and ACL_GROUP entries can appear zero or more times.
The user IDs of ACL_USER entries must be unique, and so must the group IDs
of ACL_GROUP entries.
ACL_MASK is optional if the ACL contains no ACL_USER or ACL_GROUP entries
(and required otherwise).

Mapping between ACL entries and the classic permission bits
  Owner  -> ACL_USER_OBJ
  Group  -> ACL_GROUP_OBJ, or ACL_MASK if a mask entry is present
  Others -> ACL_OTHER

Default ACLs: see ACL(5)
-----------------------------------------------------------------------
Access Check

A process may request read, write, or execute/search access to a file
object protected by an ACL. The access check algorithm determines whether
access to the object will be granted.

1. If the effective user ID of the process matches the user ID of the file
   object owner, then
     if the ACL_USER_OBJ entry contains the requested permissions, access
     is granted,
     else access is denied.

2. else if the effective user ID of the process matches the qualifier of
   any entry of type ACL_USER, then
     if the matching ACL_USER entry and the ACL_MASK entry contain the
     requested permissions, access is granted,
     else access is denied.

3. else if the effective group ID or any of the supplementary group IDs of
   the process match the file group or the qualifier of any entry of type
   ACL_GROUP, then
     if the ACL contains an ACL_MASK entry, then
       if the ACL_MASK entry and any of the matching ACL_GROUP_OBJ or
       ACL_GROUP entries contain the requested permissions, access is
       granted,
       else access is denied.
     else (note that there can be no ACL_GROUP entries without an
     ACL_MASK entry)
       if the ACL_GROUP_OBJ entry contains the requested permissions,
       access is granted,
       else access is denied.

4. else if the ACL_OTHER entry contains the requested permissions, access
   is granted.

5. else access is denied.
-----------------------------------------------------------------------
execute-bit on directory

e.g.
  drw- r-- r--  shrik3:shrik3  test/
  rw-  r-- r--  shrik3:shrik3  |_ hello.txt
  rwx  r-x r-x  shrik3:shrik3  |_ meow

unsetting the x bit on the directory effectively
-----------------------------------------------------------------------
POSIX ACL : masks
-----------------------------------------------------------------------
POSIX ACL : setuid bit
-----------------------------------------------------------------------
CAVEAT: privileged users (including the owner) can modify the ACL
regardless of the permissions it currently grants
-----------------------------------------------------------------------
Terms: effective {group, user} ID

POSIX APIs
  real:               {get,set}uid    {get,set}gid
  effective:          {get,set}euid   {get,set}egid
  real-and-effective: {get,set}reuid  {get,set}regid
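The access-check algorithm from the Access Check section above, as an added example (not part of the original notes): it parses a constructed getfacl-style ACL (numeric qualifiers assumed, not names) and runs the five steps in memory, so the ACL_MASK and group-class rules can be exercised without a real filesystem.

```python
# Added example: ACL(5) access check over a constructed in-memory ACL.
# Constructed sample ACL in getfacl's long text form (numeric ids assumed).
SAMPLE_ACL = """\
user::rw-
user:1001:rwx
group::r-x
group:200:rw-
mask::r--
other::---
"""

def parse_acl(text):
    """Map getfacl lines to (type, qualifier, perms) triples."""
    entries = []
    for line in text.splitlines():
        tag, qual, perms = line.split(":")
        if tag in ("user", "group"):
            etype = tag.upper() + ("" if qual else "_OBJ")  # USER vs USER_OBJ
        else:
            etype = tag.upper()                              # MASK or OTHER
        entries.append((etype, int(qual) if qual else None, set(perms) - {"-"}))
    return entries

def check_access(acl, owner_uid, owner_gid, euid, gids, wanted):
    """True if a process (euid, effective + supplementary gids) may perform
    `wanted` (a subset of 'rwx') on an object owned by owner_uid:owner_gid."""
    want = set(wanted)
    by_type = {}
    for etype, qual, perms in acl:
        by_type.setdefault(etype, []).append((qual, perms))
    grants = lambda entry: want <= entry[1]
    mask = by_type.get("MASK", [None])[0]
    if euid == owner_uid:                                   # step 1: owner
        return grants(by_type["USER_OBJ"][0])
    for entry in by_type.get("USER", []):                   # step 2: named user
        if entry[0] == euid:                                # a valid ACL has a MASK here
            return grants(entry) and grants(mask)
    matches = [by_type["GROUP_OBJ"][0]] if owner_gid in gids else []
    matches += [e for e in by_type.get("GROUP", []) if e[0] in gids]
    if matches:                                             # step 3: group class
        if mask is not None:
            return grants(mask) and any(grants(e) for e in matches)
        return grants(matches[0])      # only GROUP_OBJ can match without a MASK
    return grants(by_type["OTHER"][0])                      # steps 4 and 5

ACL = parse_acl(SAMPLE_ACL)
```

Note that the named user 1001 holds rwx in its own entry but is still denied write and execute because the mask caps the group class at r--.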