BSD DevCenter
Using FreeBSD's ACLs

Understanding ACL Masks

Look again at the bottom portion of Figure 2. Here, you can view the users and groups on the system. Double-clicking on the user rob will add two items to the top portion, or Access Control List, of the screen as shown in Figure 6.

Figure 6. Adding to a user's ACL

Note: Future versions of eiciel will include a check box to exclude system accounts.

Notice that the entries for rob and mask have full rwx permissions, which is more than dru has as the owner of the file. What is happening here? By double-clicking on rob, I added an ACL, which I can verify with a long listing on my home directory:

% ls -l
drwx------  2 dru  dru   512 Jul 26 10:35 Desktop
-rw-r--r--  1 dru  dru     0 Jul 27  9:22 file1
-rw-r--r--  1 dru  dru     0 Jul 27  9:22 myfile
-rw-r--r--+ 1 dru  dru     0 Jul 27 10:03 test

See that + at the end of the permission set for test? That indicates that an ACL has been set on that file. I can view it with getfacl:

% getfacl test
#file:test
#owner:1001
#group:1001
user::rw-
user:rob:rwx
group::r--
mask::rwx
other::r--

That output is basically the text representation of Figure 6.

Why did rob get rwx, and what is this mask entry? By definition, an ACL mask determines the maximum allowable permissions. It's worth doing two things to make sure you understand that fully.

First, uncheck the execute permission from the rob entry. Note that I can give rob any combination of read, write, or execute that I desire. From the perspective of the person using this GUI, she can simply double-click on the user to add them, and uncheck the permissions she doesn't want the user to have.

What happens if you change that mask entry? Put rob back as rwx, but remove execute from mask. As soon as you do that, the execute permission next to rob, or any other user with execute, will display a red exclamation mark. The GUI also displays a message that a red exclamation mark means "an ineffective permission."

This makes sense if you go back to the definition of an ACL mask. Now the maximum allowable permission set is rw, meaning that anyone who appears to have execute really doesn't. While the GUI gives a nice visual, getfacl will also indicate the effective permissions:

% getfacl test
#file:test
#owner:1001
#group:1001
user::rw-
user:rob:rwx	# effective: rw-
group::r--
mask::rw-
other::r--
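
The rule behind that "# effective:" annotation can be written down and checked. The following is an added example, not code from the article or from eiciel: it parses the text form that getfacl prints and applies the mask the way POSIX.1e ACLs do, where the mask bounds named users, the owning group and named groups, while the file owner (user::) and other:: are never subject to it. The sample input is constructed to mirror the listing for the file test above; the function names are my own.

```python
"""Compute effective POSIX.1e ACL permissions from getfacl(1) text output.

Added example (not part of the original article). Names such as
parse_acl, effective_entries and ineffective are assumptions of this
example, not tools shipped with FreeBSD.
"""
from typing import List, Optional, Tuple

# Constructed sample: the ACL on "test" after the mask was reduced to rw-.
SAMPLE_GETFACL = """\
#file:test
#owner:1001
#group:1001
user::rw-
user:rob:rwx
group::r--
mask::rw-
other::r--
"""

PERM_VALUES = {"r": 4, "w": 2, "x": 1}   # same weights as the mode bits


def perm_bits(text: str) -> int:
    """Turn 'rwx'-style text (dashes for absent bits) into a 3-bit value."""
    bits = 0
    for ch in text:
        if ch in PERM_VALUES:
            bits |= PERM_VALUES[ch]
        elif ch != "-":
            raise ValueError(f"bad permission character {ch!r} in {text!r}")
    return bits


def bits_text(bits: int) -> str:
    """Inverse of perm_bits: 6 -> 'rw-'."""
    return "".join(ch if bits & val else "-" for ch, val in PERM_VALUES.items())


def parse_acl(text: str) -> List[Tuple[str, str, int]]:
    """Return (tag, qualifier, bits) for each entry line.

    Lines starting with '#' are the file/owner/group header; anything after
    a '#' on an entry line is a '# effective:' annotation and is dropped so
    that getfacl output can be fed back in unchanged.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perms = line.split(":", 2)
        entries.append((tag, qualifier, perm_bits(perms)))
    return entries


def effective_entries(entries: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, int]]:
    """Return (tag, qualifier, requested_bits, effective_bits) per entry.

    The mask applies to named users (user:NAME), the owning group (group::)
    and named groups (group:NAME).  The owner (user::) and other:: are not
    masked.  An ACL with no mask entry (a minimal ACL) masks nothing.
    """
    mask: Optional[int] = next((b for tag, _, b in entries if tag == "mask"), None)
    result = []
    for tag, qualifier, bits in entries:
        subject_to_mask = (tag == "user" and qualifier != "") or tag == "group"
        eff = bits & mask if (subject_to_mask and mask is not None) else bits
        result.append((tag, qualifier, bits, eff))
    return result


def ineffective(text: str) -> List[str]:
    """List entries whose effective rights are narrower than what they show."""
    return [f"{tag}:{q}" for tag, q, bits, eff in effective_entries(parse_acl(text))
            if bits != eff]


def render(text: str) -> str:
    """Re-emit the entries with a '# effective:' note where the mask bites."""
    lines = []
    for tag, q, bits, eff in effective_entries(parse_acl(text)):
        line = f"{tag}:{q}:{bits_text(bits)}"
        if eff != bits:
            line += f"\t# effective: {bits_text(eff)}"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_GETFACL))
    print("ineffective entries:", ineffective(SAMPLE_GETFACL))
```

Run against the sample, the only flagged entry is user:rob, exactly what the GUI's red exclamation mark and getfacl's "# effective: rw-" say; put the mask back to rwx and nothing is flagged. Note that the owner's own user:: entry is reported unchanged even when the mask is tighter, which is why dru keeps rw- on her file regardless of the mask.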
