Understanding ACL Masks
Look again at the bottom portion of Figure 2. Here, you can view the users and groups on the system. Double-clicking on the user rob adds two items to the top portion, or Access Control List, of the screen, as shown in Figure 6.
Figure 6. Adding to a user's ACL
Note: Future versions of eiciel will include a check box to exclude system accounts.
Notice that the entries for rob and mask both have full rwx permissions, which is more than dru has as the owner of the file. What is happening here? By double-clicking on rob, I added an ACL to the file, which I can verify with a long listing of the directory that holds it:

% ls -l
drwx------  2 dru  dru  512 Jul 26 10:35 Desktop
-rw-r--r--  1 dru  dru    0 Jul 27  9:22 file1
-rw-r--r--  1 dru  dru    0 Jul 27  9:22 myfile
-rw-r--r--+ 1 dru  dru    0 Jul 27 10:03 test
Notice the + at the end of the permission set for test: it indicates that an ACL has been set on that file. I can view the ACL with getfacl:

% getfacl test
#file:test
#owner:1001
#group:1001
user::rw-
user:rob:rwx
group::r--
mask::rwx
other::r--
That output is basically the text representation of Figure 6. Why does rob have rwx, and what is this mask entry? By definition, an ACL mask determines the maximum allowable permissions: it caps what named users (here rob), named groups, and the owning group can actually exercise. It does not apply to the owner (the user:: entry) or to other. Whenever one of the entries it governs is added or changed, the mask is by default recalculated as the union of their permissions (setfacl on FreeBSD only skips this when given -n), which is why the mask became rwx as soon as rob was added with rwx. It's worth doing two things to make sure you understand that fully.
First, uncheck the execute permission from the rob entry. Note that I can give rob any combination of read, write, or execute that I desire. From the perspective of the person using this GUI, she can simply double-click on a user to add that user, and uncheck the permissions she doesn't want the user to have.
What happens if you change that mask entry? Put rob back as rwx, but remove execute from mask. As soon as you do that, the execute permission next to rob, or next to any other user or group entry that has execute, will display a red exclamation mark. The GUI also displays a message explaining that a red exclamation mark means "an ineffective permission."
This makes sense if you go back to the definition of an ACL mask. Now the maximum allowable permission set is rw-, meaning that any named user, named group, or owning-group entry that appears to have execute really doesn't; the owner's and other's permissions are unaffected, because the mask never applies to them. While the GUI gives a nice visual, getfacl will also indicate the effective permissions:

% getfacl test
#file:test
#owner:1001
#group:1001
user::rw-
user:rob:rwx		# effective: rw-
group::r--
mask::rw-
other::r--
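To make the mask rule concrete, here is an added example (written for this page; it is not eiciel's or FreeBSD's code) that reads text in getfacl's output format, applies the mask the way the kernel does, and reports which granted bits are ineffective, which is exactly what the "# effective:" comment and eiciel's red exclamation mark show. The three sample ACLs are constructed for the example; the first two are copies of the getfacl output above, the third adds an owner with rwx and an owning group wider than the mask to show that only named users, named groups and the owning group are capped. It handles access ACL entries only (no default: entries).

```python
# Added example, not from the original article: apply a POSIX.1e ACL mask
# to getfacl-formatted text and report effective vs. ineffective permissions.
from __future__ import annotations

from dataclasses import dataclass

RWX = tuple(zip("rwx", (4, 2, 1)))


def bits_from_perms(perms: str) -> int:
    """'rw-' -> 6, 'r-x' -> 5, '---' -> 0."""
    return sum(bit for ch, bit in RWX if ch in perms)


def perms_from_bits(bits: int) -> str:
    """6 -> 'rw-'."""
    return "".join(ch if bits & bit else "-" for ch, bit in RWX)


@dataclass
class AclEntry:
    tag: str        # user | group | mask | other
    qualifier: str  # '' for owner, owning group, mask and other; else a name or id
    perms: str      # permissions as granted, before the mask is applied

    @property
    def key(self) -> str:
        return f"{self.tag}:{self.qualifier}"

    @property
    def masked(self) -> bool:
        """The mask caps named users, named groups and the owning group.
        It never touches the owner (user::), other::, or the mask itself."""
        if self.tag == "user":
            return self.qualifier != ""
        return self.tag == "group"


def parse_getfacl(text: str) -> list[AclEntry]:
    """Parse access-ACL lines from getfacl(1) output. '#file:' style headers and
    any '# effective:' comment are dropped so only the granted bits are read."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        entries.append(AclEntry(tag, qualifier, perms))
    return entries


def effective_perms(text: str) -> dict[str, str]:
    """Map 'tag:qualifier' -> the permissions actually enforced after masking."""
    entries = parse_getfacl(text)
    mask = next((e for e in entries if e.tag == "mask"), None)
    mask_bits = 7 if mask is None else bits_from_perms(mask.perms)
    return {
        e.key: perms_from_bits(bits_from_perms(e.perms) & mask_bits) if e.masked else e.perms
        for e in entries
    }


def ineffective_bits(text: str) -> dict[str, str]:
    """Entries whose granted permissions exceed the mask, with the bits they lose.
    These are the entries eiciel flags with the red exclamation mark."""
    eff = effective_perms(text)
    lost = {}
    for e in parse_getfacl(text):
        gone = bits_from_perms(e.perms) & ~bits_from_perms(eff[e.key])
        if gone:
            lost[e.key] = perms_from_bits(gone)
    return lost


def recalculated_mask(text: str) -> str:
    """The mask setfacl computes by default (FreeBSD: unless given -n): the union
    of every entry the mask governs. Adding user:rob:rwx is what made it rwx."""
    union = 0
    for e in parse_getfacl(text):
        if e.masked:
            union |= bits_from_perms(e.perms)
    return perms_from_bits(union)


# Constructed samples: the two listings from the article, plus one extra case.
SAMPLE_MASK_RWX = """#file:test
#owner:1001
#group:1001
user::rw-
user:rob:rwx
group::r--
mask::rwx
other::r--
"""
SAMPLE_MASK_RW = SAMPLE_MASK_RWX.replace("mask::rwx", "mask::rw-")
SAMPLE_WIDE_GROUP = """user::rwx
user:rob:rw-
group::rwx
mask::r--
other::---
"""

if __name__ == "__main__":
    for name, acl in (("mask rwx", SAMPLE_MASK_RWX), ("mask rw-", SAMPLE_MASK_RW),
                      ("mask r--", SAMPLE_WIDE_GROUP)):
        print(name, effective_perms(acl), "ineffective:", ineffective_bits(acl),
              "recalculated mask:", recalculated_mask(acl))
```

The practical caveat the recalculated_mask helper illustrates: the rw- mask you set by hand only lasts until the next ACL change. Any later setfacl run on the file (without -n on FreeBSD) recomputes the mask from the entries, and rob's execute bit silently becomes effective again; if the intent is that rob never executes the file, remove the bit from rob's own entry rather than relying on the mask.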