Using FreeBSD's ACLs
Adding a User to a Directory ACL
If I go back to folder properties and add rob, will he
have write access to folder/subfolder/ and folder/testfile?
Good for you if you answered no. This change to the directory ACL will affect only subdirectories or files created after the change.
I also have a choice when I add rob. If I just double-click on
rob, I give only rob access to the directory. In
other words, I change the first type of ACL. However, if I first check the
Default box and then double-click on rob, I change the second
type of access, or affect rob's permissions on the subdirectories
I create. I can actually add rob both ways. If the icon has a D
over it, it affects subdirectories; if it doesn't, it affects access only to
this directory.
For demonstration purposes, add both versions of rob and leave
them with the default rwx permissions. To see the effect, create
another test subdirectory and file:
% mkdir folder/subfolder2
% touch folder/testfile2
Figure 9 shows the effective ACLs. As expected, the default directory ACL,
represented by the rob icon with a D, inherited rwx
from the parent directory. Note that the access ACL, represented by the
rob icon without a D, shows that w is an
ineffective permission. In other words, because it represented access only to
the parent directory, it doesn't give rob any inherited
permissions on this subdirectory; therefore, rob is subject to the
same permissions as any other user on this subdirectory. However, you can
override this by checking the write box in the mask. If you do change the mask,
double-check the other users on your screen to make sure you don't
inadvertently give write access to a user who shouldn't have it.

Figure 9. Effective ACLs
Once the explanation of the permissions in folder/subfolder2 makes
sense to you, take a look at testfile2 as seen in Figure 10. Note that
there isn't any rob icon with a D. This is because files don't
inherit the default directory ACL. Because there isn't any current support for
a default access ACL, rob doesn't inherit any permissions at all
from either the directory or subdirectory and is subject to the same
permissions as any other user. Again, the way to modify this is to modify the
mask (remember, it represents the maximum possible permissions) and
double-check that the new mask value doesn't give other users more permissions
than you intend.

Figure 10. Files and the default directory ACL
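
The mask double-check recommended above for both the subdirectory and the file, as an added example that is not part of the original article: it parses getfacl-style text and lists the entries that would gain effective write access under a proposed mask. The sample ACL, the guest user and the staff group are constructed for illustration; the rule applied is the POSIX.1e one, where the mask limits named users, the owning group and named groups.

```python
# Added example: preview which ACL entries gain write if the mask is changed.
def parse_acl(text):
    """Parse getfacl-style text into (tag, qualifier, perms) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop "# file:" / "# effective:" comments
        if line:
            tag, qualifier, perms = line.split(":")[:3]
            entries.append((tag, qualifier, perms))
    return entries

def effective(tag, qualifier, perms, mask):
    """Apply the mask to an entry; owner, other and the mask itself pass through."""
    if tag in ("mask", "other") or (tag == "user" and not qualifier):
        return perms  # the file owner and other are never filtered by the mask
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def newly_writable(text, new_mask):
    """Return the entries that gain effective write when the mask becomes new_mask."""
    entries = parse_acl(text)
    # An ACL with no mask entry has nothing to filter, so treat it as rwx.
    old_mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    gained = []
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        before = effective(tag, qualifier, perms, old_mask)
        after = effective(tag, qualifier, perms, new_mask)
        if "w" not in before and "w" in after:
            gained.append(f"{tag}:{qualifier}")
    return gained

# Constructed sample in getfacl's text format (not output captured from the article).
SAMPLE = """\
# file: folder/subfolder2
user::rwx
user:rob:rwx
user:guest:rwx
group::r-x
group:staff:rw-
mask::r-x
other::r-x
"""

if __name__ == "__main__":
    for entry in newly_writable(SAMPLE, "rwx"):
        print("would gain write:", entry)
```

Opening the mask to rwx for rob's benefit also unlocks write for every other named entry that already lists w, which is exactly what the double-check is meant to catch.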