Table of Contents

Name

Discretionary Access Control Lists

Description

This document describes access control lists, as implemented under Linux. So far, access control lists (ACLs) are used to define access to files and directories. The types and constants of the C programming language interface are defined in <sys/acl.h>.

Access Control List Entries

An access control list contains a number of entries of various types. Each entry stands for permissions granted to a user, or to a group of users. The following type represents an ACL entry in a C program:


typedef struct {
    int     a_type;
    uid_t   a_id;
    mode_t  a_perm;
} acl_entry_t;

An ACL may contain entries with a_type set to one of the following constants.


ACL_USER_OBJ         (owner)
ACL_USER             (named user)
ACL_GROUP_OBJ        (owning group)
ACL_GROUP            (named group)
ACL_MASK_OBJ         (effective rights mask)
ACL_OTHER_OBJ        (other users)

The ACL_USER_OBJ, ACL_GROUP_OBJ, and ACL_OTHER_OBJ entries correspond to the traditional rights defined in the file mode. There is exactly one each of these entries in each valid ACL.

ACL_USER and ACL_GROUP entries define explicit rights for users and groups, respectively. For entries of these two types, a_id is set to the ID of the user or group in question. Whenever there are any entries of the last two types in the ACL, an ACL_MASK_OBJ entry is also required.

An ACL_MASK_OBJ entry limits the effective rights granted to named users or groups. The effective rights granted are those that are both granted by the user's or group's entry, and by the ACL_MASK_OBJ entry.

The lowest three bits of a_perm define the rights granted to the user the entry applies to, just like the bits in the traditional file mode. This results in a value between 0 and 7 (from 0 standing for no access to 7 standing for read, write, and execute access).

Valid Access Control Lists

Each valid ACL has as a minimum the three required base entries ACL_USER_OBJ, ACL_GROUP_OBJ, and ACL_OTHER_OBJ. These entries correspond to the traditional POSIX permission bits. There must be exactly one each of these three entries. The permission mask `rw-r-----' corresponds to the following entries:


    u::rw- (ACL_USER_OBJ entry)
    g::r-- (ACL_GROUP_OBJ entry)
    o::--- (ACL_OTHER_OBJ entry)

An ACL must also contain exactly one ACL_MASK_OBJ entry, if it contains additional ACL_USER or ACL_GROUP entries. For each user or group, there must be at most one ACL_USER or ACL_GROUP entry per access control list.


    u:joe:rw- (ACL_USER entry)
    g:webteam:rw- (ACL_GROUP entry)
    m:rw- (ACL_MASK_OBJ entry)

The ACL_MASK_OBJ Entry

An access control list that contains ACL_USER or ACL_GROUP entries also contains an ACL_MASK_OBJ entry, the purpose of which is to limit the effective rights granted to groups and named users in the ACL. The effective rights granted to a user or a group with an ACL_USER or an ACL_GROUP entry are those which are listed in both the ACL_USER or ACL_GROUP entry and the ACL_MASK_OBJ entry, respectively. The ACL_USER_OBJ and ACL_OTHER_OBJ entries are not affected by the ACL_MASK_OBJ entry.

Determining Access

When a process requests read, write, or execute/search access to a file, the following algorithm determines whether access is granted or not.

(1) Find a matching ACL entry

(2) Check the access mask
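
The two steps carried out in C, as an added example that is not part of this page: it uses the acl_entry_t layout and type names given above, but the numeric values of the type constants, the sample ACL (the u::rw-, u:joe:rw-, g::r--, g:webteam:rw-, o::--- entries from above, with the mask tightened to r-- so that masking is visible) and the uids and gids are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

/* Layout and type names from the text above; the numeric values are this
   example's own assumptions, not those of the real <sys/acl.h>.
   a_perm uses the traditional bits: 4 read, 2 write, 1 execute/search. */
enum { ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK_OBJ, ACL_OTHER_OBJ };
typedef struct { int a_type; uid_t a_id; mode_t a_perm; } acl_entry_t;

static bool in_groups(gid_t g, const gid_t *gids, size_t n)
{ for (size_t i = 0; i < n; i++) if (gids[i] == g) return true; return false; }

/* First entry of `type`; for ACL_USER and ACL_GROUP the a_id must match too. */
static const acl_entry_t *find_entry(const acl_entry_t *acl, size_t n, int type, uid_t id)
{
    for (size_t i = 0; i < n; i++)
        if (acl[i].a_type == type &&
            ((type != ACL_USER && type != ACL_GROUP) || acl[i].a_id == id)) return &acl[i];
    return NULL;
}

/* Step 1: pick the governing entry (owner, then named user, then any owning or
   named group the caller belongs to, then other). Step 2: intersect it with the
   ACL_MASK_OBJ entry, which never limits ACL_USER_OBJ or ACL_OTHER_OBJ. */
bool acl_permits(const acl_entry_t *acl, size_t n, uid_t owner, gid_t owner_gid,
                 uid_t uid, const gid_t *gids, size_t ngids, mode_t want)
{
    const acl_entry_t *e = find_entry(acl, n, ACL_MASK_OBJ, 0);
    mode_t mask = e ? e->a_perm & 07 : 07;       /* no mask entry: nothing masked */
    bool group_seen = false;
    if (uid == owner) { e = find_entry(acl, n, ACL_USER_OBJ, 0); return e && (e->a_perm & want) == want; }
    if ((e = find_entry(acl, n, ACL_USER, uid))) return (e->a_perm & mask & want) == want;
    for (size_t i = 0; i < n; i++) {            /* group class: any matching entry may grant */
        e = &acl[i];
        if (!((e->a_type == ACL_GROUP_OBJ && in_groups(owner_gid, gids, ngids)) ||
              (e->a_type == ACL_GROUP && in_groups((gid_t)e->a_id, gids, ngids)))) continue;
        group_seen = true;
        if ((e->a_perm & mask & want) == want) return true;
    }
    if (group_seen) return false;                /* a group entry matched but denies */
    e = find_entry(acl, n, ACL_OTHER_OBJ, 0);
    return e && (e->a_perm & want) == want;
}

/* Constructed sample: the entries from the text above (owner uid 1000, owning
   group gid 100, joe = uid 1001, webteam = gid 50) with the mask set to r--. */
const acl_entry_t sample_acl[] = {
    { ACL_USER_OBJ, 0, 06 }, { ACL_USER, 1001, 06 }, { ACL_GROUP_OBJ, 0, 04 },
    { ACL_GROUP, 50, 06 },   { ACL_MASK_OBJ, 0, 04 }, { ACL_OTHER_OBJ, 0, 00 },
};
const size_t sample_acl_len = sizeof sample_acl / sizeof sample_acl[0];
```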

Default Access Control Lists

Directories may have a default ACL, in addition to the regular ACL. While the purpose of the regular ACL is to control access to a file or directory, the purpose of the default ACL is to control access to files which are created inside the directory.

When a file is created, a create mask is specified that determines the maximum access rights to the file. This usually is 0666 for files, and 0777 for directories.

Traditionally, the effective access rights to new files are determined by combining the umask and the create mask. The default ACL replaces the role of the umask. The following steps are taken when a file is created inside a directory which has a default ACL:

For directories without a default ACL, the umask is used to determine effective permissions, `as usual'.

Author

Andreas Gruenbacher, <a.gruenbacher@computer.org>.

Please send your bug reports, suggested features and comments to the above address.

See Also

getfacl(1), setfacl(1), chmod(1), umask(1), acl(2)
