Discretionary Access Control Lists
This document describes access control lists as implemented under Linux. So far, access control lists (ACLs) are used to define access to files and directories. The types and constants of the C programming language interface are defined in <sys/acl.h>.
An access control list contains a number of entries of various types. Each entry stands for permissions granted to a user, or to a group of users. The following type represents an ACL entry in a C program:
typedef struct {
    int a_type;     /* entry type: one of the ACL_* constants listed below */
    uid_t a_id;     /* user or group ID; only meaningful for ACL_USER and ACL_GROUP entries */
    mode_t a_perm;  /* permission bits; the lowest three bits are read, write, execute */
} acl_entry_t;
An ACL may contain entries with a_type set to one of the following constants.
ACL_USER_OBJ (owner)
ACL_USER (named user)
ACL_GROUP_OBJ (owning group)
ACL_GROUP (named group)
ACL_MASK_OBJ (effective rights mask)
ACL_OTHER_OBJ (other users)
The ACL_USER_OBJ, ACL_GROUP_OBJ, and ACL_OTHER_OBJ entries correspond to the traditional rights defined in the file mode. There is exactly one of each of these entries in each valid ACL.
ACL_USER and ACL_GROUP entries define explicit rights for users and groups, respectively. For entries of these two types, a_id is set to the ID of the user or group in question. Whenever there are any entries of these two types in the ACL, an ACL_MASK_OBJ entry is also required.
An ACL_MASK_OBJ entry limits the effective rights granted to named users or groups. The effective rights granted are those that are granted both by the user's or group's entry and by the ACL_MASK_OBJ entry.
The lowest three bits of a_perm define the rights granted to the
user the entry applies to, just like the bits in the traditional file mode.
This results in a value between 0 and 7 (from 0 standing for no access
to 7 standing for read, write, and execute access).
Each valid ACL has as a minimum the three required base entries ACL_USER_OBJ, ACL_GROUP_OBJ, and ACL_OTHER_OBJ. These entries correspond to the traditional POSIX permission bits. There must be exactly one of each of these three entries.
The permission mask `rw-r-----' corresponds to the following entries:
u::rw- (ACL_USER_OBJ entry)
g::r-- (ACL_GROUP_OBJ entry)
o:--- (ACL_OTHER_OBJ entry)
An ACL must also contain exactly one ACL_MASK_OBJ entry, if it contains
additional ACL_USER or ACL_GROUP entries. For each user or group, there
must be at most one ACL_USER or ACL_GROUP entry per access control list.
u:joe:rw- (ACL_USER entry)
g:webteam:rw- (ACL_GROUP entry)
m:rw- (ACL_MASK_OBJ entry)
An access control list that contains ACL_USER or
ACL_GROUP entries also contains an ACL_MASK_OBJ entry, the purpose of which
is to limit the effective rights granted to groups and named users in the
ACL. The effective rights granted to a user or a group with an ACL_USER
or an ACL_GROUP entry are those which are listed in both the ACL_USER or
ACL_GROUP entry and the ACL_MASK_OBJ entry, respectively. The ACL_USER_OBJ
and ACL_OTHER_OBJ entries are not affected by the ACL_MASK_OBJ entry.
When a process requests read, write, or execute/search access to a file, the following algorithm determines whether access is granted or not.
(1) The first of the following rules that matches the requesting user applies:
- If the user is the file owner, then access is granted only if the ACL_USER_OBJ entry contains the requested permissions.
- If the ACL contains a named user entry that matches the user (ACL_USER), then:
  - If access is granted by that entry, go to step (2) below.
  - Otherwise, access is denied.
- If the user is in the owning group of the file (ACL_GROUP_OBJ), or is a member of any of the named groups (ACL_GROUP), then:
  - If these groups combined contain the requested permissions, go to step (2) below.
  - Otherwise, access is denied.
- If none of the above rules match, then:
  - If the ACL_OTHER_OBJ entry contains the requested permissions, access is granted.
  - Otherwise, access is denied.
(2) If the access mask (ACL_MASK_OBJ) also contains the requested permissions, then access is granted. Otherwise, access is denied.
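The access check above, written out as an added C example (not code from the page or from the ACL implementation it describes). The struct and constant names follow the text; their numeric values, the subject_t type, the in_groups helper, and the sample ACL (a file owned by OWNER:STAFF with the entries u::rw- g::r-- o:--- u:joe:rw- g:webteam:rw- m:r--) are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>
/* Entry types from the text; the numeric values are this example's own. */
enum { ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK_OBJ, ACL_OTHER_OBJ };
typedef struct { int a_type; uid_t a_id; mode_t a_perm; } acl_entry_t;
/* The requesting process: its uid and the groups it belongs to (assumed type). */
typedef struct { uid_t uid; const gid_t *gids; size_t ngids; } subject_t;
static bool in_groups(const subject_t *s, gid_t g) {
    for (size_t i = 0; i < s->ngids; i++) if (s->gids[i] == g) return true;
    return false;
}
/* True if every bit of `want` (rwx value 0..7) is granted to `s` on a file owned by owner:group. */
bool acl_check(const acl_entry_t *acl, size_t n, uid_t owner, gid_t group,
               const subject_t *s, mode_t want) {
    mode_t mask = 07, group_perms = 0;   /* no mask entry: nothing is limited */
    bool group_matched = false;
    const acl_entry_t *named_user = NULL, *obj_user = NULL, *obj_other = NULL;
    for (size_t i = 0; i < n; i++) {
        const acl_entry_t *e = &acl[i];
        switch (e->a_type) {
        case ACL_USER_OBJ:  obj_user = e; break;
        case ACL_OTHER_OBJ: obj_other = e; break;
        case ACL_MASK_OBJ:  mask = e->a_perm & 07; break;
        case ACL_USER:      if (e->a_id == s->uid) named_user = e; break;
        case ACL_GROUP_OBJ: case ACL_GROUP:   /* a_id holds the gid for ACL_GROUP */
            if (in_groups(s, e->a_type == ACL_GROUP ? (gid_t)e->a_id : group)) {
                group_matched = true; group_perms |= e->a_perm; }
            break;
        }
    }
    if (s->uid == owner)                   /* step (1): owner, mask not applied */
        return obj_user && (obj_user->a_perm & want) == want;
    if (named_user) {                      /* a named user entry wins over groups */
        if ((named_user->a_perm & want) != want) return false;
    } else if (group_matched) {            /* union of all matching group entries */
        if ((group_perms & want) != want) return false;
    } else                                 /* nobody matched: other entry decides */
        return obj_other && (obj_other->a_perm & want) == want;
    return (mask & want) == want;          /* step (2): limited by ACL_MASK_OBJ */
}
/* Constructed sample ACL: u::rw- g::r-- o:--- u:joe:rw- g:webteam:rw- m:r-- */
enum { OWNER = 1000, JOE = 1001, BOB = 1002, STAFF = 100, WEBTEAM = 200, OTHERG = 300 };
static const acl_entry_t sample[] = {
    {ACL_USER_OBJ, 0, 06}, {ACL_GROUP_OBJ, 0, 04}, {ACL_OTHER_OBJ, 0, 0},
    {ACL_USER, JOE, 06}, {ACL_GROUP, WEBTEAM, 06}, {ACL_MASK_OBJ, 0, 04},
};
bool sample_check(uid_t uid, gid_t gid, mode_t want) {  /* file owned by OWNER:STAFF */
    subject_t s = { uid, &gid, 1 };
    return acl_check(sample, sizeof sample / sizeof sample[0], OWNER, STAFF, &s, want);
}
```

With the mask set to r--, joe and webteam keep read but lose the write their own entries grant, while the owner's rw- is untouched by the mask.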
Directories may have a default ACL, in addition to the regular ACL. While the purpose of the regular ACL is to control access to a file or directory, the purpose of the default ACL is to control access to files which are created inside the directory. When a file is created, a create mask is specified that determines the maximum access rights to the file. This is usually 0666 for files, and 0777 for directories.
Traditionally, the effective access rights to new files are determined by combining the umask and the create mask. The default ACL replaces the role of the umask. The following steps are taken when a file is created inside a directory which has a default ACL:
- The new file inherits the directory's default ACL as its access ACL.
- The permissions in each entry of the new file's access ACL are modified in the following way:
  - The ACL_USER entry is set to the union of the value determined by the default ACL and the user part of the create mask.
  - The ACL_OTHER entry is set to the union of the value determined by the default ACL and the other part of the create mask.
  - All other entries are set to the union of the value determined by the default ACL and the group part of the create mask.
- If the new file is a directory, it inherits the parent directory's default ACL as its own default ACL.
For directories without a default ACL, the umask is used to determine
effective permissions, `as usual'.
Andreas Gruenbacher, <a.gruenbacher@computer.org>.
Please send your bug reports, suggested features and comments to the above
address.
getfacl(1), setfacl(1), chmod(1), umask(1), acl(2)