Using FreeBSD's ACLs
Understanding ACL Masks
Look again at the bottom portion of Figure 2. Here, you can view the users and groups on the system. Double-clicking on the user rob will add two items to the top portion, or Access Control List, of the screen, as shown in Figure 6.
Figure 6.
Adding to a user's ACL
Note: Future versions of eiciel will include a check box to exclude system accounts.
Notice that the entries for rob and mask have full rwx permissions, which is more than dru has as the owner of the file. What is happening here? By double-clicking on rob, I added an ACL, which I can verify with a long listing of my home directory:
% ls -l
drwx------ 2 dru dru 512 Jul 26 10:35 Desktop
-rw-r--r-- 1 dru dru 0 Jul 27 9:22 file1
-rw-r--r-- 1 dru dru 0 Jul 27 9:22 myfile
-rw-r--r--+ 1 dru dru 0 Jul 27 10:03 test
See that + at the end of the permission set for test? It indicates that an ACL has been set on that file. I can view it with getfacl:
% getfacl test
#file:test
#owner:1001
#group:1001
user::rw-
user:rob:rwx
group::r--
mask::rwx
other::r--
That output is basically the text representation of Figure 6. Why did rob get rwx, and what is this mask entry? eiciel adds a new user entry with rwx, and the mask is then recalculated as the union of the entries it governs (setfacl does the same recalculation unless you pass -n), so both show rwx. By definition, an ACL mask determines the maximum allowable permissions: it caps what named users such as rob, named groups and the owning group can actually exercise. It does not limit the file's owner (user::) or the other:: entry. It's worth doing two things to make sure you understand that fully.
First, uncheck the execute permission from the rob entry. Note that I can give rob any combination of read, write, or execute that I desire. From the perspective of the person using this GUI, she can simply double-click on the user to add them, then uncheck the permissions she doesn't want the user to have.
What happens if you change that mask entry? Put rob back as rwx, but remove execute from mask. As soon as you do that, the execute permission next to rob, or next to any other user with execute, will display a red exclamation mark. The GUI also displays a message explaining that a red exclamation mark means "an ineffective permission." This makes sense if you go back to the definition of an ACL mask. Now the maximum allowable permission set for rob is rw, meaning that anyone who appears to have execute really doesn't, even though the entry itself still reads rwx. While the GUI gives a nice visual, getfacl will also indicate the effective permissions:
% getfacl test
#file:test
#owner:1001
#group:1001
user::rw-
user:rob:rwx # effective: rw-
group::r--
mask::rw-
other::r--
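To make the mask rule concrete without needing a FreeBSD box, here is a small Python model, added as an example for this article and not code from the article or from eiciel. It parses getfacl's text output (the sample ACL text below is the one shown above), computes the effective permission of each entry the way the kernel does, shows what setfacl's default mask recalculation would produce, and re-renders the ACL with the same "# effective:" annotation getfacl prints. The entry names, the file name test and the uid 1001 are the article's; the function names are this example's own.

```python
"""Model of POSIX.1e ACL mask semantics as FreeBSD's getfacl/setfacl present them.

Added example for this article; not part of the original text or of eiciel.
"""
from dataclasses import dataclass

PERMS = "rwx"


@dataclass(frozen=True)
class AclEntry:
    tag: str            # "user", "group", "mask" or "other"
    qualifier: str      # user/group name; "" for owner, owning group, mask, other
    perms: frozenset    # subset of {"r", "w", "x"}

    @property
    def key(self) -> str:
        return f"{self.tag}:{self.qualifier}"


def parse_perms(text: str) -> frozenset:
    return frozenset(c for c in text if c in PERMS)


def fmt_perms(perms: frozenset) -> str:
    return "".join(c if c in perms else "-" for c in PERMS)


def parse_getfacl(text: str) -> list:
    """Parse getfacl output. '#' starts a comment, which drops both the
    '# file:/owner:/group:' header and any '# effective:' annotation."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        entries.append(AclEntry(tag, qualifier, parse_perms(perms)))
    return entries


def mask_applies(entry: AclEntry) -> bool:
    """The mask caps named users, named groups and the owning group.
    It never limits the file owner (user::) or other::."""
    return (entry.tag == "user" and entry.qualifier != "") or entry.tag == "group"


def effective_perms(entries: list) -> dict:
    """Map each entry key (e.g. 'user:rob') to its effective rwx string."""
    mask = next((e.perms for e in entries if e.tag == "mask"), None)
    result = {}
    for e in entries:
        perms = e.perms & mask if (mask is not None and mask_applies(e)) else e.perms
        result[e.key] = fmt_perms(perms)
    return result


def recalculated_mask(entries: list) -> frozenset:
    """What setfacl does unless told not to (-n on FreeBSD): the mask becomes
    the union of every entry it applies to, so a freshly added rwx user
    pulls the mask up to rwx."""
    mask = frozenset()
    for e in entries:
        if mask_applies(e):
            mask |= e.perms
    return mask


def with_mask(entries: list, perms: str) -> list:
    """Return a copy of the ACL with the mask entry replaced, as eiciel does
    when you uncheck a box on the mask row."""
    return [AclEntry("mask", "", parse_perms(perms)) if e.tag == "mask" else e
            for e in entries]


def render(entries: list) -> str:
    """Print entries the way getfacl does, flagging permissions the mask
    makes ineffective with a '# effective:' comment."""
    eff = effective_perms(entries)
    lines = []
    for e in entries:
        line = f"{e.key}:{fmt_perms(e.perms)}"
        if eff[e.key] != fmt_perms(e.perms):
            line += f"\t# effective: {eff[e.key]}"
        lines.append(line)
    return "\n".join(lines)


# Sample input: the getfacl output shown in the article after adding rob.
ACL_TEXT = """\
# file: test
# owner: 1001
# group: 1001
user::rw-
user:rob:rwx
group::r--
mask::rwx
other::r--
"""

if __name__ == "__main__":
    acl = parse_getfacl(ACL_TEXT)
    print(render(acl))
    print("mask setfacl would compute:", fmt_perms(recalculated_mask(acl)))
    print()
    print(render(with_mask(acl, "rw-")))   # rob's x becomes ineffective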
