Using FreeBSD's ACLs

Adding a User to a Directory ACL

If I go back to folder properties and add rob, will he have write access to folder/subfolder/ and folder/testfile? Good for you if you answered no. This change to the directory ACL will affect only subdirectories or files created after the change.

I also have a choice when I add rob. If I just double-click on rob, I give only rob access to the directory. In other words, I change the first type of ACL. However, if I first check the Default box and then double-click on rob, I change the second type of access, or affect rob's permissions on the subdirectories I create. I can actually add rob both ways. If the icon has a D over it, it affects subdirectories; if it doesn't, it affects access only to this directory.

For demonstration purposes, add both versions of rob and leave them with the default rwx permissions. To see the effect, create another test subdirectory and file:

% mkdir folder/subfolder2
% touch folder/testfile2

Figure 9 shows the effective ACLs. As expected, the default directory ACL, represented by the rob icon with a D, inherited rwx from the parent directory. Note that the access ACL, represented by the rob icon without a D, shows that w is an ineffective permission. In other words, because it represented access only to the parent directory, it doesn't give rob any inherited permissions on this subdirectory; therefore, rob is subject to the same permissions as any other user on this subdirectory. However, you can override this by checking the write box in the mask. If you do change the mask, double-check the other users on your screen to make sure you don't inadvertently give write access to a user who shouldn't have it.

Figure 9. Effective ACLs

Once the explanation of the permissions in folder/subfolder2 makes sense to you, take a look at testfile2 as seen in Figure 10. Note that there isn't any rob icon with a D. This is because files don't inherit the default directory ACL. Because there isn't any current support for a default access ACL, rob doesn't inherit any permissions at all from either the directory or subdirectory and is subject to the same permissions as any other user. Again, the way to modify this is to modify the mask (remember, it represents the maximum possible permissions) and double-check that the new mask value doesn't give other users more permissions than you intend.

Figure 10. Files and the default directory ACL
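
The mask caveat above can be checked before you change anything. The following Python code is an added example, not part of the original article: it parses getfacl-style text and reports which entries would gain permissions under a proposed mask. The sample ACL, including the user alice and the group staff, is constructed for illustration.

```python
# Added example: constructed getfacl-style text, not output from the article's system.
SAMPLE_ACL = """\
# file: folder/subfolder2
user::rwx
user:rob:rwx        # effective: r-x
user:alice:rw-      # effective: r--
group::r-x
group:staff:rwx     # effective: r-x
mask::r-x
other::r-x
"""

def parse_acl(text):
    """Return (entries, mask): entries is a list of (tag, qualifier, perms) tuples."""
    entries, mask = [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop header and "# effective:" comments
        if not line:
            continue
        tag, qualifier, perms = line.split(":")[:3]
        if tag == "mask":
            mask = perms.strip()
        else:
            entries.append((tag, qualifier, perms.strip()))
    return entries, mask

def masked(tag, qualifier):
    """POSIX.1e: the mask limits named users and all group entries, not owner or other."""
    return tag == "group" or (tag == "user" and qualifier != "")

def effective(perms, mask):
    """Intersect an entry's permissions with the mask, keeping the rwx layout."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def gains_from_mask_change(text, new_mask):
    """Map each masked entry to the permission bits it would gain under new_mask."""
    entries, old_mask = parse_acl(text)
    gains = {}
    for tag, qualifier, perms in entries:
        if not masked(tag, qualifier):
            continue
        before = effective(perms, old_mask) if old_mask else perms
        after = effective(perms, new_mask)
        gained = "".join(a for a, b in zip(after, before) if a != "-" and b == "-")
        if gained:
            gains[f"{tag}:{qualifier}"] = gained
    return gains

if __name__ == "__main__":
    print(gains_from_mask_change(SAMPLE_ACL, "rwx"))
```

Any entry in the result other than the one you meant to change is a user or group that would pick up the new permission as a side effect of widening the mask.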
