Understanding file protection

Changing the access control list of a file

If you are user_1 (the owner of the file junk used in examples earlier in this section), you can provide read access for junk to an additional user by adding an entry to the ACL naming that user and specifying read access. You do this with the setacl(1) command. For example, the following command gives user archer read-only access to the file:

   setacl -r -m u:archer:r-- junk

The -m option indicates that you are adding an entry to the ACL. The -r option automatically recalculates the class entry for you, so that any permissions that you specify will actually be granted.

You can add group-specific entries in just the same way. For example, to grant read and write access to everyone in the group judges, type the following:

   setacl -r -m g:judges:rw- junk

The -m (modify) option can be used to change an existing entry as well as add a new one. If an entry already exists for the specified user or group, the permissions for that entry are set to the values specified on the command line.

There is also a -d option, to delete an entry. When the -d option is specified, you do not specify any permissions in the ACL entry. For example, the following command deletes an entry for the group judges:

   setacl -r -d g:judges junk

Any number of entries may be added using the -m option.

If you are adding or changing several entries, you will probably want to use a different procedure. You can save the ACL to a file, edit it, adding, changing, or deleting entries to produce whatever ACL you want, and then apply this new ACL to the file. For example, you could save the ACL to a file with this command:

   getacl junk > junk.acl

Then you could edit it so that it appeared as in ``A complex ACL''.

# file: junk
# owner: user_1
# group: group_1
user::rw-
user:user_2:r--
user:user_3:r--
user:user_4:---
group::rw-
group:group_2:r--
group:group_3:r--
group:group_4:---
group:group_5:rw-
class:rw-
other:r--

A complex ACL

This ACL can now be applied to the file by using the -f option of the setacl command as follows:

   setacl -r -f junk.acl junk

In this example several changes have been made. Previously the ACL entries only granted access to people; now they are also used to deny access. Note specifically the entries for user user_4 and group group_4.
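The following script is an added example, not part of the original UnixWare documentation: it reviews a saved getacl listing before it is applied with setacl -f, reporting the class entry that -r would need, the entries the listing's own class entry would cap, and the explicit deny entries. The function names and the sample listing are constructed for illustration, and the script assumes that the class entry caps named user entries, the owning group entry and named group entries.

```shell
#!/bin/sh
# Added example: review a saved getacl listing before "setacl -f junk.acl junk".
# Assumption (not stated on the page): the class entry caps named user entries,
# the owning group entry and named group entries, and -r sets it to their union.

# Constructed sample: the page's ACL shortened, with class narrowed to r--.
sample_acl() {
    cat <<'EOF'
# file: junk
# owner: user_1
# group: group_1
user::rw-
user:user_2:r--
user:user_4:---
group::rw-
group:group_4:---
group:group_5:rw-
class:r--
other:r--
EOF
}

# Class permissions needed so that every capped entry is granted in full.
needed_class() {
    awk -F: '/^#/ || NF < 2 { next }
        ($1 == "user" && $2 != "") || $1 == "group" {
            for (b = 1; b <= 3; b++) if (substr($NF, b, 1) != "-") bit[b] = substr($NF, b, 1)
        }
        END { for (b = 1; b <= 3; b++) printf "%s", (b in bit ? bit[b] : "-"); print "" }'
}

# Entries that ask for a permission the listing's own class entry withholds.
masked_entries() {
    awk -F: '/^#/ || NF < 2 { next }
        $1 == "class" { class = $2; next }
        ($1 == "user" && $2 != "") || $1 == "group" { tag[++n] = $1 ":" $2; perm[n] = $NF }
        END { for (i = 1; i <= n; i++) for (b = 1; b <= 3; b++)
                if (substr(perm[i], b, 1) != "-" && substr(class, b, 1) == "-") {
                    print tag[i] ":" perm[i]; break } }'
}

# Named users and groups that are explicitly denied all access.
deny_entries() {
    awk -F: '!/^#/ && NF == 3 && $2 != "" && $3 == "---" { print $1 ":" $2 }'
}

echo "class needed:   $(sample_acl | needed_class)"
echo "capped by class:"; sample_acl | masked_entries
echo "explicit denies:"; sample_acl | deny_entries
```

Each function reads a listing on standard input, so a saved file can be checked with, for example, masked_entries < junk.acl.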

ACLs are implemented through the secure filesystem type, sfs. They are also supported in the Veritas filesystem type, vxfs. See ``Managing filesystem types'' for more information on filesystem types.


© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004