You set HFS ACL permissions with the chacl command and display them with the lsacl command. See Example 6-1.

IMPORTANT: You must use chmod with the -A option when working with files that have HFS ACL permissions assigned. Without the -A option, chmod will delete the ACL permissions from the file. The syntax is:

The chacl command is a superset of the chmod command. Any specific permissions you assign with the chacl command are added to the more general permissions assigned with the chmod command. When a file has ACLs, the ll command displays a plus sign (+) after the permission string. If a user.group matches more than one HFS ACL entry, the more specific entry takes precedence. See Example 6-2.

Example 6-1 Creating an HFS ACL

In this example, the chmod command restricts write permissions for myfile to only the user, allan. The chmod command also deletes any previous HFS ACLs.

```
$ chmod 644 myfile
$ ll myfile
-rw-r--r-- 1 allan users 0 Sep 21 16:56 myfile
$ lsacl myfile
(allan.%,rw-)(%.users,r--)(%.%,r--) myfile
```

The lsacl command displays just the default (no ACL) values, corresponding to the basic owner, group, and other permissions. The chacl command gives read and write access to myfile to another user.

```
$ chacl 'naomi.users=rw' myfile
$ ll myfile
-rw-r--r--+ 1 allan users 0 Sep 21 16:56 myfile
$ lsacl myfile
(naomi.users,rw-)(allan.%,rw-)(%.users,r--)(%.%,r--) myfile
```

Notice two things: the ll permissions display has a + appended, indicating that ACLs exist, and the ll permissions string did not change. The additional entry in the lsacl display specifies that user naomi in group users has read and write access to myfile.

Example 6-2 Multiple HFS ACL Matches

If a user's user.group combination matches more than one ACL entry, the most specific entry takes precedence. In this example, first set the file permissions. Use the chacl command on myfile to add a write-only entry for user naomi:

```
$ chacl naomi.%=w myfile
$ lsacl myfile
(naomi.%,-w-)(allan.%,rw-)(%.users,r--)(%.%,r--) myfile
```

Now, user naomi has write access to file myfile, using the ACL defined for naomi.%, but does not have read access to the file because naomi.% takes precedence over the ACLs defined for %.users and %.%. The lsacl command displays the HFS ACLs in decreasing order of specificity. That is, permission matches are attempted from left to right.

HFS ACLs and HP-UX Commands and Calls

The following commands and system calls work with ACLs on HFS file systems:

Table 6-2 HFS ACL Commands

| Commands | Description |
|---|---|
| chacl | Changes HFS ACLs of files. |
| getaccess | Lists user's access rights to files. |
| lsacl | Lists HFS ACLs of files. |

Table 6-3 HFS ACL System Calls

| System Call | Description |
|---|---|
| getaccess() | Gets a user's effective access rights to a file. |
| getacl(), fgetacl() | Gets HFS ACL information. |
| setacl(), fsetacl() | Sets HFS ACL information. |
| acltostr() | Converts HFS ACL structure to string form. |
| chownacl() | Changes the owner or group represented in an HFS file's ACL. |
| cpacl(), fcpacl() | Copies HFS ACL and mode bits from one file to another. |
| setaclentry(), fsetaclentry() | Adds, modifies, or deletes an HFS file's ACL entry. |
| strtoacl() | Parses and converts HFS ACL structure to string form. |
| strtoaclpatt() | Parses and converts HFS ACL pattern strings to arrays. |

The following commands, system calls, and subroutine libraries affect ACL entries, sometimes in unexpected ways.

Table 6-4 Commands and Calls Affecting ACL Entries

| Command or Call | Description |
|---|---|
| chmod | Deletes HFS ACLs by default. Use the -A option to retain HFS ACLs. |
| chmod() | Deletes HFS ACL entries. Use getacl() and setacl() to save and restore the HFS ACL entries. |
| cpset | Does not set a file's optional ACL entries. |
| find | Identifies files whose ACL entries match or include specific ACL patterns on HFS or JFS file systems. |
| ls -l | The long form indicates the existence of ACLs by displaying a plus sign (+) after the file's permission bits. |
| mailx | Does not support optional ACL entries on /var/mail/* files. |
| compact, compress, cp, ed, pack, unpack | Copies ACL entries to the new files they create. |
| frecover, fbackup | Use only these commands to selectively recover and back up files. Use the -A option when backing up from an ACL system for recovery on a system that does not support ACLs. |
| ar, cpio, ftio, shar, tar, dump, restore | These commands do not retain ACLs when archiving and restoring. They use the st_mode value returned by stat(). |
| rcs, sccs | These commands do not support ACLs. |

HFS access control lists use additional “continuation inodes” when creating new file systems. Consider them when using the following commands:

fsck: Returns the number of files with ACL entries as a value for icont. Use the -p option to clear unreferenced continuation inodes. See fsck(1M).

diskusg, ncheck: Ignores continuation inodes. See diskusg(1M) and ncheck(1M).

mkfs: Allows for continuation inodes on new disks. See mkfs(1M).
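The matching rule from Example 6-2 can be checked offline against captured lsacl output when reviewing who actually gets access to a file. The following Python is an added example, not part of the HP-UX documentation or tooling; it models the precedence rule for a single user.group pair only. The function names and the numeric specificity ranking (read off the lsacl outputs in Examples 6-1 and 6-2) are assumptions of the example.

```python
import re

# Constructed input: the lsacl output line shown in Example 6-2.
SAMPLE = "(naomi.%,-w-)(allan.%,rw-)(%.users,r--)(%.%,r--) myfile"

ENTRY = re.compile(r"\(([^.()]+)\.([^,()]+),([r-][w-][x-])\)")


def parse_lsacl(line):
    """Split one lsacl output line into [(user, group, mode), ...] and the file name."""
    entries = ENTRY.findall(line)
    if not entries:
        raise ValueError("no ACL entries in %r" % line)
    return entries, line[line.rindex(")") + 1:].strip()


def rank(entry):
    """Assumed specificity: user.group = 3, user.% = 2, %.group = 1, %.% = 0."""
    user, group, _ = entry
    return 2 * (user != "%") + (group != "%")


def matching(line, user, group):
    """Entries that match user.group, most specific first (the order lsacl prints)."""
    entries, _ = parse_lsacl(line)
    hits = [e for e in entries if e[0] in ("%", user) and e[1] in ("%", group)]
    return sorted(hits, key=rank, reverse=True)  # stable: ties keep listed order


def effective_mode(line, user, group):
    """Mode of the most specific matching entry; '---' if nothing matches."""
    hits = matching(line, user, group)
    return hits[0][2] if hits else "---"


def shadowed_grants(line, user, group):
    """Permission letters a broader matching entry grants but the winning entry withholds."""
    hits = matching(line, user, group)
    if not hits:
        return ""
    winner = hits[0][2]
    lost = {c for _, _, mode in hits[1:]
            for c, w in zip(mode, winner) if c != "-" and w == "-"}
    return "".join(sorted(lost))


if __name__ == "__main__":
    for who in (("naomi", "users"), ("allan", "users"), ("guest", "staff")):
        print(who, effective_mode(SAMPLE, *who), shadowed_grants(SAMPLE, *who) or "-")
```

For naomi.users, shadowed_grants reports r: the write-only naomi.% entry withholds the read access that %.users and %.% would otherwise give her.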