Novell LINUX ENTERPRISE DESKTOP 10 SP2 - DEPLOYMENT GUIDE 08-05-2008 Deployment Manual page 343

default:mask::r-x
default:other::---
As expected, the newly-created subdirectory mysubdir has the permissions from
the default ACL of the parent directory. The access ACL of mysubdir is an exact
reflection of the default ACL of mydir. The default ACL that this directory will
hand down to its subordinate objects is also the same.
3. Use touch to create a file in the mydir directory, for example, touch
mydir/myfile. ls -l mydir/myfile then shows:
-rw-r-----+ ... tux project3 ... mydir/myfile
The output of getfacl mydir/myfile is:
# file: mydir/myfile
# owner: tux
# group: project3
user::rw-
group::r-x
group:mascots:r-x
mask::r--
other::---
touch uses a mode with the value 0666 when creating new files, which means
that the files are created with read and write permissions for all user classes, pro-
vided no other restrictions exist in umask or in the default ACL (see
"Effects of a Default ACL"
sions not contained in the mode value are removed from the respective ACL entries.
Although no permissions were removed from the ACL entry of the group class,
the mask entry was modified to mask permissions not set in mode.
This approach ensures the smooth interaction of applications, such as compilers,
with ACLs. You can create files with restricted access permissions and subsequently
mark them as executable. The mask mechanism guarantees that the right users
and groups can execute them as desired.
13.4.4 The ACL Check Algorithm
A check algorithm is applied before any process or application is granted access to an
ACL-protected file system object. As a basic rule, the ACL entries are examined in the
following sequence: owner, named user, owning group or named group, and other. The
# effective:r--
# effective:r--
(page 325)). In effect, this means that all access permis-
Section
Access Control Lists in Linux 327