Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 115

2. In the next example, use mkdir to create a subdirectory in mydir, which inherits
the default ACL.
mkdir mydir/mysubdir
getfacl mydir/mysubdir
# file: mydir/mysubdir
# owner: tux
# group: project3
user::rwx
group::r-x
group:mascots:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:mascots:r-x
default:mask::r-x
default:other::---
As expected, the newly-created subdirectory mysubdir has the permissions from
the default ACL of the parent directory. The access ACL of mysubdir is an exact
reflection of the default ACL of mydir. The default ACL that this directory will
hand down to its subordinate objects is also the same.
3. Use touch to create a file in the mydir directory, for example, touch
mydir/myfile. ls -l mydir/myfile then shows:
-rw-r-----+ ... tux project3 ... mydir/myfile
The output of getfacl mydir/myfile is:
# file: mydir/myfile
# owner: tux
# group: project3
user::rw-
group::r-x
group:mascots:r-x
mask::r--
other::---
touch uses a mode with the value 0666 when creating new files, which means
that the files are created with read and write permissions for all user classes, pro-
vided no other restrictions exist in umask or in the default ACL (see
"Effects of a Default ACL"
sions not contained in the mode value are removed from the respective ACL entries.
# effective:r--
# effective:r--
(page 101)). In effect, this means that all access permis-
Section
Access Control Lists in Linux 103