Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 04-08-2006 Installation Manual page 309

default:mask::r-x
default:other::---
As expected, the newly-created subdirectory mysubdir has the permissions
from the default ACL of the parent directory. The access ACL of mysubdir
is an exact reflection of the default ACL of mydir. The default ACL that this
directory will hand down to its subordinate objects is also the same.
3. Use touch to create a file in the mydir directory, for example, touch
mydir/myfile. ls -l mydir/myfile then shows:
-rw-r-----+ ... tux project3 ... mydir/myfile
The output of getfacl mydir/myfile is:
# file: mydir/myfile
# owner: tux
# group: project3
user::rw-
group::r-x
group:mascots:r-x
mask::r--
other::---
touch uses a mode with the value 0666 when creating new files, which means
that the files are created with read and write permissions for all user classes,
provided no other restrictions exist in umask or in the default ACL (see
"Effects of a Default ACL"
missions not contained in the mode value are removed from the respective ACL
entries. Although no permissions were removed from the ACL entry of the group
class, the mask entry was modified to mask permissions not set in mode.
This approach ensures the smooth interaction of applications, such as compilers,
with ACLs. You can create files with restricted access permissions and subse-
quently mark them as executable. The mask mechanism guarantees that the
right users and groups can execute them as desired.
15.4.4 The ACL Check Algorithm
A check algorithm is applied before any process or application is granted access to an
ACL-protected file system object. As a basic rule, the ACL entries are examined in the
following sequence: owner, named user, owning group or named group, and other. The
# effective:r--
# effective:r--
(page 307)). In effect, this means that all access per-
Section
Access Control Lists in Linux 309