Novell LINUX ENTERPRISE SERVER 10 SP2 - INSTALLATION AND ADMINISTRATION Installation Manual page 331

default:group::r-x
default:group:mascots:r-x
default:mask::r-x
default:other::---
As expected, the newly-created subdirectory mysubdir has the permissions from
the default ACL of the parent directory. The access ACL of mysubdir is an exact
reflection of the default ACL of mydir. The default ACL that this directory will
hand down to its subordinate objects is also the same.
3. Use touch to create a file in the mydir directory, for example, touch
mydir/myfile. ls -l mydir/myfile then shows:
-rw-r-----+ ... tux project3 ... mydir/myfile
The output of getfacl mydir/myfile is:
# file: mydir/myfile
# owner: tux
# group: project3
user::rw-
group::r-x
group:mascots:r-x
mask::r--
other::---
touch uses a mode with the value 0666 when creating new files, which means
that the files are created with read and write permissions for all user classes, pro-
vided no other restrictions exist in umask or in the default ACL (see Section "Ef-
fects of a Default ACL" (page 311)). In effect, this means that all access permissions
not contained in the mode value are removed from the respective ACL entries.
Although no permissions were removed from the ACL entry of the group class,
the mask entry was modified to mask permissions not set in mode.
This approach ensures the smooth interaction of applications, such as compilers,
with ACLs. You can create files with restricted access permissions and subsequently
mark them as executable. The mask mechanism guarantees that the right users and
groups can execute them as desired.
15.4.4 The ACL Check Algorithm
A check algorithm is applied before any process or application is granted access to an
ACL-protected file system object. As a basic rule, the ACL entries are examined in the
# effective:r--
# effective:r--
Access Control Lists in Linux 313