ACLs are manipulated using extensions to the symbolic mode grammar. Each file has one ACL, containing an ordered list of entries. Each entry refers to a user or group, and grants or denies a set of permissions. In cases where a user and a group exist with the same name, the user/group name can be prefixed with user: or group: in order to specify the type of name.
The following permissions are applicable to all filesystem objects: delete Delete the item. Deletion may be granted by either this permission on an object or the delete_child right on the containing directory.
readattr
Read an objects basic attributes. This is implicitly granted if the object can be looked up and not explicitly denied.
writeattr
Write an objects basic attributes. readextattr
Read extended attributes.
writeextattr
Write extended attributes.
readsecurity
Read an objects extended security information (ACL). writesecurity
Write an objects security information (ownership, mode, ACL).
chown
Change an objects ownership.
The following permissions are applicable to directories:
list
List entries. search Look up files by name. add_file Add a file. add_subdirectory Add a subdirectory. delete_child Delete a contained object. See the file delete permission above.
The following permissions are applicable to non-directory filesystem objects:
read
Open for reading.
write
Open for writing. append Open for writing, but in a fashion that only allows writes into areas of the file not previously written. execute Execute the file as a script or program.
ACL inheritance is controlled with the following permissions words, which may only be applied to directories:
file_inherit
Inherit to files.
directory_inherit
Inherit to directories.
limit_inherit
This flag is only relevant to entries inherited by subdirectories; it causes the directory_inherit flag to be cleared in the entry that is inherited, preventing further nested subdirectories from also inheriting the entry. only_inherit
The entry is inherited by created items but not considered when processing the ACL.
The ACL manipulation options are as follows:
+a
The +a mode parses a new ACL entry from the next argument on the commandline and inserts it into the canonical location in the ACL. If the supplied entry refers to an identity already listed, the two entries are combined.
Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 # chmod +a admin allow write file1 # ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 owner: juser
1: admin allow write
# chmod +a guest deny read file1 # ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 owner: juser
1: guest deny read
2: admin allow write
# chmod +a admin allow delete file1 # ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 owner: juser
1: guest deny read
2: admin allow write,delete
The +a mode strives to maintain correct canonical form for the ACL.
local deny
local allow
inherited deny
inherited allow
By default, chmod adds entries to the top of the local deny and local allow lists. Inherited entries are added by using the +ai mode.
Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 owner: juser
1: guest deny read
2: admin allow write,delete
3: juser inherited deny delete 4: admin inherited allow delete 5: backup inherited deny read
6: admin inherited allow write-security # chmod +ai others allow read file1 # ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 owner: juser
1: guest deny read
2: admin allow write,delete
3: juser inherited deny delete 4: others inherited allow read 5: admin inherited allow delete 6: backup inherited deny read
7: admin inherited allow write-security
+a#
When a specific ordering is required, the exact location at which an entry will be inserted is specified with the +a# mode.
Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 owner: juser
1: guest deny read
2: admin allow write
# chmod +a# 2 others deny read file1 # ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 owner: juser
1: guest deny read
2: others deny read
3: admin allow write
The +ai# mode may be used to insert inherited entries at a specific location. Note that these modes allow non-canonical ACL ordering to be constructed.
-a
The -a mode is used to delete ACL entries. All entries exactly matching the supplied entry will be deleted. If the entry lists a subset of rights granted by an entry, only the rights listed are removed. Entries may also be deleted by index using the -a# mode.
Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 owner: juser
1: guest deny read
2: admin allow write,delete
# chmod -a# 1 file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 owner: juser
1: admin allow write,delete
# chmod -a admin allow write file1 # ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 owner: juser
1: admin allow delete
Inheritance is not considered when processing the -a mode; rights and entries will be removed regardless of their inherited state.
=a#
Individual entries are rewritten using the =a# mode.
Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 owner: juser
1: admin allow delete
# chmod =a# 1 admin allow write,chown" # ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1 owner: juser
1: admin allow write,chown
This mode may not be used to add new entries.
-E
Reads the ACL information from stdin, as a sequential list of ACEs, separated by newlines. If the information parses correctly, the existing information is replaced.
-C
Returns false if any of the named files have ACLs in non-canonical order.
-i
Removes the inherited bit from all entries in the named file(s) ACLs.
-I
Removes all inherited entries from the named file(s) ACL(s).
-N
Removes the ACL from the named file(s).
