Softpanorama
(slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)



The Solaris ACL Mask


The ACL mask can be viewed as an extension of the Unix umask concept from file creation (umask acts only when a file is created) to every access check on an existing file. It defines the maximum permissions available to any user or group that was granted access to the file through an ACL entry. The mask does not affect the regular owner and world (other) permissions in any way, but it does affect the regular group permissions.

A file may have no ACL entries beyond the basic ones. In this case it is said to have a so-called "trivial ACL", consisting only of the owner, group and other entries; getfacl still displays a mask entry for such a file, but that mask always equals the group permissions and does not restrict access in any way. Each time you change the group permissions of a file or directory with a trivial ACL (with chmod, for example), the displayed mask changes in sync, as if it were an alias for the group permissions.

If the ACL is non-trivial (entries have been added for specific users or groups), it is not the granted permissions but the effective permissions that determine the level of access for a particular user or group. The two exceptions are the file owner, who is always governed by the owner entry, and a requester who matches no user or group entry at all and therefore falls into the world (other) class.

Effective permissions are calculated as the intersection (bitwise AND) of the granted permissions and the ACL mask. This helps to limit potential abuse of ACLs: ACLs are poorly understood by most administrators, so additional entries can be used to quietly subvert the intended access permissions, and a restrictive mask caps whatever those entries grant.

The mask also makes it possible to give a file special properties for every user covered by the mask, for example to make it effectively "read-only" for all of them. If the mask is set to r--, then even a user or group whose entry grants a larger permission set is limited to read access. Note that the owner is not covered by the mask (the owner entry still applies as-is) and that root bypasses permission checks entirely.

As already mentioned, the intersection of the mask and an entry's permissions, shown by the getfacl command as #effective:, is known as the effective permission set. It is computed separately for each user or group that was granted access to the file via the ACL. So there are as many effective permission sets as there are additional user and group entries, plus one for the regular group entry, which is also subject to the mask.

The ACL mask value globally limits the effective permissions of every additional ACL entry on a particular file or directory. No effective permissions are listed for the file's owner or for "other" users. The file's group and any specific users or groups present in the ACL do have effective permissions. When no ACL mask is explicitly set on a file or directory, the mask is taken to be equal to the group permissions of that file or directory.
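The mask rule described above, worked through as an added example (this is not code from the page or from Solaris): it parses a getfacl-style listing, recomputes the #effective: column as granted AND mask, and answers access questions in the evaluation order Solaris UFS ACLs apply. The listing is constructed to match the page's file_with_ACL example; the identities used in the checks (joeuser, root and the group memberships) are assumptions. Running it shows joeuser's rwx entry collapsing to r-- when the mask is tightened while the owner is unaffected.

```python
"""Solaris (POSIX-draft) ACL mask: effective permissions and access decisions.

Added example, not code from the page or from Solaris. SAMPLE is a constructed
getfacl listing matching the page's file_with_ACL example; the user and group
names used in the access checks are assumptions.
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perms_to_bits(perms):
    """'rwx' -> 7, 'r--' -> 4, 'w' -> 2."""
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)

def bits_to_perms(bits):
    """7 -> 'rwx', 4 -> 'r--'."""
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())

def parse_getfacl(text):
    """Parse getfacl output; '#effective:' is derived data and is recomputed by effective()."""
    acl = {"users": {}, "groups": {}, "mask": None}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drops '# file:' headers and '#effective:'
        if not line:
            continue
        parts = line.split(":")
        kind = parts[0]
        if kind in ("user", "group"):
            name, perms = parts[1], parts[2]
            if name:                              # named entry, e.g. user:joeuser:rwx
                acl[kind + "s"][name] = perms_to_bits(perms)
            else:                                 # base entry, e.g. user::rw- / group::r--
                acl[kind] = perms_to_bits(perms)
        elif kind in ("mask", "other"):
            acl[kind] = perms_to_bits(parts[1])
    if acl["mask"] is None:                       # trivial ACL: the mask mirrors group::
        acl["mask"] = acl["group"]
    return acl

def effective(acl):
    """(granted, effective) per masked entry, as getfacl shows them.
    user:: and other: are never masked, so they are not listed."""
    mask = acl["mask"]
    out = {"group::": (acl["group"], acl["group"] & mask)}
    for name, bits in acl["users"].items():
        out["user:" + name] = (bits, bits & mask)
    for name, bits in acl["groups"].items():
        out["group:" + name] = (bits, bits & mask)
    return out

def set_mask(acl, perms):
    """Model `setfacl -m mask:PERMS file`: only the mask entry changes."""
    new = dict(acl)
    new["mask"] = perms_to_bits(perms)
    return new

def allowed(acl, user, groups, owner, owning_group, want):
    """True if `user` (member of the set `groups`) may perform `want`, e.g. 'rw'.
    POSIX.1e draft order, as Solaris UFS ACLs implement it:
      owner -> user:: unmasked; named user -> masked; owning group and named
      groups -> each masked, granted if any single matching entry holds every
      requested bit; everyone else -> other: unmasked. Root is not modelled
      (it bypasses discretionary checks altogether)."""
    want = perms_to_bits(want)
    mask = acl["mask"]
    if user == owner:
        return acl["user"] & want == want
    if user in acl["users"]:
        return acl["users"][user] & mask & want == want
    candidates = [acl["group"]] if owning_group in groups else []
    candidates += [bits for name, bits in acl["groups"].items() if name in groups]
    if candidates:
        return any(bits & mask & want == want for bits in candidates)
    return acl["other"] & want == want

# Constructed listing, identical to the page's file_with_ACL example.
SAMPLE = """\
# file: file_with_ACL
# owner: root
# group: other
user::rw-
user:joeuser:rwx #effective:rwx
group::r-- #effective:r--
group:joeuser:rwx #effective:rwx
mask:rwx
other:r--
"""

if __name__ == "__main__":
    for perms in ("rwx", "r--"):
        acl = set_mask(parse_getfacl(SAMPLE), perms)
        print(f"mask:{perms}")
        for name, (granted, eff) in effective(acl).items():
            print(f"  {name:<14} granted {bits_to_perms(granted)}  effective {bits_to_perms(eff)}")
        # joeuser's rwx entry is capped by the mask; the owner (root) is not.
        print("  joeuser may write:", allowed(acl, "joeuser", set(), "root", "other", "w"))
        print("  root may write:   ", allowed(acl, "root", {"root"}, "root", "other", "w"))
```

The group-class rule is the part most people get wrong: when a requester matches several group entries, access is granted only if one masked entry on its own contains every requested bit, not if the union of the entries does. The `allowed` function implements that rule rather than OR-ing the candidates together.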

Notes:

ACL entries are displayed with the getfacl utility, which has several options. The following examples show its output:

# file: file_with_ACL
# owner: root
# group: other
user::rw-
user:joeuser:rwx #effective:rwx
group::r-- #effective:r--
group:joeuser:rwx #effective:rwx
mask:rwx
other:r--

If we change the mask with

setfacl -m mask:r-- file_with_ACL

we will get

# file: file_with_ACL
# owner: root
# group: other
user::rw-
user:joeuser:rwx #effective:r--
group::r-- #effective:r--
group:joeuser:rwx #effective:r--
mask:r--
other:r--

If a file has no additional ACL entries, getfacl still displays it as having a "trivial" ACL:

# file: file_without_ACLs
# owner: root
# group: other
user::rw-
group::r-- #effective:r--
mask:r--
other:r--

As you can see, the ACL mask equals the group permissions (both have the value r--).

To remove the additional entries from a file with a non-trivial ACL, use setfacl -d with the list of entries to delete, for example setfacl -d user:joeuser,group:joeuser file_with_ACL. The owner, group, other and mask entries cannot be deleted; once only they remain, the ACL is trivial again. Be careful when carrying this habit over to Linux: there setfacl -d manipulates default ACLs, and entries are removed with setfacl -x.


Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: February 28, 2008