
Every file and directory has an access control list (ACL), which describes the access allowed by a list of users and/or groups. File and directory ACLs can be viewed and modified through the Web using an access control short form or long form, or can be modified through the Unix shell using the aclmod command. After a file or directory is identified, an access control short form is displayed. Click on the black triangular button to switch to the long form or short form.
Here is an example of a short form directory ACL followed by a directory listing:
Each row in the ACL describes the read and write access to the directory allowed by a user, group or others.
The owner implicitly retains full access. If users explicitly named in the ACL try to access the directory, they have exactly the access allowed by that row of the ACL. If members of a group named in the ACL try to access the directory, they have the collective access allowed by every group in which they are a member. If other users try to access the directory, they have the access allowed by anyone on the Internet.
Access to the directory can be modified by checking the desired access checkboxes and clicking on the upper "Modify Access" button. If you wish to specify access allowed by a user or group that doesn't appear in the ACL, use one of the blank entries at the end of the ACL to choose either user or group, specify the username or groupname and select the desired access. If you wish to deny all access to a user or group that appears in the ACL, uncheck all of the access checkboxes and click on the upper "Modify Access" button.
Granting read access to a directory allows reading throughout the directory, i.e., to all existing and future files and subdirectories therein. Be careful not to unintentionally grant sweeping read access to private files and directories.
Granting write access to a directory allows writing, insertion and deletion throughout the directory, i.e., to all files and subdirectories therein. Be careful not to unintentionally grant sweeping write access to untrusted users, groups or others.
Here is an example of a short form file ACL:
Each row in the ACL describes the read and write access to the file allowed by a user, group or others.
The owner implicitly retains full access. If users explicitly named in the ACL try to access the file, they have exactly the access allowed by that row of the ACL. If members of a group named in the ACL try to access the file, they have the collective access allowed by every group in which they are a member. If any other users try to access the file, they have the access allowed by anyone on the Internet.
Access to the file can be modified by checking the desired access checkboxes and clicking on the "Modify Access" button. If you wish to specify access allowed by a user or group that doesn't appear in the ACL, use one of the blank entries at the end of the ACL to choose either user or group, specify the username or groupname and select the desired access. If you wish to deny all access to a user or group that appears in the ACL, uncheck all of the access checkboxes and click on the "Modify Access" button.
Here is an example of a long form directory ACL followed by a directory listing:
Each row in the ACL describes the access to the directory allowed by a user or group. The first row shows the owner's username and access, the second row shows the primary group's groupname and access, the third row shows the access allowed by anyone on the Internet, and the subsequent rows show additional users' and groups' names and access.
If the owner or other users explicitly named in the ACL try to access the directory, they have exactly the access allowed by that row of the ACL. If members of a group named in the ACL try to access the directory, they have the collective access allowed by every group in which they are a member. If other users try to access the directory, they have the access allowed by anyone on the Internet.
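The evaluation order described above can be modelled in a few lines. This is an added example, not code from the system being documented; the `Acl` structure, the permission names and the sample users and groups are constructed for illustration, and it follows the long form rules (in the short form the owner implicitly retains full access).

```python
from dataclasses import dataclass, field


@dataclass
class Acl:
    """Model of a long form ACL; field names are assumptions, not the system's."""
    owner: str
    owner_access: frozenset
    anyone_access: frozenset                     # the "anyone on the Internet" row
    users: dict = field(default_factory=dict)    # username -> access
    groups: dict = field(default_factory=dict)   # groupname -> access


def effective_access(acl, user, member_of):
    """Return the access `user` receives under the three rules in the text."""
    # Rule 1: the owner or an explicitly named user gets exactly that row.
    if user == acl.owner:
        return acl.owner_access
    if user in acl.users:
        return acl.users[user]
    # Rule 2: members of named groups get the union over all of their groups.
    named = [g for g in member_of if g in acl.groups]
    if named:
        return frozenset().union(*(acl.groups[g] for g in named))
    # Rule 3: everyone else gets the "anyone" row.
    return acl.anyone_access


# Constructed sample ACL: mallory is listed with every checkbox unchecked.
SAMPLE = Acl(
    owner="alice",
    owner_access=frozenset({"read", "write"}),
    anyone_access=frozenset(),
    users={"mallory": frozenset()},
    groups={"staff": frozenset({"read"}), "editors": frozenset({"write"})},
)

if __name__ == "__main__":
    cases = [("alice", []), ("bob", ["staff", "editors"]),
             ("mallory", ["staff"]), ("carol", ["guests"])]
    for who, groups in cases:
        print(who, sorted(effective_access(SAMPLE, who, groups)))
```

In the sample, mallory belongs to staff but receives no access, because a named user row is applied exactly and group rows are never consulted; this is why unchecking every checkbox on a user row works as a deny.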
Access to the directory can be modified by checking the desired access checkboxes and clicking on the upper "Modify Access" button. If you wish to specify access allowed by a user or group that doesn't appear in the ACL, use one of the blank entries at the end of the ACL to choose either user or group, specify the username or groupname and select the desired access. If you wish to deny all access to a user or group that appears in the ACL, uncheck all of the access checkboxes and click on the upper "Modify Access" button.
There are two ways to make sweeping changes to the ACLs of multiple files and directories at once when viewing a directory ACL.
If you wish to apply the access specified for the directory recursively to the directory and all files and subdirectories therein, check the "recursively" checkbox before clicking on the upper "Modify Access" button. Note that search access translates to execute access when applied to files, and insert and delete access have no relevance when applied to files.
If you wish to apply the access specified for the directory to selected files and subdirectories within the directory, check the checkboxes in the left margin next to the selected files and subdirectories, and click on the lower "Modify Access" button. If you wish to apply the access specified for the directory recursively to selected files and subdirectories and all files and subdirectories therein, check the "recursively" checkbox before clicking on the lower "Modify Access" button. Note that search access translates to execute access when applied to files, and insert and delete access have no relevance when applied to files.
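To preview what a recursive "Modify Access" does before clicking it, the translation rule can be modelled as below. This is an added example, not the system's own code; the in-memory tree, the ACL row labels and the permission set are constructed assumptions built from the access names the text mentions.

```python
DIR_ONLY = {"insert", "delete"}  # no relevance when applied to files


def to_file_access(dir_access):
    """Translate directory access into the access a file receives."""
    out = set()
    for perm in dir_access:
        if perm == "search":
            out.add("execute")        # search translates to execute on files
        elif perm not in DIR_ONLY:
            out.add(perm)             # read and write carry over unchanged
    return frozenset(out)


def apply_recursively(tree, acl, path=""):
    """tree: nested dict (dict = directory, None = file). Returns {path: acl}."""
    result = {path or "/": dict(acl)}
    for name, child in tree.items():
        child_path = f"{path}/{name}"
        if child is None:
            result[child_path] = {who: to_file_access(a) for who, a in acl.items()}
        else:
            result.update(apply_recursively(child, acl, child_path))
    return result


def readable_by_anyone(result):
    """Audit helper: every path the 'anyone' row can read after the change."""
    return sorted(p for p, acl in result.items() if "read" in acl["anyone"])


# Constructed sample: a directory holding one file and one private subdirectory.
TREE = {"notes.txt": None, "private": {"key.pem": None}}
DIR_ACL = {
    "user:alice": frozenset({"read", "write", "search", "insert", "delete"}),
    "anyone": frozenset({"read", "search"}),
}

if __name__ == "__main__":
    applied = apply_recursively(TREE, DIR_ACL)
    for p in readable_by_anyone(applied):
        print(p, sorted(applied[p]["anyone"]))
```

The audit lists `/private/key.pem` as readable by anyone, which is the unintended sweep the earlier caution about directory read access describes.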
Every directory has two additional ACLs--a default file ACL and default directory ACL--which determine ACLs on new files and directories created in the directory. The default file ACL can be viewed and modified by clicking on "new files in directory". The default directory ACL can be viewed and modified by clicking on "new directories in directory". Default file and directory ACLs can be modified and sweeping changes can be made at once as described above for file and directory ACLs. Careful attention to default file and directory ACLs ensures that the file system grows with the desired access controls.
Here is an example of a long form file ACL:
Each row in the ACL describes the access to the file allowed by a user or group. The first row shows the owner's username and access, the second row shows the primary group's groupname and access, the third row shows the access allowed by anyone on the Internet, and the subsequent rows show additional users' and groups' names and access.
If the owner or other users explicitly named in the ACL try to access the file, they have exactly the access allowed by that row of the ACL. If members of a group named in the ACL try to access the file, they have the collective access allowed by every group in which they are a member. If any other users try to access the file, they have the access allowed by anyone on the Internet.
Access to the file can be modified by checking the desired access checkboxes and clicking on the "Modify Access" button. If you wish to specify access allowed by a user or group that doesn't appear in the ACL, use one of the blank entries at the end of the ACL to choose either user or group, specify the username or groupname and select the desired access. If you wish to deny all access to a user or group that appears in the ACL, uncheck all of the access checkboxes and click on the "Modify Access" button.