5.1.5.2.3 ACL permissions

An ACL entry can define separate permissions for read, write, and execute (search, in the case of a directory).

5.1.5.2.4 Relationship to file permission bits

An ACL contains exactly one entry for each of the ACL_USER_OBJ, ACL_GROUP_OBJ, and ACL_OTHER types of tags, called the required ACL entries. An ACL can have between zero and a defined maximum number of entries of the ACL_GROUP and ACL_USER types. An ACL that has only the three required ACL entries is called a minimum ACL. ACLs with one or more ACL entries of the ACL_GROUP or ACL_USER types are called extended ACLs.

The standard UNIX file permission bits as described in the previous section are equivalent to the entries in the minimum ACL. The owner permission bits correspond to the entry of the ACL_USER_OBJ type. The entry of the ACL_GROUP_OBJ type represents the permission bits of the file group. The entry of the ACL_OTHER type represents the permission bits that apply to processes whose effective user ID differs from the one defined by the ACL_USER_OBJ entry and whose effective group ID and supplementary group IDs do not include the one defined by the ACL_GROUP_OBJ entry.

Minimum ACLs do not need to be stored on disk. The permission information contained in the inode is sufficient for the access check. When adding ACL entries to a file system object that did not previously have an explicit ACL, the kernel creates a minimum ACL based on the inode attributes, and then adds the new entries to that.

5.1.5.2.5 ACL_MASK

If an ACL contains an ACL_GROUP or ACL_USER type of entry, then exactly one entry of the ACL_MASK type is required in the ACL. Otherwise, the ACL_MASK type of entry is optional.

5.1.5.2.6 Default ACLs and ACL inheritance

A default ACL is an additional ACL that can be associated with a directory. This default ACL has no effect on access to the directory itself. Instead, the default ACL is used to initialize the ACL of any file created in this directory. When an object is created within a directory and no ACL is passed to the function creating the object, the new object inherits the default ACL of its parent directory as its initial ACL. This is implemented by ext3_create(), which invokes ext3_new_inode(), which in turn invokes ext3_init_acl() to set the initial ACL.

5.1.5.2.7 ACL representations and interfaces

ACLs are represented in the kernel as extended attributes. The kernel provides system calls such as getxattr(), setxattr(), listxattr(), and removexattr() to create and manipulate extended attributes. User space applications can use these system calls to create and maintain ACLs and other extended attributes. However, ACL applications normally do not call these system calls directly; they use the library functions provided by the POSIX 1003.1e-compliant libacl.so. Inside the kernel, the system calls are implemented using the getxattr, setxattr, listxattr, and removexattr inode operations. The kernel provides two additional inode operations, get_posix_acl() and set_posix_acl(), that allow other parts of the kernel to manipulate ACLs in an internal format that is more efficient to handle than the format used by the inode xattr operations.

In the ext3 disk-based file system, extended attributes are stored in a block of data accessible through the i_file_acl field of the inode. This extended attribute block stores name-value pairs for all extended attributes associated with the inode. These attributes are retrieved and used by appropriate access control functions.
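The following is an added example, not code from the evaluated system or this document: it decodes the extended-attribute value in which an access ACL is stored (the system.posix_acl_access format of sections 5.1.5.2.7) and then applies the entry-by-entry access check, including the ACL_MASK bound of section 5.1.5.2.5, to a constructed sample ACL. The uids, gids and sample entries are invented for illustration; the tag values, permission bits and xattr layout are those of the Linux POSIX ACL xattr format.

```python
import struct
# Header, tag and permission constants of the system.posix_acl_access xattr value
# (version 2 format), the representation the text says getxattr()/setxattr() work on.
POSIX_ACL_XATTR_VERSION = 2
ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER = 1, 2, 4, 8, 16, 32
ACL_READ, ACL_WRITE, ACL_EXECUTE = 4, 2, 1
ACL_UNDEFINED_ID = 0xFFFFFFFF  # id field of USER_OBJ, GROUP_OBJ, MASK and OTHER entries

def parse_acl_xattr(blob: bytes) -> list:
    """Decode an xattr value into (tag, perm, id) tuples: a 4-byte little-endian
    version header followed by 8-byte entries of u16 tag, u16 perm, u32 id."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != POSIX_ACL_XATTR_VERSION or (len(blob) - 4) % 8:
        raise ValueError("not a version-2 POSIX ACL xattr value")
    return [struct.unpack_from("<HHI", blob, off) for off in range(4, len(blob), 8)]

def build_acl_xattr(entries) -> bytes:
    """Inverse of parse_acl_xattr(); used below only to construct the sample value."""
    body = b"".join(struct.pack("<HHI", *e) for e in entries)
    return struct.pack("<I", POSIX_ACL_XATTR_VERSION) + body

def acl_permission(acl, owner_uid, owner_gid, uid, groups, want) -> bool:
    """Model of the kernel access check. Entries are scanned in order: USER_OBJ and OTHER
    grant their bits directly, USER/GROUP_OBJ/GROUP are bounded by ACL_MASK; a matching
    group entry that does not cover `want` is skipped in favour of a later group entry,
    and once any group entry matched the OTHER entry is never consulted."""
    mask = next((perm for tag, perm, _ in acl if tag == ACL_MASK), 7)  # minimum ACL: no mask
    group_matched = False
    for tag, perm, eid in acl:
        if tag == ACL_USER_OBJ and uid == owner_uid:
            return (perm & want) == want
        if tag == ACL_USER and uid == eid:
            return (perm & mask & want) == want
        if tag in (ACL_GROUP_OBJ, ACL_GROUP):
            if (owner_gid if tag == ACL_GROUP_OBJ else eid) in groups:
                group_matched = True
                if (perm & want) == want:
                    return (mask & want) == want
        if tag == ACL_OTHER:
            return not group_matched and (perm & want) == want
    return False  # malformed ACL: no ACL_OTHER entry

# Constructed sample: file owned by uid 1000 / gid 100 with mode rw-r-----, extended
# with user:1001:rw- and group:200:rw- but a mask of r-- that caps both of them.
SAMPLE_ACL = build_acl_xattr([
    (ACL_USER_OBJ, ACL_READ | ACL_WRITE, ACL_UNDEFINED_ID), (ACL_USER, ACL_READ | ACL_WRITE, 1001),
    (ACL_GROUP_OBJ, ACL_READ, ACL_UNDEFINED_ID), (ACL_GROUP, ACL_READ | ACL_WRITE, 200),
    (ACL_MASK, ACL_READ, ACL_UNDEFINED_ID), (ACL_OTHER, 0, ACL_UNDEFINED_ID),
])
def check(uid, groups, want) -> bool:  # access decision for the sample file
    return acl_permission(parse_acl_xattr(SAMPLE_ACL), 1000, 100, uid, groups, want)
```

The owner keeps write access because ACL_USER_OBJ is not subject to the mask, while the named user and named group lose it; a process in the owning group that asks for write is refused at the ACL_OTHER entry even though a later group entry would have granted it, which is the "first matching group that suffices" rule of the kernel check.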
