File ACE Example

Illustrates setting access control expressions for files.

Suppose the following sequence of file Access Control Expression (ACE) settings and corresponding POSIX mode bits are set for user u1.



As shown in the preceding illustration, in:

Step 1:

User u1 is granted permissions to read a file, sampleFile.

After the command runs, user u1 has permissions to (only) read the file. The POSIX mode bit for reading the file is set to u1 for owner/users.

There is no change in ACEs or POSIX mode bits for all other (write and execute) access types.

Step 2:

User u1 is granted permissions to write to the same file.

After the command runs, user u1 has permissions to write to the file. The POSIX mode bit for writing to the file is set to u1 for owner/users.

There is no change in ACEs or POSIX mode bits for all other (read and execute) access types.

Step 3:

User u1’s permissions are modified to remove write permission (using the empty string) and to grant access to execute file.

After the command runs, user u1 has permissions to execute the file, but user u1 can no longer write to the file. The POSIX mode bit for:
  • Writing to the file is set to 0 for owner/users, groups, and others.
  • Executing the file is set to u1 for owner/users.
NOTE
When the empty string ("") is used to deny a specific type of file access, that type of file access is denied to all users, groups, and roles. To deny access to specific users only, use the negation operator (!).

There is no change in ACEs or POSIX mode bits for all other (read) access types.