In the discussion of ACLs so far, we have been describing access ACLs. As its name implies, an access ACL is used in determining the permissions that a process has when accessing the file associated with the ACL. We can create a second type of ACL on directories: a default ACL.
A default ACL plays no part in determining the permissions granted when accessing the directory. Instead, its presence or absence determines the ACL(s) and permissions that are placed on files and subdirectories that are created in the directory. (A default ACL is stored as an extended attribute named system.posix_acl_default.)
To view and set the default ACL of a directory, we use the -d option of the getfacl and setfacl commands.
$ mkdir sub$ setfacl -d -m u::rwx,u:paulh:rx,g::rx,g:teach:rwx,o::- sub$ getfacl -d --omit-header subuser::rwx user:paulh:r-x group::r-x group:teach:rwx mask::rwx setfacl generated ACL_MASK entry automatically other::---
We can remove a default ACL from a directory using the setfacl -k option.
If a directory has a default ACL, then:
A new subdirectory created in this directory inherits the directory’s default ACL as its default ACL. In other words, default ACLs propagate down through a directory tree as new subdirectories are created.
A new file or subdirectory created in this directory inherits the directory’s default ACL as its access ACL. The ACL entries that correspond to the traditional file permission bits are masked (ANDed) against the corresponding bits of the mode argument in the system call (open(), mkdir(), and so on) used to create the file or subdirectory. By “corresponding ACL entries,” we mean:
ACL_USER_OBJ;
ACL_MASK or, if ACL_MASK is absent, then ACL_GROUP_OBJ; and
ACL_OTHER.
When a directory has a default ACL, the process umask (The Process File Mode Creation Mask: umask()) doesn’t play a part in determining the permissions in the entries of the access ACL of a new file created in that directory.
As an example of how a new file inherits its access ACL from the parent directory’s default ACL, suppose we used the following open() call to create a new file in the directory created above:
open("sub/tfile", O_RDWR | O_CREAT,
S_IRWXU | S_IXGRP | S_IXOTH); /* rwx--x--x */The new file would have the following access ACL:
$ getfacl --omit-header sub/tfile
user::rwx
user:paulh:r-x #effective:--x
group::r-x #effective:--x
group:teach:rwx #effective:--x
mask::--x
other::---If a directory doesn’t have a default ACL, then:
New subdirectories created in this directory also do not have a default ACL.
The permissions of the new file or directory are set following the traditional rules (The Process File Mode Creation Mask: umask()): the file permissions are set to the value in the mode argument (given to open(), mkdir(), and so on), less the bits that are turned off by the process umask. This results in a minimal ACL on the new file.