PROTECTION/ACLS -- Details about Access Control Lists (ACLs)      85/03/19


  ACCESS CONTROL LIST

  Every  object  in the system (whether directory or file) has an access control
  list (ACL) that defines WHO may access that object, and in WHAT ways.  The ACL
  is  made  up  of  a  series of entries that consist of two elements: a subject
  identifier and a set of rights.  Each entry gives one  subject  the  right  to
  perform  some operations (read, write, delete, etc.) on the object that the ACL
  protects.  The entries are  automatically  arranged  in  increasing  order  of
  specificity.  That is, the ACLs for individuals appear before the ACLs for all
  users.

  SUBJECT IDENTIFIERS

  The subject identifier (SID) identifies those users to whom the specified  set
  of rights apply.  The SID is in the ppon format, i.e.:

       Person.Project.Organization.Node

       Barb.none.r_d.

  PERSON,  PROJECT,  and  ORGANIZATION  specify names that are in the associated
  network registry files.  The NODE identifier is a hexadecimal node id  number.
  You may use the wildcard, %, in any one of the "ppon" fields.

  By  convention, users with the project name BACKUP may create backup copies of
  files and directories on magnetic tape.  Users with the  project  name  BACKUP
  need  read  (R)  access to files and directories.  EDACL issues a warning when
  you change an ACL in a way that denies BACKUP access.    However,  EDACL  does
  execute  the  command.    Ignore  the  warning  only if the object(s) does not
  require backup copies.  If the object(s) does require backup copies, edit  the
  ACL again and grant project BACKUP read access.

  ACCESS RIGHTS

  You may assign the following access rights to the types of objects indicated:

    Any objects:
         p        protect rights; allow rights to be changed
         g        grant rights; allow creation of new entries with a subset of
                  creator's rights
         n        change node list rights; allows CD, CN commands

    Files:
         d        delete rights; allows file to be deleted
         w        write rights; allows file to be written
         r        read rights; allows file to be read
         x        execute rights

    Directories:
         d        delete rights; allows directory to be deleted
         c        change rights; allows names to be changed, and links
                  to be deleted
         a        append rights; allows files and subdirectories to be
                  added to directory
         l        link rights; allows links to be added to directory
         r        read rights; allows directory to be listed
         s        search rights; allows directory to be searched for
                  subordinate objects (for DOMAIN/IX)
         e        expunge rights; allows subordinate objects to be
                  deleted provided delete rights are also available
                  for the subordinate object (for DOMAIN/IX)


  SPECIFYING ACCESS RIGHTS

  You  may  specify  access  rights  individually or in groups.  Table 1, below,
  defines individual access rights.  Table 2 defines the abbreviations  you  may
  use to specify commonly assigned rights in groups.

                                Table 1.
                  Access Rights for Files and Directories

   ___________________________________________________________________________
  |              |              |                   |                         |
  | Access Right | Abbreviation |    Meaning for    |      Meaning for        |
  |              |              |    Directories    |         Files           |
  |==============|==============|===================|=========================|
  |              |              |                                             |
  |  Protect     |      P       |      Change the object's ACL.               |
  |______________|______________|_____________________________________________|
  |              |              |                                             |
  |  Grant       |      G       |      Grant any subset of your rights        |
  |              |              |      to other users                         |
  |______________|______________|_____________________________________________|
  |              |              |                                             |
  |  Node        |      N       |       Change the nodes from which           |
  |              |              |       users may access the object           |
  |______________|______________|_____________________________________________|
  |              |              |                   |                         |
  |  Delete      |      D       |      Delete       |   Delete the file       |
  |              |              |   the directory   |                         |
  |______________|______________|___________________|_________________________|
  |              |              |                   |                         |
  |  Read        |      R       |  List entries     |  Read file contents     |
  |______________|______________|___________________|_________________________|
  |              |              |                   |                         |
  |  Write       |      W       |                   |  Write to the file      |
  |______________|______________|___________________|_________________________|
  |              |              |                   |                         |
  |  Execute     |      X       |                   |  Execute object file    |
  |______________|______________|___________________|_________________________|
  |              |              |                   |                         |
  |  Change      |      C       |  Change names and |                         |
  |              |              |  delete links     |                         |
  |______________|______________|___________________|_________________________|
  |              |              |                   |                         |
  |  Links       |      L       |  Add links        |                         |
  |______________|______________|___________________|_________________________|
  |              |              |                   |                         |
  |  Add         |      A       |  Add files and    |                         |
  |              |              |  subdirectories   |                         |
  |______________|______________|___________________|_________________________|
  |              |              |                   |                         |
  |  Search      |      S       |  Allow directory  |                         |
  |  (DOMAIN/IX) |              |  to be searched   |                         |
  |              |              |  for subordinate  |                         |
  |              |              |  objects          |                         |
  |______________|______________|___________________|_________________________|
  |              |              |                   |                         |
  |  Expunge     |      E       |  Allow subordinate|                         |
  |  (DOMAIN/IX) |              |  object(s) to be  |                         |
  |              |              |  deleted (assumes |                         |
  |              |              |  'D' rights on    |                         |
  |              |              |  the objects)     |                         |
  |______________|______________|___________________|_________________________|


    NOTE:  To delete a tree you need directory delete rights, directory change
           rights (if the directory contains links) and file delete rights
           (if the directory contains files).


                               Table 2.
                 Abbreviations for Commonly Assigned Rights

   ____________________________________________________________________
  |              |                       |               |             |
  |    Term      |      Meaning          |  Directories  |   Files     |
  |==============|=======================|===============|=============|
  |              |                       |               |             |
  |   -OWNER     |     All rights        |  PGNDCALRSE   |   PGNDWRX   |
  |______________|_______________________|_______________|_____________|
  |              |                       |               |             |
  |   -USER      |  All rights except    |  DCALRSE      |   DWRX      |
  |              | ability to change ACL |               |             |
  |______________|_______________________|_______________|_____________|
  |              |                       |               |             |
  |   -READ      |   File read access    |  not allowed  |   R         |
  |______________|_______________________|_______________|_____________|
  |              |                       |               |             |
  |   -EXEC      |  File read access     |  not allowed  |   RX        |
  |              |  Execute access to    |               |             |
  |              |   object files        |               |             |
  |______________|_______________________|_______________|_____________|
  |              |                       |               |             |
  |   -LDIR      |  List directories     |  RSE          | not allowed |
  |______________|_______________________|_______________|_____________|
  |              |                       |               |             |
  |   -ADIR      |  List directories and |  ALRSE        | not allowed |
  |              |    add entries        |               |             |
  |______________|_______________________|_______________|_____________|
  |              |                       |               |             |
  |   -NONE      | Grant no rights for   |  SE or None   |   None      |
  |              | DOMAIN operation.     |               |             |
  |              | DOMAIN/IX access is   |               |             |
  |              | still allowed unless  |               |             |
  |              | -UNIX was present on  |               |             |
  |              | the command line, in  |               |             |
  |              | which case all        |               |             |
  |              | directory rights are  |               |             |
  |              | revoked.              |               |             |
  |______________|_______________________|_______________|_____________|

  NOTES

  EDACL  will  not allow an operation that would restrict everyone from changing
  an ACL.  At least one user must have the right to change the ACL (P).

  You need N (change node) rights to change an object's node list, or  to  grant
  other users N rights.

  The -CDN and -CN commands require N (change node) rights.  When a user without
  N rights adds an entry to an ACL, that entry will always receive  the  default
  node ID (%), even if the user specifies a different node ID.

  Objects  that  are  part of protected subsystems indicate this when their ACLs
  are displayed.
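
  The following Python model is an added example, not part of the original
  help text and not Apollo code. It covers ppon SIDs with the % wildcard, the
  Files column of Table 2, and the two EDACL rules above (someone must keep P;
  warn when project BACKUP loses R). The entry ordering, the "first matching
  entry decides" rule and the sample SIDs are assumptions.

```python
# Added model of the rules on this page; not Apollo's implementation.
FILE_RIGHTS = set("pgndwrx")
# Table 2, Files column (terms marked "not allowed" for files are omitted).
FILE_TERMS = {"-owner": "pgndwrx", "-user": "dwrx", "-read": "r",
              "-exec": "rx", "-none": ""}

def parse_sid(text):
    """Split a ppon SID into (person, project, organization, node)."""
    fields = tuple(text.lower().split("."))
    if len(fields) != 4 or not all(fields):
        raise ValueError(f"not a ppon SID: {text!r}")
    return fields

def sid_matches(entry_sid, user_sid):
    """Each entry field must be the % wildcard or equal the user's field."""
    return all(e in ("%", u) for e, u in zip(entry_sid, user_sid))

def build_acl(entries):
    """Build a file ACL from (sid, rights-or-term) pairs, individuals first."""
    acl = []
    for sid, spec in entries:
        rights = set(FILE_TERMS.get(spec.lower(), spec.lower()))
        if not rights <= FILE_RIGHTS:
            raise ValueError(f"not valid for files: {spec!r}")
        acl.append((parse_sid(sid), rights))
    # Assumed ordering: a named person outranks a named project, and so on.
    return sorted(acl, key=lambda entry: [f == "%" for f in entry[0]])

def rights_for(acl, user):
    """Assumed semantics: the first matching entry in ACL order decides."""
    user_sid = parse_sid(user)
    for sid, rights in acl:
        if sid_matches(sid, user_sid):
            return rights
    return set()

def edacl_checks(acl, backup_user="operator.backup.none.1a2b"):
    """Return (allowed, warnings) for the two EDACL rules described above."""
    allowed = any("p" in rights for _, rights in acl)  # someone must keep P
    warnings = []
    if "r" not in rights_for(acl, backup_user):        # constructed BACKUP user
        warnings.append("project BACKUP loses read access")
    return allowed, warnings

# Constructed sample ACL for a file.
SAMPLE = build_acl([("%.%.%.%", "-read"), ("%.backup.%.%", "r"),
                    ("barb.none.r_d.%", "-owner")])
```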

  ACLS AND DIRECTORIES

  In addition to its own  ACL,  each  directory  contains  two  additional  ACLs
  (called  "initial ACLs"): one for new files and another for new subdirectories
  created within that directory.  When you create a new file  or  directory,  or
  copy one to a new location in the file hierarchy, the system assigns an ACL to
  it by copying the appropriate initial ACL  stored  in  the  parent  directory.
  When  the  newly  created object is a directory, the two initial ACLs from the
  parent are  replicated  in  the  new  subdirectory,  unless  you  specifically
  indicate  otherwise (see the CPT (COPY_TREE) command).  The various options on
  the EDACL and ACL commands determine which of  these  several  access  control
  lists you are editing, copying or displaying.
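
  The following Python model is an added example, not part of the original
  help text and not Apollo code. It shows the copy behaviour described above
  and, as a consequence of copying in this model, that tightening a parent's
  initial ACL does not reach objects that already exist. The class and
  function names, paths, SIDs and rights strings are constructed for
  illustration.

```python
import copy

class Node:
    """A file or directory with its own ACL (dict: SID -> rights string)."""
    def __init__(self, name, acl, is_dir=False, init_file=None, init_dir=None):
        self.name, self.acl, self.is_dir = name, acl, is_dir
        self.init_file = init_file or {}   # initial ACL for new files
        self.init_dir = init_dir or {}     # initial ACL for new subdirectories
        self.children = []

    def create(self, name, is_dir=False):
        """New object gets a copy of the parent's matching initial ACL."""
        source = self.init_dir if is_dir else self.init_file
        child = Node(name, copy.deepcopy(source), is_dir)
        if is_dir:  # default behaviour: both initial ACLs are replicated
            child.init_file = copy.deepcopy(self.init_file)
            child.init_dir = copy.deepcopy(self.init_dir)
        self.children.append(child)
        return child

def drifted(directory, path=""):
    """List paths whose ACL no longer equals the parent's current initial ACL."""
    found = []
    for child in directory.children:
        here = f"{path}/{child.name}"
        expected = directory.init_dir if child.is_dir else directory.init_file
        if child.acl != expected:
            found.append(here)
        if child.is_dir:
            found.extend(drifted(child, here))
    return found

def demo():
    # Constructed tree; SIDs and rights are sample values.
    root = Node("proj", {"barb.none.r_d.%": "pgndcalrse"}, True,
                init_file={"%.%.%.%": "dwrx"}, init_dir={"%.%.%.%": "dcalrse"})
    root.create("notes.txt")
    sub = root.create("src", is_dir=True)
    sub.create("main.pas")
    before = drifted(root)
    root.init_file = {"%.%.%.%": "r"}      # tighten the default for new files
    root.create("new.txt")
    return before, drifted(root)
```

  In the model, notes.txt keeps the old rights, and src keeps its replicated
  initial ACLs, so new files created under src would still receive the old
  default.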


RELATED TOPICS

  More information is available.  Type:

  - HELP PROTECTION SIDS
   for more information on SIDs.

  - HELP PROTECTION RIGHTS
   for more information on access rights.

  - HELP ACLS
   for more information on the commands that manipulate ACLs.

  - HELP PROTECTED_SUBSYSTEMS
   for more information on the commands that maintain protected subsystems.

  - HELP PROTECTION PROTECTED_SUBSYSTEMS
   for a detailed description of protected subsystems.

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026