Access control lists



Last revision August 3, 2004

Table of Contents:
  1. The Unix file system
  2. The directory tree
  3. File ownership and permissions
    1. chmod
    2. Access Control Lists
  4. Files as units
  5. Examining file contents
  6. Other commands
  7. Standard Files and Data Pipes

Traditional Unix file access controls are based on the simple division shown above between the file's owner, the associated group, and the rest of the world.

Many modern Unix file systems contain a more flexible permission scheme called an access control list or ACL. In this scheme, specific permissions may be granted to specific accounts, rather than just to groups. In addition, default permissions may be assigned to directories that are inherited by all files created in that directory.

The AFS distributed file system used by the campus-wide leland systems here at Stanford uses such an access control list. Pangea also has access control lists available for all files on its disks. They are set or cleared with the setacl command and viewed with the getacl command. ACL settings are not shown by the normal ls command.

On pangea, there are three types of ACLs that can be set with the setacl command:

  1. An access ACL is set for individual files or directories and applies only to that file or directory.
  2. A default directory ACL is set for a directory, and applies as the access ACL for any subdirectory created therein. It also becomes the default directory ACL for that subdirectory. In other words, default directory ACLs are used to set inheritable permissions for all the subdirectories in a directory tree.
  3. A default access ACL is set for a directory and applies as the access ACL for any file created (or linked) in that directory. If no default directory ACL is set, it is also applied as the access ACL of any subdirectory created within the directory. In either case, the default access ACL itself is inherited as the default access ACL of every subdirectory created. In other words, default access ACLs set inheritable permissions for all files created within a directory tree and for all subdirectories, unless separate inheritable permissions for subdirectories are set with a default directory ACL.
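The inheritance rules in the list above, worked through as an added example in Python (a model constructed here, not pangea's setacl/getacl code): each node carries the three ACL kinds, and creating a file or subdirectory applies the rules from the list. The account names alice and bob and the directory names are made up.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed model of the three ACL kinds described above (not pangea's own
# setacl/getacl code). An ACL maps an account or group name to permissions.
ACL = Dict[str, str]

@dataclass
class Node:
    name: str
    is_dir: bool
    access: ACL = field(default_factory=dict)   # access ACL
    default_dir: Optional[ACL] = None           # default directory ACL
    default_access: Optional[ACL] = None        # default access ACL

def create_file(parent: Node, name: str) -> Node:
    """A file created in a directory gets that directory's default access ACL."""
    if not parent.is_dir:
        raise ValueError("files can only be created inside a directory")
    return Node(name, False, access=dict(parent.default_access or {}))

def create_dir(parent: Node, name: str) -> Node:
    """Access ACL comes from the default directory ACL, falling back to the
    default access ACL; both defaults are inherited by the subdirectory."""
    if not parent.is_dir:
        raise ValueError("directories can only be created inside a directory")
    inherited = parent.default_dir if parent.default_dir is not None else parent.default_access
    copy = lambda acl: None if acl is None else dict(acl)
    return Node(name, True, access=dict(inherited or {}),
                default_dir=copy(parent.default_dir),
                default_access=copy(parent.default_access))

def demo() -> Dict[str, ACL]:
    """Apply the rules to a small tree and return each new node's access ACL."""
    # Both default ACLs set: new files and new subdirectories get different ACLs.
    project = Node("project", True, access={"owner": "rwx"},
                   default_access={"owner": "rw-", "alice": "r--"},
                   default_dir={"owner": "rwx", "alice": "r-x"})
    src = create_dir(project, "src")
    readme = create_file(project, "README")
    main_c = create_file(src, "main.c")  # src inherited both defaults from project
    # Only a default access ACL set: a new subdirectory falls back to it.
    scratch = Node("scratch", True, access={"owner": "rwx"},
                   default_access={"owner": "rw-", "bob": "rw-"})
    tmp = create_dir(scratch, "tmp")
    return {"src": src.access, "README": readme.access,
            "src/main.c": main_c.access, "scratch/tmp": tmp.access}
```

Note that, as on a real system, changing a default ACL later does not revisit files and subdirectories that were already created; only new entries pick it up.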

Please see the on-line manual entries on pangea for setacl and getacl to learn how to use them.
