The standard UNIX file system permissions are now simply called trivial-ACLs.
For plenty of information on ACLs, refer to acl(5).
Each ACL has many ordered allowing and/or denying ACEs combining the following permission and inheritance flags associated to a certain account.
The following is a list of just the permission flags:
(theoretically the most difficult part of an ACL)
flag file directory (not its contents)
w write_data add_file (+modify, +delete)
x execute execute (=search, =enter)
p append_data add_subdirectory
D delete_child
d delete delete
a read_attributes (ls -l)
A write_attributes
R read_xattr
W write_xattr
c read_acl
C write_acl
o write_owner
s synchronize (not supported)
At least in Solaris, the compact form of an ACE comprises 4 parts delimited by colons and which are displayed with the -V option of ls(1). As a minimal example, the following ACL has just a single ACE:
prime@box-01:/export/project# ll -V Europe/Memo-01.txt
-rwx------+ 1 prime staff ... Europe/Memo-01.txt
user:prime:rwxpdDaARWcCos:-------:allow
Briefly, these 4 parts are:
- The account (sometimes called principal or identity).
It can be one of the following:
- owner@ - for the Current Owner (prime)
- group@ - for the Current Group (staff)
- everyone@ - for the rest of the world
- user:<account> - for any other user account
- group:<account> - for any other group account
- The permission flags already described.
- The inheritance flags:
(it's advisable not to mix f and d on a single ACE)
(only the last 2 seem more reasonable applicable to files)
f-i---- - Only applies to new files
f--n--- - Also inherit just one level down to new files
-d----- - Also inherit to new subdirectories
-di---- - Only applies to new subdirectories
-d-n--- - Also inherit just one level down to new subdirectories
------- - No inheritance; all permissions are local only
------I - The permissions have been inherited
- The type of the ACE.
Solaris 11.3 supports just 2 types: allow or deny.
The deny type supports reasoning in terms of complements.
(for instance: No Access could be thought as deny Full Control)
The n flag in the inheritance flags (part 3 above) is a kind of general idiom when some sort of inheritance or hierarchy is involved. It's sort of a practical way of referring to the immediate (first generation) children of a parent.As seen above, more options were added to the ls (the v|V options) and chmod (the A option) commands in order to allow managing these extended permissions. In addition, zfs(1M) properties (such as aclmode / aclinherit) affects the overall behavior as well.
To help start understanding the big picture of these complex extended permissions, it can be useful take a look at how are they generally gathered together in permissions sets as well as a few examples.
As extension to the topic in may be interesting to find out about mapping NFSv4 permissions to Windows environments or more generally to any platform that talks the SMB/CIFS protocol where permissions have to be dealt with.