z/OS UNIX System Services Planning


Working with default ACLs

GA32-0884-00

To facilitate management of ACLs, you can define a default ACL in a directory; it is then automatically inherited by each file or subdirectory that is subsequently created in that directory. There are two kinds of default ACL:
  • The file default ACL is copied to a newly created file as its access ACL. It is also copied to a newly created subdirectory as its file default ACL.
  • The directory default ACL is copied to a newly created subdirectory as both its access ACL and directory default ACL. You can modify or delete inherited ACLs later.

Default ACLs have the same format as access ACLs.

Examples: Following are examples of working with default ACLs:
  1. Define a directory default ACL for the directory named /u/ProjectX.
    setfacl -m default:group:admins:r-x,default:group:dirgrp:rwx /u/ProjectX 
    The entries contain an extra qualifier to designate the directory default ACL. The groups named admins and dirgrp will automatically get access to any new subdirectories created within /u/ProjectX. Creating a default ACL will not grant access to directories that already exist.
  2. Display the directory default ACL created in Step 1.
    getfacl -d  /u/ProjectX
    #file:  /u/ProjectX 
    #owner: TCPAUTO         
    #group: SYS1             
    default:group:ADMINS:r-x   
    default:group:DIRGRP:rwx  
    The -d option says to display only the extended ACL entries in the directory default ACL.
  3. Define a file default ACL for the directory named /u/ProjectX, and all of its subdirectories.
    setfacl -m fdefault:group:admins:r--,fdefault:group:dirgrp:rw- $(find /u/ProjectX -type d)
    The extra entry qualifier in this case designates the file default ACL. The list of entries after -m must be a single argument, so do not put a space after the comma. Because a default ACL is not applied to directories that already exist, the find command supplies every existing directory in the subtree; subdirectories created afterward inherit the file default ACL automatically. The groups named admins and dirgrp will automatically get access to any new files created within the /u/ProjectX subtree. Creating a default ACL will not grant access to files that already exist.
  4. Display the contents of all of the ACL types for the directory named /u/ProjectX.
    getfacl -adf  /u/ProjectX
    #file:  /u/ProjectX
    #owner: TCPAUTO           
    #group: SYS1               
    user::rwx                 
    group::r-x                
    other::r-x                
    user:JOE:--x              
    fdefault:group:ADMINS:r--    
    fdefault:group:DIRGRP:rw-    
    default:group:ADMINS:r-x     
    default:group:DIRGRP:rwx    
    This example requests the access ACL (the a option), the directory default ACL (the d option), and the file default ACL (the f option). The base permission bits are displayed when the a option is specified (or defaulted).

Guideline: Analyze your file system space utilization before implementing default ACLs in your file system. If you use both file and directory default ACLs in every directory in the file system, a separate physical ACL is created for every new file and directory. Using an access ACL for every directory will probably not cause concerns about space utilization. However, the same cannot be said of files, especially if the inherited ACLs are large.

Tip: ACLs are not inherited across mount points. Suppose that you have a default ACL defined on the directory /dir1/dir2. You decide to create another directory, /dir1/dir2/dir3, and use it as a mount point on which to mount another file system. However, if you do so, the root directory of the mounted file system will not inherit the default ACL which had been established at /dir1/dir2. If you want the default ACLs of dir2 to apply to dir3, you must copy them to dir3 after dir3 has been mounted.
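The following script is an added example and is not code from this manual or from z/OS itself. It parses the getfacl -adf listing format shown in Step 4 and applies the two inheritance rules stated at the top of this topic, plus the mount-point rule from the Tip above, to predict which extended ACL entries a new file or subdirectory would receive anywhere beneath /u/ProjectX. The sample listing is constructed from the output in Step 4, and the function names (parse_getfacl, inherit, predict, who_can_write_new_file) are this example's own, not z/OS commands. A practitioner can use it to check, before enabling default ACLs, who would gain write access to files that do not exist yet.

```python
"""Predict what new files and directories inherit from z/OS default ACLs.

Added example (not code from the z/OS UNIX System Services Planning manual).
It parses the getfacl -adf output format shown on this page and applies the
inheritance rules stated there, plus the rule that the root of a mounted
file system does not inherit. Function names are this example's own.
"""
from dataclasses import dataclass, field

# Constructed sample: the getfacl -adf listing for /u/ProjectX from Step 4.
SAMPLE_GETFACL = """\
#file:  /u/ProjectX
#owner: TCPAUTO
#group: SYS1
user::rwx
group::r-x
other::r-x
user:JOE:--x
fdefault:group:ADMINS:r--
fdefault:group:DIRGRP:rw-
default:group:ADMINS:r-x
default:group:DIRGRP:rwx
"""


@dataclass
class Acls:
    """Extended entries of each ACL type, keyed 'user:NAME' or 'group:NAME'."""
    access: dict = field(default_factory=dict)
    file_default: dict = field(default_factory=dict)   # fdefault: entries
    dir_default: dict = field(default_factory=dict)    # default: entries


def parse_getfacl(text):
    """Parse getfacl -adf output. Base mode bits (user::, group::, other::) are
    skipped: they are not extended ACL entries and are not carried by defaults."""
    acls = Acls()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if parts[0] == "fdefault":
            acls.file_default[f"{parts[1]}:{parts[2]}"] = parts[3]
        elif parts[0] == "default":
            acls.dir_default[f"{parts[1]}:{parts[2]}"] = parts[3]
        elif parts[1]:  # user:JOE:--x, not the base entry user::rwx
            acls.access[f"{parts[0]}:{parts[1]}"] = parts[2]
    return acls


def inherit(parent, kind, is_mount_root=False):
    """ACLs of a new object created directly under a directory holding `parent`.

    file default -> new file's access ACL; new subdirectory's file default ACL
    dir  default -> new subdirectory's access ACL and directory default ACL
    The root of a file system mounted on a subdirectory inherits nothing.
    """
    if is_mount_root:
        return Acls()
    if kind == "file":
        return Acls(access=dict(parent.file_default))
    if kind == "dir":
        return Acls(access=dict(parent.dir_default),
                    file_default=dict(parent.file_default),
                    dir_default=dict(parent.dir_default))
    raise ValueError(f"unknown object kind: {kind}")


def predict(parent, components, last_is_file, mount_roots=frozenset()):
    """Walk a path that is about to be created beneath the directory holding
    `parent`. components: names relative to that directory, e.g. ["sub", "x"].
    mount_roots: relative paths (like "/dir3") that are mount points.
    Returns the Acls the final component would receive."""
    current, rel = parent, ""
    for i, name in enumerate(components):
        rel = f"{rel}/{name}"
        last = i == len(components) - 1
        kind = "file" if (last and last_is_file) else "dir"
        current = inherit(current, kind, is_mount_root=rel in mount_roots)
    return current


def who_can_write_new_file(parent):
    """Entries that would grant write access to a brand-new file: the
    least-privilege check worth running before enabling a file default ACL."""
    return sorted(k for k, p in parent.file_default.items() if "w" in p)


if __name__ == "__main__":
    top = parse_getfacl(SAMPLE_GETFACL)
    # A file two levels down still gets the file default, because each new
    # subdirectory receives the parent's file default as its own.
    print(predict(top, ["sub", "notes.txt"], True).access)
    # Nothing crosses a mount point (see the Tip above).
    print(predict(top, ["dir3", "notes.txt"], True, {"/dir3"}).access)
    print(who_can_write_new_file(top))
```

Feed it the real output of getfacl -adf on the directory you are about to hand to a project, and compare who_can_write_new_file against the groups that are supposed to own the data; a directory default ACL that looks harmless on the directory itself can still hand out write access on every file created later.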





Copyright IBM Corporation 1990, 2014