There are three kinds of ACLs:
- Access ACLs are ACLs that are used to provide protection for a file system object.
- File default ACLs are default ACLs that are inherited by files created within the parent directory. The file inherits the default ACL as its access ACL. Directories also inherit the file default ACL as their file default ACL.
- Directory default ACLs are default ACLs that are inherited by subdirectories created within the parent directory. The directory inherits the default ACL as its directory default ACL and as its access ACL.
Inheritance is the act of automatically associating an ACL
with a newly created object. Administrative action is not needed.
See Working with default ACLs for more information.
There are two kinds of ACL entries:
- Base ACL entries are the same as permission bits (owner, group, other). You can change the permissions using chmod or setfacl. They are not physically part of the ACL, although you can use setfacl to change them and getfacl to display them.
- Extended ACL entries are ACL entries for individual users or groups; like the permission bits, they are stored with the file, not in RACF® profiles. Each ACL type (access, file default, directory default) can contain up to 1024 extended ACL entries. Each extended ACL entry specifies a qualifier to indicate whether the entry pertains to a user or a group, the actual UID or GID itself, and the permissions being granted or denied by this entry. The allowable permissions are read, write, and execute. As with other UNIX commands, setfacl allows the use of either names or numbers when referring to users and groups.
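The inheritance rules above are easy to misread when auditing why a newly created file or subdirectory carries permissions nobody set explicitly. The following Python model is an added example, not z/OS code and not the setfacl/getfacl interface; the names Node, AclEntry, set_acl, create_file, create_dir and grants are assumptions made for illustration. It encodes the three ACL types, the user/group qualifier, the rwx permissions and the 1024-entry cap exactly as described, and shows what a file and a subdirectory inherit from their parent.

```python
from dataclasses import dataclass, field

MAX_EXTENDED = 1024  # cap per ACL type (access, file default, directory default)

@dataclass(frozen=True)
class AclEntry:
    """One extended ACL entry: a user or group qualifier, its UID/GID, and rwx perms."""
    kind: str   # "user" or "group"
    id_: int    # the UID or GID
    perms: str  # any subset of "rwx", e.g. "rw"

    def __post_init__(self):
        if self.kind not in ("user", "group"):
            raise ValueError("qualifier must be 'user' or 'group'")
        if set(self.perms) - set("rwx"):
            raise ValueError("permissions are limited to r, w, x")

@dataclass
class Node:
    """A file or directory with its access ACL and, for directories, its two default ACLs."""
    name: str
    is_dir: bool
    access: list = field(default_factory=list)
    file_default: list = field(default_factory=list)  # directories only
    dir_default: list = field(default_factory=list)   # directories only

def set_acl(node, acl_type, entries):
    """Replace one ACL type, enforcing the 1024-entry cap and that files carry no defaults."""
    if acl_type != "access" and not node.is_dir:
        raise ValueError("default ACLs exist only on directories")
    if len(entries) > MAX_EXTENDED:
        raise ValueError("too many extended ACL entries")
    setattr(node, acl_type, list(entries))
    return node

def create_file(parent, name):
    """A new file inherits the parent's file default ACL as its access ACL."""
    return Node(name, False, access=list(parent.file_default))

def create_dir(parent, name):
    """A new subdirectory inherits the parent's directory default ACL as both its
    access ACL and its directory default ACL, and the parent's file default ACL
    as its own file default ACL."""
    return Node(name, True,
                access=list(parent.dir_default),
                file_default=list(parent.file_default),
                dir_default=list(parent.dir_default))

def grants(node, perm):
    """Audit helper: (kind, id) pairs whose access ACL entry carries `perm`."""
    return [(e.kind, e.id_) for e in node.access if perm in e.perms]
```

Walking a tree with create_dir and create_file from a constructed root shows that a file default ACL set once at the top keeps reappearing as the access ACL of every file created at any depth, which is the behaviour to check for when reviewing who can write under a shared directory.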