Download Safari Books Online apps: Apple iOS | Android

Entire Site

Safari Books Online

    Free Trial

    Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.


    Copyright
    Praise for The Linux Programming Interface
    Dedication
    Preface
    Ch. 1. History and Standards
    Ch. 2. Fundamental Concepts
    Ch. 3. System Programming Concepts
    Ch. 4. File I/O: The Universal I/O Model
    Ch. 5. File I/O: Further Details
    Ch. 6. Processes
    Ch. 7. Memory Allocation
    Ch. 8. Users and Groups
    Ch. 9. Process Credentials
    Ch. 10. Time
    Ch. 11. System Limits and Options
    Ch. 12. System and Process Information
    Ch. 13. File I/O Buffering
    Ch. 14. File Systems
    Ch. 15. File Attributes
    Ch. 16. Extended Attributes
    Ch. 17. Access Control Lists
    Overview
    ACL Permission-Checking Algorithm
    Long and Short Text Forms for ACLs
    The ACL_MASK Entry and the ACL Group Class
    The getfacl and setfacl Commands
    Default ACLs and File Creation
    ACL Implementation Limits
    The ACL API
    Summary
    Exercise
    Ch. 18. Directories and Links
    Ch. 19. Monitoring File Events
    Ch. 20. Signals: Fundamental Concepts
    Ch. 21. Signals: Signal Handlers
    Ch. 22. Signals: Advanced Features
    Ch. 23. Timers and Sleeping
    Ch. 24. Process Creation
    Ch. 25. Process Termination
    Ch. 26. Monitoring Child Processes
    Ch. 27. Program Execution
    Ch. 28. Process Creation and Program Execution in More Detail
    Ch. 29. Threads: Introduction
    Ch. 30. Threads: Thread Synchronization
    Ch. 31. Threads: Thread Safety and Per-Thread Storage
    Ch. 32. Threads: Thread Cancellation
    Ch. 33. Threads: Further Details
    Ch. 34. Process Groups, Sessions, and Job Control
    Ch. 35. Process Priorities and Scheduling
    Ch. 36. Process Resources
    Ch. 37. Daemons
    Ch. 38. Writing Secure Privileged Programs
    Ch. 39. Capabilities
    Ch. 40. Login Accounting
    Ch. 41. Fundamentals of Shared Libraries
    Ch. 42. Advanced Features of Shared Libraries
    Ch. 43. Interprocess Communication Overview
    Ch. 44. Pipes and FIFOs
    Ch. 45. Introduction to System V IPC
    Ch. 46. System V Message Queues
    Ch. 47. System V Semaphores
    Ch. 48. System V Shared Memory
    Ch. 49. Memory Mappings
    Ch. 50. Virtual Memory Operations
    Ch. 51. Introduction to POSIX IPC
    Ch. 52. POSIX Message Queues
    Ch. 53. POSIX Semaphores
    Ch. 54. POSIX Shared Memory
    Ch. 55. File Locking
    Ch. 56. Sockets: Introduction
    Ch. 57. Sockets: UNIX Domain
    Ch. 58. Sockets: Fundamentals of TCP/IP Networks
    Ch. 59. Sockets: Internet Domains
    Ch. 60. Sockets: Server Design
    Ch. 61. Sockets: Advanced Topics
    Ch. 62. Terminals
    Ch. 63. Alternative I/O Models
    Ch. 64. Pseudoterminals
    Appx. A. Tracing System Calls
    Appx. B. Parsing Command-Line Options
    Appx. C. Casting the NULL Pointer
    Appx. D. Kernel Configuration
    Appx. E. Further Sources of Information
    Appx. F. Solutions to Selected Exercises
    Bibliography
    Appx. G. Updates
    Colophon
    Index
    • Create BookmarkCreate Bookmark
    • Create Note or TagCreate Note or Tag
    • DownloadDownload
    • PrintPrint
    Share this Page URL
    Help

    Chapter 17. Access Control Lists > ACL Permission-Checking Algorithm

    17.2. ACL Permission-Checking Algorithm

    Permission checking on a file that has an ACL is performed in the same circumstances as for the traditional file permissions model (Section 15.4.3). Checks are performed in the following order, until one of the criteria is matched:

    1. If the process is privileged, all access is granted. There is one exception to this statement, analogous to the traditional permissions model described in Section 15.4.3. When executing a file, a privileged process is granted execute permission only if that permission is granted via at least one of the ACL entries on the file.

    2. If the effective user ID of the process matches the owner (user ID) of the file, then the process is granted the permissions specified in the ACL_USER_OBJ entry. (To be strictly accurate, on Linux, it is the process’s file-system IDs, rather than its effective IDs, that are used for the checks described in this section, as described in Section 9.5.)

    3. If the effective user ID of the process matches the tag qualifier in one of the ACL_USER entries, then the process is granted the permissions specified in that entry, masked (ANDed) against the value of the ACL_MASK entry.

    4. If one of the process’s group IDs (i.e., the effective group ID or any of the supplementary group IDs) matches the file group (this corresponds to the ACL_GROUP_OBJ entry) or the tag qualifier of any of the ACL_GROUP entries, then access is determined by checking each of the following, until a match is found:

      1. If one of the process’s group IDs matches the file group, and the ACL_GROUP_OBJ entry grants the requested permissions, then this entry determines the access granted to the file. The granted access is restricted by masking (ANDing) against the value in the ACL_MASK entry, if present.

      2. If one of the process’s group IDs matches the tag qualifier in an ACL_GROUP entry for the file, and that entry grants the requested permissions, then this entry determines the permissions granted. The granted access is restricted by masking (ANDing) against the value in the ACL_MASK entry.

      3. Otherwise, access is denied.

    5. Otherwise, the process is granted the permissions specified in the ACL_OTHER entry.


      

    You are currently reading a PREVIEW of this book.

                                                                                            

    Get instant access to over
    $1 million worth of books and videos.

      

    Start a Free Trial