Directory ACEs Example

Provides instructions on how to set ACEs for directories.

For example, suppose the following (command-line) sequence of directory ACE settings for user u2:



As shown in the illustration above:

Step 1:

User u2 is granted access to read the directory sampleDir; all other directory and file ACEs are not specified.

After the command runs, user u2 has permission to list the contents of the directory, and the POSIX mode bit for listing the contents of the directory (r) is set for u2 in the owner/user class.

There is no change to the ACEs or POSIX mode bits for any other (file- and directory-level) access type.

Step 2:

User u2 is granted permission to add and delete child directories; all other directory and file ACEs are not specified.

After the command runs, user u2 has permission to create and delete child directories, and the POSIX write bit (w) on the directory is set for u2 in the owner/user class, because u2 is granted both access types (addchild and deletechild).

If user u2 creates child directories, they inherit the ACE settings of the parent directory by default.

There is no change to the ACEs or POSIX mode bits for any other (file- and directory-level) access type.

Step 3:

User u2's permissions are modified to grant read and write access to files in the directory, user u2's permission to add and delete child directories is removed (using the negation operator), and all other directory and file ACEs are not specified.

After the command runs, user u2 can read and write files in the directory but can no longer add or delete child directories. The POSIX write bit (w) on the directory is cleared (set to 0) for the owner/user class.

Although user u2 now has read and write permission on files at the directory level, access to existing files is still determined by each file's own ACEs or POSIX mode bits. New files created under the directory, however, inherit the file ACEs from the parent directory by default, so user u2 gets read and write permission on them, and the POSIX read (r) and write (w) bits are set for u2 in the owner/user class.

There is no change to the ACEs or POSIX mode bits for any other (lookupdir and executefile) access type.
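To make the mode-bit rules in steps 1 to 3 concrete, here is an added Python model (not the file system's own command or implementation; the function names are assumptions) that replays the sequence for u2: each step adds the granted access types, removes the negated ones, and derives the owner/user rwx bits for the directory and for a new file that inherits its file ACEs.

```python
# Added model of the three-step sequence above, not the file system's own
# code; access-type names follow the page, function names are assumed.

def apply_step(aces, grants, revokes):
    """One setace-style step for user u2: 'grants' are added, 'revokes'
    (entries written with the negation operator) are removed, and any
    access type not mentioned is left unchanged."""
    return (set(aces) | set(grants)) - set(revokes)

def dir_mode_bits(aces):
    """Owner/user rwx for the directory itself: r from readdir, x from
    lookupdir, and w only when BOTH addchild and deletechild are granted."""
    r = "r" if "readdir" in aces else "-"
    w = "w" if {"addchild", "deletechild"} <= set(aces) else "-"
    x = "x" if "lookupdir" in aces else "-"
    return r + w + x

def inherited_file_mode_bits(aces):
    """Owner/user rwx a NEW file created under the directory receives via
    the inherited file ACEs (existing files keep their own ACEs)."""
    r = "r" if "readfile" in aces else "-"
    w = "w" if "writefile" in aces else "-"
    x = "x" if "executefile" in aces else "-"
    return r + w + x

def run_sequence():
    """Replay steps 1-3 for u2; returns per step
    (granted ACEs, directory rwx, rwx inherited by new files)."""
    steps = [
        ({"readdir"}, set()),                                      # step 1
        ({"addchild", "deletechild"}, set()),                      # step 2
        ({"readfile", "writefile"}, {"addchild", "deletechild"}),  # step 3
    ]
    aces, history = set(), []
    for grants, revokes in steps:
        aces = apply_step(aces, grants, revokes)
        history.append((frozenset(aces), dir_mode_bits(aces),
                        inherited_file_mode_bits(aces)))
    return history

if __name__ == "__main__":
    for n, (aces, d, f) in enumerate(run_sequence(), 1):
        print(f"step {n}: aces={sorted(aces)} dir={d} newfile={f}")
```

Granting only one of addchild or deletechild leaves the directory's w bit clear, which is why step 3's negation of both drops it to 0.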