Rules for Modifying ACLs

A number of rules restrict the changes you can make to the ACL of a file or directory in a DCE LFS fileset. The following rules apply only to DCE LFS file and directory objects:

· The user_obj, group_obj, and other_obj entries must always exist. All other entry types are always optional.

· The mask_obj entry must exist if any entry other than user_obj, group_obj, or other_obj exists. If the mask_obj entry does not already exist when such an entry is created, the dcecp acl command creates it automatically.

· The user_obj entry must always explicitly retain the c (control) permission. This requirement prevents the owner of an object from being locked out of it: as long as the owner holds control over the ACL, he or she can always grant himself or herself additional permissions.

These rules restrict your use of the dcecp acl command. If the changes requested by a single dcecp acl modify command would, by themselves, leave the ACL in violation of any of these restrictions, the same command must include the additional changes that reinstate the required entries or permissions; a single dcecp acl modify command can never be used to effect a set of changes whose end result violates these restrictions. The same holds for the dcecp acl delete and dcecp acl replace commands. The dcecp acl command applies changes to an ACL in the order in which they are specified on the command line, and for a given dcecp acl command and a given ACL the operation is all-or-nothing: either every change indicated by the command is applied, or none of them is.

Finally, recall that only one entry of a given specificity can exist on an ACL; for example, only one user entry can exist for a given username. The permissions you assign to an entry with the -change option of the dcecp acl modify command replace the permissions already associated with that entry; they are not added to the existing permissions. If you want a user or group to retain the permissions already granted, you must repeat those permissions in the entry you specify with the command. (Note that a dcecp acl modify command that includes the -add option fails if the entry to be added already exists on the ACL.)
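The following model, written for this page rather than taken from dcecp or any DCE library, shows how the rules above combine with the all-or-nothing application order and the -add / -change semantics: a batch of changes is applied in order to a copy of the ACL, and the whole batch is refused if the final state breaks a rule. The permission alphabet "rwxcid", the permissions given to an automatically created mask_obj entry, and the sample ACL are assumptions of the model, not documented dcecp behaviour.

```python
"""Model of the DCE LFS ACL modification rules described on this page.

Added illustration, not dcecp source or any DCE library code. An ACL is a
dict keyed by (entry_type, name); each value is the set of permission
letters held. The rules (required _obj entries, mask_obj, user_obj keeps c),
the all-or-nothing batch semantics, and the add/change/remove operations
follow the text. The permission alphabet "rwxcid" and the permissions given
to an auto-created mask_obj are assumptions of this model.
"""
from copy import deepcopy

PERMS = frozenset("rwxcid")                          # assumed DCE LFS alphabet
REQUIRED = ("user_obj", "group_obj", "other_obj")    # must always exist
OBJ_TYPES = REQUIRED + ("mask_obj",)                 # the _obj entry types


class AclRuleError(Exception):
    """A batch of changes would leave the ACL in a state that breaks a rule."""


def key(entry_type, name=None):
    """Entries of the same specificity share a key: one user entry per name."""
    return (entry_type, None if entry_type in OBJ_TYPES else name)


def sample_acl():
    """Constructed sample ACL: owner rwxc, group rx, world r, nothing else."""
    return {key("user_obj"): set("rwxc"),
            key("group_obj"): set("rx"),
            key("other_obj"): set("r")}


def validate(acl):
    """Enforce the three rules from the text; raise AclRuleError on violation."""
    for t in REQUIRED:
        if key(t) not in acl:
            raise AclRuleError(f"{t} entry must always exist")
    if any(k[0] not in OBJ_TYPES for k in acl) and key("mask_obj") not in acl:
        raise AclRuleError("mask_obj is required once a non-_obj entry exists")
    if "c" not in acl[key("user_obj")]:
        raise AclRuleError("user_obj must retain the c (control) permission")


def _perms(s):
    """Parse a permission string, rejecting letters outside the alphabet."""
    p = set(s)
    if not p <= PERMS:
        raise AclRuleError(f"unknown permission letters in {s!r}")
    return p


def apply_changes(acl, changes):
    """Apply changes in order and return a new ACL; raise and leave acl untouched otherwise.

    changes is a list of tuples:
      ("add",    entry_type, name, perms)  fails if the entry already exists
      ("change", entry_type, name, perms)  replaces (does not union) the perms
      ("remove", entry_type, name)         deletes the entry
    Intermediate states may break a rule; only the final state is checked,
    so one batch may remove user_obj and add it back.
    """
    work = deepcopy(acl)
    for change in changes:
        op, k = change[0], key(change[1], change[2])
        if op == "add":
            if k in work:
                raise AclRuleError(f"-add: entry {k} already exists on the ACL")
            work[k] = _perms(change[3])
            # The text says dcecp creates mask_obj automatically when the first
            # non-_obj entry appears; the permissions it receives are an
            # assumption here (union of the non-_obj entries now present).
            if k[0] not in OBJ_TYPES and key("mask_obj") not in work:
                work[key("mask_obj")] = set().union(
                    *(v for kk, v in work.items() if kk[0] not in OBJ_TYPES))
        elif op == "change":
            if k not in work:
                raise AclRuleError(f"-change: entry {k} does not exist")
            work[k] = _perms(change[3])           # replacement, not addition
        elif op == "remove":
            if k not in work:
                raise AclRuleError(f"-remove: entry {k} does not exist")
            del work[k]
        else:
            raise ValueError(f"unknown operation {op!r}")
    validate(work)   # all-or-nothing: the caller's acl is never modified on failure
    return work


def rejected(acl, changes):
    """True if the batch is refused (and acl therefore left unchanged)."""
    try:
        apply_changes(acl, changes)
        return False
    except AclRuleError:
        return True


def format_acl(acl):
    """Render entries as 'type[:name] perms' lines, perms in fixed rwxcid order."""
    lines = []
    for (t, name), perms in sorted(acl.items(), key=lambda kv: (kv[0][0], kv[0][1] or "")):
        who = t if name is None else f"{t}:{name}"
        lines.append(f"{who} " + "".join(p if p in perms else "-" for p in "rwxcid"))
    return lines
```

Running a batch such as `[("remove", "user_obj", None), ("add", "user_obj", None, "rwxc")]` against `sample_acl()` succeeds because the final state satisfies every rule, while `[("remove", "user_obj", None)]` alone is refused and the original ACL is left as it was, which is the behaviour the text describes for a single dcecp acl modify command.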