ACL Interaction with UNIX Mode Bits

In the UNIX file system, every file and directory object has associated with it a set of mode bits that provide information about the object. In addition to identifying the type of the object (file or directory), the bits define the permissions granted to three types of users: the user who owns the object, members of the group that owns the object, and all other system users. These mode bits are referred to as the user, group, and other mode bits, respectively.

Each type of user (user, group, and other) can be assigned any combination of the r, w, and x permissions via the appropriate mode bits. The operations associated with the bits are similar to those associated with the same permissions for DCE ACLs. The mode bits for an object can be listed with the UNIX ls -l command or its equivalent; they can be set with the UNIX chmod command or its equivalent.

Because DCE ACLs can be used only with objects in DCE LFS filesets, mode bits are the only form of protection associated with objects in most non-LFS filesets. In DCE LFS filesets, all file and directory objects can have both UNIX mode bits and DCE ACLs. Note that all objects always have UNIX mode bits, but they do not necessarily have ACLs. (See Initial Protection of a New File or Directory for more details.)

For DCE LFS objects, DCE LFS synchronizes the protections set by an object's UNIX mode bits with the protections set by its DCE ACL. It maintains symmetry between an object's mode bits and its ACL permissions as follows:

· The user mode bits are identified with the r, w, and x permissions of the user_obj entry.

· The other mode bits are identified with the r, w, and x permissions of the other_obj entry.

· The group mode bits are identified with the r, w, and x permissions of the mask_obj entry. If the mask_obj entry does not exist (which is the case with the root directory of a newly created DCE LFS fileset, for example), the group mode bits are identified with the r, w, and x permissions of the group_obj entry. If the mode bits correspond to the mask_obj entry, they do not correspond to the group_obj entry, and vice versa.

To maintain this correspondence, when you modify an ACL _obj entry (user_obj, mask_obj or group_obj, or other_obj), DCE LFS updates the corresponding UNIX mode bits (user, group, or other) to reflect the permissions associated with the _obj entry. For example, suppose a file's ACL has the following entries:

{mask_obj r-----}
{user_obj rwxc--}
{group_obj r-x--- effective r-----}
{other_obj ------}

DCE LFS sets the corresponding UNIX mode bits for the file to make the user mode bits r, w, and x and the group mode bits r. These mode bits are displayed with the ls -l command as follows:

-rwxr-----   1 dale       3625 Nov 22 11:36 filename

Suppose you then use the dcecp acl modify command to modify the ACL to give the other_obj entry the r, w, and x permissions (leaving the other entries unchanged), as follows:

{mask_obj r-----}
{user_obj rwxc--}
{group_obj r-x--- effective r-----}
{other_obj rwx---}

DCE LFS adjusts the UNIX mode bits to make the other mode bits r, w, and x in accordance with the other_obj entry. Displayed with the ls -l command, the mode bits are now as follows:

-rwxr--rwx   1 dale       3625 Nov 22 11:36 filename

Similarly, if you use the UNIX chmod command to modify the mode bits associated with an object, DCE LFS reconciles the corresponding ACL entries accordingly. Thus, DCE LFS ensures that the mode bits and ACL permissions of an object always agree.

It is worth noting that for an executable file (for example, a binary file) to be executed, the x mode bit must be assigned to at least one of user, group, or other. If none of these sets of mode bits includes the x mode bit, no one can execute the file, not even the root user. For an executable file that has an ACL, this means that at least one of the following ACL entries must have the x permission for the file to be executed: user_obj, mask_obj (or group_obj, if the mask_obj entry does not exist on the ACL), or other_obj.
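The mode-bit/ACL correspondence described above, together with the execute check, as an added illustration that is not DCE LFS code: the entry names come from the text, while the dict layout and the function names are assumptions made for this example.

```python
# Illustrative model (not DCE code) of how DCE LFS keeps an object's UNIX mode
# bits and its ACL _obj entries in agreement. An ACL is a dict mapping an entry
# name (user_obj, group_obj, mask_obj, other_obj) to its permission letters.
MODE_PERMS = "rwx"  # the only permissions mirrored into the mode bits


def _to_bits(entry):
    """Render the r, w, x part of one ACL entry as a 3-character mode field."""
    return "".join(p if p in entry else "-" for p in MODE_PERMS)


def acl_to_mode(acl):
    """Derive the nine mode bits: user_obj -> user bits, mask_obj -> group bits
    (group_obj when the ACL has no mask_obj), other_obj -> other bits."""
    group_entry = acl["mask_obj"] if "mask_obj" in acl else acl["group_obj"]
    return _to_bits(acl["user_obj"]) + _to_bits(group_entry) + _to_bits(acl["other_obj"])


def chmod_to_acl(acl, mode):
    """Reconcile the ACL after a chmod: rewrite the r, w, x of each mirrored
    _obj entry to match its mode field, leaving other permissions (e.g. c) alone."""
    if len(mode) != 9 or any(ch not in "rwx-" for ch in mode):
        raise ValueError("mode must be a 9-character rwx string such as 'rwxr-x---'")
    group_name = "mask_obj" if "mask_obj" in acl else "group_obj"
    new_acl = dict(acl)
    for name, field in zip(("user_obj", group_name, "other_obj"),
                           (mode[0:3], mode[3:6], mode[6:9])):
        kept = "".join(p for p in acl[name] if p not in MODE_PERMS)
        new_acl[name] = field.replace("-", "") + kept
    return new_acl


def can_execute(acl):
    """True only if x is granted by user_obj, mask_obj/group_obj, or other_obj;
    otherwise nobody, not even root, can run the file."""
    return "x" in acl_to_mode(acl)


if __name__ == "__main__":
    # Constructed sample matching the ACL in the text: mask r, user rwxc,
    # group r-x (effective r through the mask), other nothing.
    acl = {"mask_obj": "r", "user_obj": "rwxc", "group_obj": "rx", "other_obj": ""}
    print(acl_to_mode(acl))                        # rwxr-----
    print(acl_to_mode(dict(acl, other_obj="rwx")))  # rwxr--rwx
    print(chmod_to_acl(acl, "rw-r-----"))           # user_obj becomes 'rwc', mask_obj 'r'
```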