Each DCE LFS file or directory can have an Object ACL that controls access to the file or directory; all previous examples in this topic refer to the Object ACL. Because they can contain other objects, directories (also referred to as "container objects") can have two additional ACLs that determine the default ACLs to be inherited by objects created in them. Thus, a directory can have the following three ACLs:
Object ACL
Controls access to the directory itself. By default, this is the ACL that the dcecp acl command displays or modifies when it is issued.
Initial Object Creation ACL
Determines the default ACL inherited by files created in the directory. To view or modify a directory's Initial Object Creation ACL, include the -io option with the dcecp acl command.
Initial Container Creation ACL
Determines the default ACL inherited by subdirectories created in the directory. To view or modify a directory's Initial Container Creation ACL, include the -ic option with the dcecp acl command.
A directory's Object ACL, Initial Object Creation ACL, and Initial Container Creation ACL exist independently of one another, and none of them needs to exist at all: a given directory can have all, some, or none of these ACLs. The type of file system protection (ACLs or UNIX mode bits) initially used for a new file or directory object depends on whether the parent directory of the new object has the appropriate Initial Creation ACL, as follows:
· If a new object's parent directory has the appropriate Initial Creation ACL, the new object inherits an Object ACL as its form of protection. The new object also has mode bits, but the Object ACL supplements these bits. Recall that DCE LFS ensures that the object's mode bits and its ACL permissions are always synchronized.
· If a new object's parent directory does not have the appropriate Initial Creation ACL, the new object initially has no Object ACL; the object relies on mode bits as its only form of protection. If they are not inherited, ACLs can be explicitly created with the dcecp acl command. (See Mode Bits for New Objects That Do Not Inherit ACLs for information about using the dcecp acl command to create a directory's initial ACLs.)
Note: An Object ACL is always created for a file or directory that is created by a foreign user, even if the parent directory does not have the appropriate Initial Creation ACL. (See ACL Inheritance for Objects Created by Foreign Users and Mode Bits for New Objects That Do Not Inherit ACLs for more information.)
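To make the inheritance rules above concrete, here is an added model (not DCE code; the ACL representation, entry names, and permission strings are constructed) that derives a new object's initial protection from its parent directory's three ACLs and shows which ACL the -io and -ic options select:

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Simplified stand-in for a DCE LFS ACL: entry name -> permission string.
ACL = Dict[str, str]


@dataclass
class Directory:
    """The three ACLs a DCE LFS directory may carry; each may be absent."""
    object_acl: Optional[ACL] = None  # access to the directory itself
    io_acl: Optional[ACL] = None      # Initial Object Creation ACL (dcecp acl -io)
    ic_acl: Optional[ACL] = None      # Initial Container Creation ACL (dcecp acl -ic)


@dataclass
class NewObject:
    kind: str                  # "file" or "directory"
    object_acl: Optional[ACL]  # None means the object relies on mode bits only
    protection: str            # "acl" or "mode bits"


def acl_shown_by(parent: Directory, option: Optional[str] = None) -> Optional[ACL]:
    """Which of the directory's ACLs 'dcecp acl' addresses for a given option."""
    return {None: parent.object_acl, "-io": parent.io_acl, "-ic": parent.ic_acl}[option]


def create_in(parent: Directory, kind: str, foreign_user: bool = False) -> NewObject:
    """Derive a new object's initial protection from its parent directory."""
    if kind == "file":
        initial = parent.io_acl        # files inherit from the -io ACL
    elif kind == "directory":
        initial = parent.ic_acl        # subdirectories inherit from the -ic ACL
    else:
        raise ValueError(f"unknown object kind: {kind}")
    if initial is not None:
        # Copy the entries: the child's Object ACL is its own, not a link to the parent's.
        return NewObject(kind, dict(initial), "acl")
    if foreign_user:
        # A foreign user's object always gets an Object ACL; its entries come from
        # rules outside this section, so an empty ACL stands in here (assumption).
        return NewObject(kind, {}, "acl")
    return NewObject(kind, None, "mode bits")


# Constructed example: a directory with an -io ACL but no -ic ACL.
PARENT = Directory(object_acl={"user_obj": "rwxcid"},
                   io_acl={"user_obj": "rw-c--", "other_obj": "r-----"})
```

With this parent, a new file inherits an Object ACL while a new subdirectory created by a local user falls back to mode bits only.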
The following topics describe how the initial protections of a new object are derived. The first topic provides more information about an ACL's default cell, which plays an important role in determining ACL inheritance. The next two topics describe ACL inheritance for objects created by local users and for objects created by foreign users; both assume that the parent directory has the appropriate Initial Creation ACL. The final topic discusses how the UNIX mode bits are determined for an object whose parent directory does not have the appropriate Initial Creation ACL.
More:
The Default Cell and ACL Inheritance
ACL Inheritance for Objects Created by Local Users
ACL Inheritance for Objects Created by Foreign Users
Mode Bits for New Objects That Do Not Inherit ACLs