Suggested Initial ACLs for a New Fileset

Cell administrators need to use the dcecp acl command to create the ACLs for the root directory of a new DCE LFS fileset. They should also manipulate the root directory and its ACLs to assign the directory the proper owner and give its ACL entries the appropriate permissions.

The owner of a fileset's root directory is initially set to root. A cell administrator must use the UNIX chown command or its equivalent to make the user who is to own the fileset the owner of the directory, thus granting that individual the c permission associated with the user_obj entry. A cell administrator should also use the UNIX chgrp command or its equivalent to change the owning group, as required.

Cell administrators may want to establish the convention of explicitly granting the owner of a new fileset all permissions on the fileset's root directory. In addition, they may want to limit the permissions initially granted by the group_obj and other_obj entries, changing these entries to grant only the r and x permissions. This allows all users from the local cell to list the contents of the directory and view the ACLs of the objects it contains, but little else.

The following example ACL provides the owner (pierette) of the root directory of a new fileset all permissions, granting all other users from the local cell just the r and x permissions:

dcecp> acl show /.../abc.com/fs/usr/pierette
{user_obj rwxcid}
{group_obj r-x---}
{other_obj r-x---}

Cell administrators should also apply these suggestions to the root directory's Initial Object Creation and Initial Container Creation ACLs. Because they are meaningless with respect to files, the i and d permissions do not need to be granted to the user_obj entry on the directory's Initial Object Creation ACL.

Recall that a user must have the x permission on each directory that leads to an object to access the object. Therefore, cell administrators should grant the x permission to the group_obj and other_obj entries on all directories that lead to common binary files. They should also grant the x permission to these entries on all directories that lead to the root directories of user filesets.
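The conventions above (owner permissions, limited group_obj and other_obj entries, and the x permission on every directory in a path) can be checked mechanically against saved acl show output. The following is an added example, not part of DCE or of the original documentation; the function names are hypothetical, and it assumes the brace-delimited entries with six permission positions (rwxcid) shown in the example above.

```python
import re

ORDER = "rwxcid"  # permission positions as displayed by acl show

def parse_acl(text):
    """Parse `dcecp acl show` output into {entry: set of granted permissions}."""
    acl = {}
    for body in re.findall(r"\{([^{}]+)\}", text):
        fields = body.split()
        # Last field is the permission string; the rest names the entry
        # (e.g. "user_obj", or "user pierette" for a keyed entry).
        acl[" ".join(fields[:-1])] = set(fields[-1]) - {"-"}
    return acl

def _fmt(perms):
    return "".join(p for p in ORDER if p in perms)

def audit_root_acl(acl, kind="object"):
    """Check one ACL against the suggested convention.

    kind is "object", "ic" (Initial Container Creation) or
    "io" (Initial Object Creation, where i and d mean nothing for files).
    """
    findings = []
    owner_wants = set("rwxc") if kind == "io" else set(ORDER)
    missing = owner_wants - acl.get("user_obj", set())
    if missing:
        findings.append(f"user_obj lacks {_fmt(missing)}")
    for entry in ("group_obj", "other_obj"):
        extra = acl.get(entry, set()) - set("rx")
        if extra:
            findings.append(f"{entry} grants extra {_fmt(extra)}")
    return findings

def blocked_dirs(path_acls):
    """Return directories on a path where group_obj or other_obj lacks x."""
    return [d for d, acl in path_acls
            if any("x" not in acl.get(e, set()) for e in ("group_obj", "other_obj"))]

# Constructed sample input: the suggested ACL, plus a looser one for contrast.
SUGGESTED = "{user_obj rwxcid}\n{group_obj r-x---}\n{other_obj r-x---}"
LOOSE = "{user_obj rwx---}\n{group_obj rwx-id}\n{other_obj r-----}"

if __name__ == "__main__":
    print(audit_root_acl(parse_acl(SUGGESTED)))
    print(audit_root_acl(parse_acl(LOOSE)))
    print(blocked_dirs([("/.../abc.com/fs/usr", parse_acl(SUGGESTED)),
                        ("/.../abc.com/fs/usr/pierette", parse_acl(LOOSE))]))
```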