PROTECTION/RIGHTS Aegis PROTECTION/RIGHTS
NAME
protection/rights - Access Rights to Objects
DESCRIPTION
The following are the basic kinds of operations that can be performed on
objects, and the rights which allow them when present in an ACL entry.

for all objects:
    p   protect rights; allows rights to be changed.

for files:
    w   write rights; allows file to be written.
    r   read rights; allows file to be read.
    x   execute rights; allows file to be executed.
    k   keep rights; prevents an object from being
        deleted or from having its name changed.

for directories:
    w   write rights; allows names to be added,
        changed or deleted.
    r   read rights; allows directory to be listed.
    s   search rights; allows directory to be
        searched for subordinate objects.
    x   execute rights (synonym for search rights).
    k   keep rights; prevents an object from being
        deleted or from having its name changed.

for initial file/initial directory ACLs:
    i   inherit rights. The SID portion of a required entry is inherited
        from the creating process. This would normally only be used if
        someone needs to inherit the SID portion and does not wish to
        inherit rights from the current process (see -inh_all).

The following abbreviations exist for sets of rights:

    -owner      gives all rights.
                for files, it means: pwrx
                for directories: pwrx
    -user       gives all rights except ability to change ACL.
                for files, it means: wrx
                for directories: wrx
    -read       for files, allows reading; can't change ACL.
                precisely, it means: r
    -exec       for files, allows reading, execution; can't
                change ACL.
                precisely, it means: rx
    -ldir       for directories, allows listing; can't change ACL.
                precisely, it means: rx
    -adir       for directories, allows adding names and
                links, and listing; can't change ACL.
                precisely, it means: wrx
    -none       gives no rights, for files or directories.
                Used to explicitly deny rights to specific
                SIDs that would otherwise be granted rights
                because they are members of a project or
                organization.
                Delete and rename rights come from directories.
                This means that if you set -none rights on
                a file, but do not set the same rights for
                the directory that contains the file, your
                file is NOT protected from being deleted.
                You must set 'k' (keep) rights to protect
                a file in a non-protected directory.
    -ignore     for required entries: is used to specify
                that the required entry for an object is
                not to be used in rights checking.
    -inh_rights for directory initial ACLs: specifies rights
                are to be inherited from the current process.
    -inh_all    for directory initial ACLs: specifies both
                rights and pgo information are to be inherited
                from the current process.
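
The note under -none is easy to misread, so here is a small model of it, added as an illustration and not part of the Aegis help text or any Aegis tool. It expands the abbreviations above and checks whether a file can be deleted. The names expand and can_delete are hypothetical, and the check assumes a single ACL entry per object where deletion needs 'w' on the directory and is blocked by 'k' on the file.

```python
# Added illustration: a simplified model of the rights on this help page.
# ABBREVIATIONS, expand and can_delete are hypothetical names, not Aegis APIs.

VALID = {"file": set("pwrxk"), "dir": set("pwrsxk")}

# Abbreviation -> expansion per object kind, exactly as listed on the page.
ABBREVIATIONS = {
    "-owner": {"file": "pwrx", "dir": "pwrx"},
    "-user":  {"file": "wrx",  "dir": "wrx"},
    "-read":  {"file": "r"},
    "-exec":  {"file": "rx"},
    "-ldir":  {"dir": "rx"},
    "-adir":  {"dir": "wrx"},
    "-none":  {"file": "", "dir": ""},
}

def expand(spec, kind):
    """Return the set of rights letters that spec grants on a file or dir."""
    if spec.startswith("-"):
        try:
            letters = ABBREVIATIONS[spec][kind]
        except KeyError:
            raise ValueError(f"{spec} is not defined for a {kind}") from None
    else:
        letters = spec
    rights = set(letters)
    unknown = rights - VALID[kind]
    if unknown:
        raise ValueError(f"invalid {kind} rights: {''.join(sorted(unknown))}")
    if kind == "dir" and rights & {"s", "x"}:
        rights |= {"s", "x"}  # x is a synonym for search on directories
    return rights

def can_delete(dir_spec, file_spec):
    """Assumed check: deletion needs w on the directory and no k on the file."""
    return "w" in expand(dir_spec, "dir") and "k" not in expand(file_spec, "file")

if __name__ == "__main__":
    # Constructed cases: the same subject's rights on a directory and a file in it.
    for d, f in [("-adir", "-none"), ("-adir", "k"), ("-ldir", "-none")]:
        print(f"dir={d:6} file={f:6} deletable={can_delete(d, f)}")
```
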
SEE ALSO
More information is available. Type:

    help acls        for more information on commands which
                     manipulate access control lists (ACLs).
    help protection  for more information on protection in general.
    protection acls  for detailed information on ACLs.