What is the exact purpose of `mask` in file system ACL?
When I apply default ACL in a directory I see `default:mask` or just `mask` in the following two scenarios.
Scenario 1
```
-bash-4.2$ ls -ld test/
drwxr-x---. 2 test test 4096 Oct 15 19:12 test/
-bash-4.2$ setfacl -d -m u:arif:rwx test/
-bash-4.2$ getfacl --omit-header test
user::rwx
group::r-x
other::---
default:user::rwx
default:user:arif:rwx
default:group::r-x
default:mask::rwx
default:other::---
```
Scenario 2
```
-bash-4.2$ ls -dl dir/
drwxr-x---. 2 test test 4096 Oct 15 18:17 dir/
-bash-4.2$ getfacl dir
# file: dir
# owner: test
# group: test
user::rwx
group::r-x
other::---
-bash-4.2$ setfacl -m user:arif:rwx dir
-bash-4.2$ getfacl --omit-header dir
user::rwx
user:arif:rwx
group::r-x
mask::rwx
other::---
```
So what is the purpose of `mask` here?
linux permissions acl umask
asked 3 hours ago
muhammad
1 Answer
According to acl man, ACL Mask denotes access rights that can be granted by entries of type, so the mask contains information about access permissions. In ACL there is an extended set of permissions.
For example, in POSIX each file or directory has an owner, group, and other with read, write, and executable permissions, while ACL adds additional access permissions, called "mask", and can be used to define additional groups/users and extended permissions.
So the mask field here only applies to the additional permissions you have given to the user and groups. If the mask is set to `rwx`, the read, write and execute permissions will be granted to additional user/groups. If the mask is set to `r-x`, the write permission will not be granted to additional user/groups. In general, it is recommended not to set mask to anything other than `rwx`, which is the default value. The mask value doesn't affect the standard UNIX user/group/others permissions.
Scenario #1 above represents file permissions, and scenario #2 is for folder permissions.
At the kernel level, file creation passes code 0666 to the `touch` system call, and it passes code 0777 to the `mkdir` system call during folder creation, and this way permissions are set to files and folders differently. This difference in the setup of permissions at the kernel level makes folders and files behave differently, meaning a folder can inherit its permissions from a parent folder, but a file can't; for example, we need to set a file's permissions to make it executable.
edited 2 hours ago
answered 3 hours ago
Goro
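
An added example, not part of the original question or answer: a Python sketch that computes effective rights from `getfacl` text, following the acl(5) rule that the mask caps named-user, owning-group and named-group entries while `user::` and `other::` are left alone. `effective_acl` is a hypothetical helper name; `PAGE_SCENARIO_2` is the Scenario 2 listing from the question, and the other two samples are constructed.

```python
# Added example: effective POSIX ACL rights from `getfacl` output (acl(5) rules).

PAGE_SCENARIO_2 = """\
user::rwx
user:arif:rwx
group::r-x
mask::rwx
other::---
"""

# Constructed: the same ACL as it would look after `setfacl -m m::r-x dir`.
NARROWED = PAGE_SCENARIO_2.replace("mask::rwx", "mask::r-x")

# Constructed: shows that the owning group entry is capped as well.
GROUP_CAPPED = """\
# file: shared
user::rwx
group::rwx\t\t#effective:r--
group:audit:rw-\t\t#effective:r--
mask::r--
other::---
"""


def effective_acl(getfacl_text):
    """Return {"tag:qualifier": effective "rwx" string} for the access ACL."""
    entries, mask = [], None
    for line in getfacl_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop headers and #effective notes
        if not line or line.startswith("default:"):
            continue                               # default ACLs only seed new children
        tag, qualifier, perms = line.split(":")
        if tag == "mask":
            mask = perms
        else:
            entries.append((tag, qualifier, perms))
    result = {}
    for tag, qualifier, perms in entries:
        # Masked: named users, owning group, named groups. Not masked: owner, other.
        masked = tag == "group" or (tag == "user" and qualifier != "")
        if masked and mask is not None:
            perms = "".join(p if p == m else "-" for p, m in zip(perms, mask))
        result[f"{tag}:{qualifier}"] = perms
    return result


if __name__ == "__main__":
    for name, text in [("page", PAGE_SCENARIO_2), ("narrowed", NARROWED)]:
        print(name, effective_acl(text))
```

When auditing a tree, compare the `user:arif` result before and after a `chmod` on the file: on a file with an ACL, `chmod g=...` rewrites the mask, which silently changes what every named entry can actually do.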