Solaris ACL (Access Control List)
Basically a file has one owner, one group and others, and there are read/write/execute (rwx) permissions assigned to them respectively. Is it possible to provide the required permission to access one dir/file without changing or impacting on its own default permission?. Yes, we can do that in ACL. ACL's provide us the choice to be decided about who can do what with a file or group of files. How can we find out whether ACL options has set to that file/directories? In the following example shows that the file which is end up with the "+" sign that files is using the ACL options.There are TWO types of file ACL's in Solaris: POSIX (Portable Operating System Interface) and NFSv4 ACL. In this article we are going to discuss about the latest feature of ACL. Regarding Old type of ACL (getfacl, setfacl), we will go through on another post.
If you tried the Old ACL method on Zfs file, you will get the below error messages
bash-3.00# getfacl acl_unixrock File system doesn't support aclent_t style ACL's. See acl(5) for more information on Solaris ACL support. bash-3.00#
If you tried the New ACL method on UFS/Vxfs file, you will get the below error messages
bash-3.00# chmod A+user:raj:read_attributes:allow /export/zones/zone1 chmod: ERROR: Different file system ACL types cannot be merged bash-3.00#Key Points :
Trivial ACL – Contains only traditional UNIX user, group, and owner entries
Non-Trivial ACL – Contains more entries than just owner, group, and everyone.
ACEs - Access Control Entries
| ACL Entry Type | Description |
|---|---|
| owner@ | Specifies the access granted to the owner of the object. |
| group@ | Specifies the access granted to the owning group of the object. |
| everyone@ | Specifies the access granted to any user or group that does not match any other ACL entry. |
| user | With a user name, specifies the access granted to an additional user of the object. Must include the ACL-entry-ID, which contains a username or userID. If the value is not a valid numeric UID or username, the ACL entry type is invalid. |
| group | With a group name, specifies the access granted to an additional group of the object. Must include the ACL-entry-ID, which contains a groupname or groupID. If the value is not a valid numeric GID or groupname, the ACL entry type is invalid. |
| Access Privilege | Compact Access Privilege | Description |
|---|---|---|
| add_file | w | Permission to add a new file to a directory. |
| add_subdirectory | p | On a directory, permission to create a subdirectory. |
| append_data | p | Placeholder. Not currently implemented. |
| delete | d | Permission to delete a file. |
| delete_child | D | Permission to delete a file or directory within a directory. |
| execute | x | Permission to execute a file or search the contents of a directory. |
| list_directory | r | Permission to list the contents of a directory. |
| read_acl | c | Permission to read the ACL (ls). |
| read_attributes | a | Permission to read basic attributes (non-ACLs) of a file. Think of basic attributes as the stat level attributes. Allowing this access mask bit means the entity can execute ls(1) and stat(2). |
| read_data | r | Permission to read the contents of the file. |
| read_xattr | R | Permission to read the extended attributes of a file or perform a lookup in the file's extended attributes directory. |
| synchronize | s | Placeholder. Not currently implemented. |
| write_xattr | W | Permission to create extended attributes or write to the extended attributes directory.Granting this permission to a user means that the user can create an extended attribute directory for a file. The attribute file's permissions control the user's access to the attribute. |
| write_data | w | Permission to modify or replace the contents of a file. |
| write_attributes | A | Permission to change the times associated with a file or directory to an arbitrary value. |
| write_acl | C | Permission to write the ACL or the ability to modify the ACL by using the chmod command. |
| write_owner | o | Permission to change the file's owner or group. Or, the ability to execute the chown or chgrp commands on the file.Permission to take ownership of a file or permission to change the group ownership of the file to a group of which the user is a member. If you want to change the file or group ownership to an arbitrary user or group, then the PRIV_FILE_CHOWN privilege is required. |
| Inheritance Flag | Compact Inheritance Flag | Description |
|---|---|---|
| file_inherit | f | Only inherit the ACL from the parent directory to the directory's files. |
| dir_inherit | d | Only inherit the ACL from the parent directory to the directory's subdirectories. |
| inherit_only | i | Inherit the ACL from the parent directory but applies only to newly created files or subdirectories and not the directory itself. This flag requires the file_inherit flag, the dir_inherit flag, or both, to indicate what to inherit. |
| no_propagate | n | Only inherit the ACL from the parent directory to the first-level contents of the directory, not the second-level or subsequent contents. This flag requires the file_inherit flag, thedir_inherit flag, or both, to indicate what to inherit. |
| - | N/A | No permission granted. |
Don’t be anxious about the above tabular contents, we will make it easiest way to understand about the New ACL.
Lets start have fun with newly created files on zfs. Here we can find the ACL permission for file and directories.
bash-3.00# ls -ltr
total 7
-rw-r--r-- 1 root root 0 Jul 3 00:32 file1
-rw-r--r-- 1 root root 0 Jul 3 00:32 file2
-rw-r--r-- 1 root root 0 Jul 3 00:32 file3
-rw-r--r-- 1 root root 0 Jul 3 00:32 file4
-rw-r--r-- 1 root root 0 Jul 3 00:32 file5
-rw-r--r-- 1 root root 0 Jul 3 00:32 file6
-rw-r--r-- 1 root root 0 Jul 3 00:32 file7
bash-3.00#
bash-3.00#
bash-3.00# ls -lv file1
-rw-r--r-- 1 root root 0 Jul 3 00:32 file1
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data:allow
4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
bash-3.00#
also we can summarized the same with below command.bash-3.00# ls -V file1
-rw-r--r-- 1 root root 0 Jul 3 00:32 file1
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
bash-3.00#
by executing "ls -vd" command, we can find the ACL permission for directories.bash-3.00# ls -vd /test_acl
drwxr-xr-x 2 root root 9 Jul 3 00:32 /test_acl
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@:add_file/write_data/add_subdirectory/append_data:deny
3:group@:list_directory/read_data/execute:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
bash-3.00#
summarized view of ACL for directoriesbash-3.00# ls -Vd /test_acl
drwxr-xr-x 2 root root 9 Jul 3 00:32 /test_acl
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
bash-3.00#
No comments:
Post a Comment