Access Control List + Solaris

All the commands are run from the % (ordinary user) prompt, not the # (root) prompt, so do not mistake the # characters shown below for a root prompt: they are part of the command output.


The ACL facility allows you to define more than just the usual eight permission bits for a file or directory. You can define a list of users (based on user-id or name) and groups (again, number or name) that you want to have access to a file. For each user or group getting special access, you can define read, write, or execute access permission.

There are only two commands that you need to learn for Solaris ACLs. They are setfacl for setting a file's ACLs and getfacl for reading them. There are also a bunch of system and library calls that make the ACL facility available to programs. One confusing aspect of ACLs is that, in essence, every file already has an ACL entry. Running getfacl on a normal file reveals some ACL information:

% cd /usr/tmp
% touch foo
% ls -l foo
-rw-r--r-- 1 pbg staff 0 Jul 22 13:35 foo

% getfacl foo
# file: foo
# owner: pbg
# group: staff
user::rw-
group::r-- #effective:r--
mask:rwx
other:r--

This ACL information is merely getfacl's interpretation of the Unix permissions on the file. The user, group and other information is a straightforward display of the permission bits for those fields. The mask field is very similar to the Unix umask method. It defines the maximum permissions allowed for users (other than the owner) and groups. Even if a user or group has permissions set that exceed the mask, the mask limits their access. The #effective display shows, for each user (except the owner) and group, the effect that the mask has on the permissions. The #effective output is the one to look at to determine exactly who can access the file and exactly what they are allowed to do.

To set an ACL for a file, use the command setfacl:

% setfacl -m user:jeff:rw- foo

% ls -l foo
-rw-r--r--+ 1 pbg staff 0 Jul 22 13:52 foo

% getfacl foo

# file: foo
# owner: pbg
# group: staff
user::rw-
user:jeff:rw- #effective:r--
group::r-- #effective:r--
mask:r--
other:r--

The -m option tells setfacl that I want to modify the ACLs for the file. Use the -s option to set the entire mode, but then you must type in the user, group, and other access bits as well:

% setfacl -s user::rw-,group::r--,other:---,mask:rw-,user:jeff:rw- foo

To set general user, group, and other permissions, use the field::perms identifier. To set ACLs for individual users and groups, use the field:uid or gid:perms identifier.

But back to our previous example. Notice that the effective access for user Jeff is unchanged: he can still only read the file, not write to it. That's the result of the mask being applied to his permissions. To grant Jeff the access desired, I need to:

% setfacl -m mask:rw- foo
% getfacl foo

# file: foo
# owner: pbg
# group: staff
user::rw-
user:jeff:rw- #effective:rw-
group::r-- #effective:r--
mask:rw-
other:r--

Now Jeff has read and write permissions to the file, while all others have only read access. Of note is the slight change in behavior of the ls command. Any file with specific ACL information is shown with a + at the end of the permission field. Unfortunately, find doesn't seem to have an option to find all files with ACL lists.
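To make the mask rule from the getfacl discussion above concrete, here is an added example (not part of the original article) that parses getfacl-style output, recomputes the #effective column the way Solaris does, and reports which entries actually allow writes. The sample ACL text is constructed to match the output shown earlier; the mask is applied to named users, the owning group and named groups, but never to the owner or to other.

```python
"""Recompute effective Solaris ACL permissions from getfacl output (added example)."""

# Constructed sample: the ACL on foo before the mask was raised to rw-.
SAMPLE_GETFACL = """\
# file: foo
# owner: pbg
# group: staff
user::rw-
user:jeff:rw- #effective:r--
group::r-- #effective:r--
mask:r--
other:r--
"""

def parse_getfacl(text):
    """Return (tag, qualifier, perms, is_default) tuples for each ACL entry.
    '#' starts a comment, so the #effective annotation is dropped and recomputed."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        parts = line.split(":")
        if len(parts) == 2:            # mask:rwx or other:r--
            tag, qual, perms = parts[0], "", parts[1]
        elif len(parts) == 3:          # user::rw- or user:jeff:rw-
            tag, qual, perms = parts
        else:
            raise ValueError("malformed ACL entry: %r" % line)
        entries.append((tag, qual, perms, is_default))
    return entries

def apply_mask(perms, mask):
    """A permission survives only if both the entry and the mask grant it."""
    return "".join(p if p == m and p != "-" else "-" for p, m in zip(perms, mask))

def effective_permissions(text):
    """Map each non-default entry (e.g. 'user:jeff', 'group', 'other') to its
    effective permissions; owner (user::) and other are exempt from the mask."""
    entries = [e for e in parse_getfacl(text) if not e[3]]
    mask = next((p for t, _, p, _ in entries if t == "mask"), "rwx")
    result = {}
    for tag, qual, perms, _ in entries:
        key = (tag + ":" + qual) if qual else tag
        masked = tag == "group" or (tag == "user" and qual != "")
        result[key] = apply_mask(perms, mask) if masked else perms
    return result

def writers(text):
    """Sorted list of entries that can actually write, for a quick audit."""
    return sorted(k for k, p in effective_permissions(text).items()
                  if k != "mask" and "w" in p)
```

Raising the mask in the sample text to rw- (as the article does with setfacl -m mask:rw-) is enough to change Jeff's effective access, which the functions above reproduce without touching a real file.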

As well as setting an ACL for the directory, you can set a default ACL for the directory. This default ACL is used to set the ACL on every file created within the directory. The only way I managed to get directory ACLs to work was using the -s option with a very long parameter string:

% setfacl -s user::rwx,group::rw-,mask:r--,other:rw-,default:user::rw-,\
default:group::r-x,default:mask:rwx,default:other:r-x bar

% ls -ld bar
drwxr--rw-+ 2 pbg staff 512 Jul 22 14:11 bar

% getfacl bar

# file: bar
# owner: pbg
# group: staff
user::rwx
group::rw- #effective:r--
mask:r--
other:rw-
default:user::rw-
default:group::r-x
default:mask:rwx
default:other:r-x

Now set a default ACL, and create a file in the directory:

% setfacl -m default:user:jeff:rwx bar

% getfacl bar

# file: bar
# owner: pbg
# group: staff
user::rwx
group::rw- #effective:r--
mask:r--
other:rw-
default:user::rw-
default:user:jeff:rwx
default:group::r-x
default:mask:rwx
default:other:r-x

% touch bar/test

% getfacl bar/test

# file: bar/test
# owner: pbg
# group: staff
user::rw-
user:jeff:rwx #effective:r--
group::r-- #effective:r--
mask:r--
other:r--

There are several other aspects of ACLs, including deleting ACLs and using abbreviations and permission bit numbers (rather than symbols). This information is provided on the appropriate manual pages.

To use ACLs over an NFS mount, both the client and server must be running Solaris 2.5 or better. If the client is running 2.5 but the server is running 2.4 or lower, you'll see an error such as:

% touch foo
% getfacl foo

# file: foo
# owner: pbg
# group: staff
user::rw-
group::r-- #effective:r--
mask:rwx
other:r--

% setfacl -m user:jeff:rw- foo
foo: failed to set acl entries
setacl error: Operation not applicable

You'll get a similar error if you try to use ACLs in a swapfs-based directory (such as /tmp). Finally, there's a "non-feature" of ACLs when used with tar. tar itself works well with files that have associated ACLs. Unfortunately, the tar file is not readable under previous SunOS and Solaris operating systems.

It is also important to note that ACLs "stick" to a file during copy and rename operations. To remove the ACL from a file use setfacl -d for each entry. When the last entry is removed, the "+" disappears from the file's ls display.
