There are two types of file ACLs in Solaris: the older POSIX-draft ACLs (used on UFS and managed with getfacl/setfacl) and NFSv4 ACLs (used on ZFS). In this article we discuss the newer NFSv4 ACL model; the old getfacl/setfacl style will be covered in another post.
If you try the old ACL commands on a file that lives on ZFS, you get this error:

bash-3.00# getfacl acl_unixrock
File system doesn't support aclent_t style ACL's.
See acl(5) for more information on Solaris ACL support.
bash-3.00#
If you try the new ACL syntax on a file that lives on UFS or VxFS, you get this error instead:

bash-3.00# chmod A+user:raj:read_attributes:allow /export/zones/zone1
chmod: ERROR: Different file system ACL types cannot be merged
bash-3.00#

Key Points:
Trivial ACL – An ACL made up only of owner@, group@ and everyone@ entries, i.e. one that says nothing more than the traditional rwx mode bits. Every newly created file starts with one.
Non-Trivial ACL – An ACL that contains entries beyond owner@, group@ and everyone@ (for example a user or group entry). ls -l marks such a file with a + after the mode bits.
ACEs – Access Control Entries, the individual entries that make up an ACL. They are evaluated from the top down.
| ACL Entry Type | Description |
|---|---|
| owner@ | Specifies the access granted to the owner of the object. |
| group@ | Specifies the access granted to the owning group of the object. |
| everyone@ | Specifies the access granted to any user or group that does not match any other ACL entry. |
| user | With a user name, specifies the access granted to an additional user of the object. Must include the ACL-entry-ID, which is a user name or numeric UID. If the value is not a valid numeric UID or user name, the ACL entry is invalid. |
| group | With a group name, specifies the access granted to an additional group of the object. Must include the ACL-entry-ID, which is a group name or numeric GID. If the value is not a valid numeric GID or group name, the ACL entry is invalid. |
| Access Privilege | Compact Access Privilege | Description |
|---|---|---|
| add_file | w | On a directory, permission to add a new file (the directory counterpart of write_data; same compact letter). |
| add_subdirectory | p | On a directory, permission to create a subdirectory (the directory counterpart of append_data; same compact letter). |
| append_data | p | Placeholder. Not currently implemented. |
| delete | d | Permission to delete a file. |
| delete_child | D | Permission to delete a file or directory within a directory. |
| execute | x | Permission to execute a file or search the contents of a directory. |
| list_directory | r | On a directory, permission to list its contents (the directory counterpart of read_data; same compact letter). |
| read_acl | c | Permission to read the ACL (ls). |
| read_attributes | a | Permission to read basic (non-ACL) attributes of a file, i.e. the stat level attributes. Allowing this bit means the entity can run ls(1) and stat(2) on the file. |
| read_data | r | Permission to read the contents of the file. |
| read_xattr | R | Permission to read the extended attributes of a file or perform a lookup in the file's extended attributes directory. |
| synchronize | s | Placeholder. Not currently implemented. |
| write_xattr | W | Permission to create extended attributes or write to the extended attributes directory. Granting this permission to a user means that the user can create an extended attribute directory for a file. The attribute file's permissions control the user's access to the attribute. |
| write_data | w | Permission to modify or replace the contents of a file. |
| write_attributes | A | Permission to change the times associated with a file or directory to an arbitrary value. |
| write_acl | C | Permission to write the ACL, i.e. to modify the ACL with the chmod command. |
| write_owner | o | Permission to change the file's owner or group, i.e. to run chown or chgrp on the file. Without extra privilege this only lets a user take ownership of the file themselves or change its group to one they are a member of; changing the owner or group to an arbitrary user or group additionally requires the PRIV_FILE_CHOWN privilege. |
| Inheritance Flag | Compact Inheritance Flag | Description |
|---|---|---|
| file_inherit | f | Only inherit the ACL from the parent directory to the directory's files. |
| dir_inherit | d | Only inherit the ACL from the parent directory to the directory's subdirectories. |
| inherit_only | i | Inherit the ACL from the parent directory, but apply it only to newly created files or subdirectories and not to the directory itself. This flag requires the file_inherit flag, the dir_inherit flag, or both, to indicate what to inherit. |
| no_propagate | n | Only inherit the ACL from the parent directory to the first-level contents of the directory, not the second-level or subsequent contents. This flag requires the file_inherit flag, the dir_inherit flag, or both, to indicate what to inherit. |
| - | N/A | No inheritance flag set. |
Don't be put off by the tables above; the examples below make the new ACL format easy to follow.
Let's start with newly created files on ZFS and look at the ACL entries on files and directories.
bash-3.00# ls -ltr
total 7
-rw-r--r--   1 root     root           0 Jul  3 00:32 file1
-rw-r--r--   1 root     root           0 Jul  3 00:32 file2
-rw-r--r--   1 root     root           0 Jul  3 00:32 file3
-rw-r--r--   1 root     root           0 Jul  3 00:32 file4
-rw-r--r--   1 root     root           0 Jul  3 00:32 file5
-rw-r--r--   1 root     root           0 Jul  3 00:32 file6
-rw-r--r--   1 root     root           0 Jul  3 00:32 file7
bash-3.00#
bash-3.00# ls -lv file1
-rw-r--r--   1 root     root           0 Jul  3 00:32 file1
     0:owner@:execute:deny
     1:owner@:read_data/write_data/append_data/write_xattr/write_attributes/write_acl/write_owner:allow
     2:group@:write_data/append_data/execute:deny
     3:group@:read_data:allow
     4:everyone@:write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny
     5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
bash-3.00#

This is a trivial ACL: it only restates the -rw-r--r-- mode bits as owner@, group@ and everyone@ entries. Notice that each principal's deny entry comes before its allow entry; ACEs are evaluated in order, so a deny that is reached first wins for the permissions it names. The same ACL can be shown in compact form with ls -V:
bash-3.00# ls -V file1
-rw-r--r--   1 root     root           0 Jul  3 00:32 file1
            owner@:--x-----------:------:deny
            owner@:rw-p---A-W-Co-:------:allow
            group@:-wxp----------:------:deny
            group@:r-------------:------:allow
         everyone@:-wxp---A-W-Co-:------:deny
         everyone@:r-----a-R-c--s:------:allow
bash-3.00#

Each compact entry has the form who:permissions:inheritance-flags:type; the 14 permission positions are r w x p d D a A R W c C o s from the table above, and a - means the bit is not present. With ls -vd we can see the ACL on a directory itself:
bash-3.00# ls -vd /test_acl
drwxr-xr-x   2 root     root           9 Jul  3 00:32 /test_acl
     0:owner@::deny
     1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow
     2:group@:add_file/write_data/add_subdirectory/append_data:deny
     3:group@:list_directory/read_data/execute:allow
     4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr/write_attributes/write_acl/write_owner:deny
     5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:allow
bash-3.00#

On a directory the r, w and p bits are printed under both names (list_directory/read_data, add_file/write_data, add_subdirectory/append_data). The compact view of the same directory:
bash-3.00# ls -Vd /test_acl
drwxr-xr-x   2 root     root           9 Jul  3 00:32 /test_acl
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow
bash-3.00#

That covers the basics of the new ACL format. Next we can grant read/write/execute access to one additional user without changing the file's existing mode bits or ACL entries.
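As an added example (not code from the original post), the script below decodes the compact ls -V form shown above back into the verbose names that ls -v prints, and checks whether an ACL is trivial or non-trivial. It assumes the 14 permission positions are r w x p d D a A R W c C o s and the first four inheritance positions are f d i n, as in the tables above; any other flag character is reported raw. The sample entries are constructed from the file1 listing on this page plus a hypothetical user:raj entry, not captured from a real system, so the script runs on any POSIX shell without a Solaris box.

```shell
#!/bin/sh
# Added example, not code from the original post. Decodes the compact
# "ls -V" ACE form into the verbose names "ls -v" prints, and classifies an
# ACL as trivial or non-trivial. Assumptions (from the tables on the page):
# permission positions are r w x p d D a A R W c C o s, inheritance
# positions start f d i n; other flag characters are reported raw.
# Sample ACEs at the bottom are constructed, not captured from a system.

# decode_ace 'who:perms:flags:type' [dir]
# Prints who:name/name[...][:inherit/...]:type like ls -v. Pass "dir" so
# r/w/p use the directory names (list_directory/add_file/add_subdirectory).
decode_ace() {
    ace=$1
    kind=${2:-file}
    # user:raj:... entries carry an extra field, so peel fields off the right.
    type=${ace##*:}; ace=${ace%:*}
    flags=${ace##*:}; ace=${ace%:*}
    perms=${ace##*:}; who=${ace%:*}
    if [ ${#perms} -ne 14 ]; then
        echo "decode_ace: expected 14 permission characters, got '$perms'" >&2
        return 1
    fi
    names=""; i=0; rest=$perms
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}          # first character of $rest
        rest=${rest#?}
        i=$((i + 1))
        if [ "$c" = "-" ]; then continue; fi
        case $i in
            1)  if [ "$kind" = dir ]; then n=list_directory; else n=read_data; fi ;;
            2)  if [ "$kind" = dir ]; then n=add_file; else n=write_data; fi ;;
            3)  n=execute ;;
            4)  if [ "$kind" = dir ]; then n=add_subdirectory; else n=append_data; fi ;;
            5)  n=delete ;;          6)  n=delete_child ;;
            7)  n=read_attributes ;; 8)  n=write_attributes ;;
            9)  n=read_xattr ;;      10) n=write_xattr ;;
            11) n=read_acl ;;        12) n=write_acl ;;
            13) n=write_owner ;;     14) n=synchronize ;;
        esac
        names="${names:+$names/}$n"
    done
    inh=""; i=0; rest=$flags
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}
        rest=${rest#?}
        i=$((i + 1))
        if [ "$c" = "-" ]; then continue; fi
        case $i in
            1) n=file_inherit ;; 2) n=dir_inherit ;;
            3) n=inherit_only ;; 4) n=no_propagate ;;
            *) n="flag:$c" ;;    # position the page's table does not cover
        esac
        inh="${inh:+$inh/}$n"
    done
    if [ -n "$inh" ]; then
        printf '%s:%s:%s:%s\n' "$who" "$names" "$inh" "$type"
    else
        printf '%s:%s:%s\n' "$who" "$names" "$type"
    fi
}

# is_trivial: reads one ACE per line on stdin; succeeds only when every entry
# is owner@, group@ or everyone@ (what ls -l can express as mode bits). Any
# user: or group: entry makes the ACL non-trivial (ls -l shows a "+").
is_trivial() {
    while IFS= read -r line; do
        case $line in
            ''|owner@:*|group@:*|everyone@:*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample: file1's trivial ACL from the ls -V listing above.
FILE1_ACL='owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow'
# Hypothetical extra entry of the kind chmod A+user:raj:... would add.
RAJ_ACE='user:raj:r-----a-R-c---:------:allow'

printf '%s\n' "$FILE1_ACL" | while IFS= read -r line; do decode_ace "$line"; done
printf '%s\n' "$FILE1_ACL" | is_trivial && echo "file1: trivial ACL"
printf '%s\n' "$FILE1_ACL" "$RAJ_ACE" | is_trivial || echo "file1 + raj: non-trivial ACL"
```

Run it as is to see the decoded entries, or feed it real output: on a Solaris host, `ls -V file | sed 1d | tr -d ' ' | while read -r l; do decode_ace "$l"; done` turns the compact listing back into the verbose names. Decoding positions rather than letters matters because r, w and p each stand for two different privileges depending on whether the object is a file or a directory.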