Tuesday, 2 July 2013

Solaris ACL (Access Control List)
Traditionally a file has one owner, one group and "others", each with its own read/write/execute (rwx) permission bits. Can we grant an extra user or group access to a directory or file without changing the permissions it already has? Yes, that is exactly what an ACL is for: it lets us decide who may do what with a file or a set of files, independently of the mode bits. How do we tell whether a file or directory carries such an ACL? In an ls -l listing, a "+" after the mode field marks a file whose ACL contains entries beyond the traditional owner/group/other permissions.

There are two kinds of file ACL in Solaris: the older POSIX-draft ACLs (used on UFS and managed with getfacl/setfacl) and NFSv4 ACLs (used on ZFS). This article covers the newer NFSv4 model; the old POSIX-style ACLs (getfacl, setfacl) will be covered in another post.

If you try the old ACL commands on a ZFS file, you get the following error:
bash-3.00# getfacl acl_unixrock
File system doesn't support aclent_t style ACL's.
See acl(5) for more information on Solaris ACL support.
bash-3.00#
If you try the new ACL syntax on a UFS or VxFS file, you get this error:
bash-3.00# chmod A+user:raj:read_attributes:allow /export/zones/zone1
chmod: ERROR: Different file system ACL types cannot be merged
bash-3.00#
Key points:
Trivial ACL – contains only owner@, group@ and everyone@ entries, i.e. nothing beyond what the traditional UNIX owner/group/other mode bits express.
Non-trivial ACL – contains additional entries (for example user: or group: entries) beyond owner, group and everyone; ls -l marks such files with a trailing "+".
ACE – Access Control Entry, one line of an ACL.

ACL Entry Type   Description
owner@           Specifies the access granted to the owner of the object.
group@           Specifies the access granted to the owning group of the object.
everyone@        Specifies the access granted to any user or group that does not match any other ACL entry.
user             With a user name, specifies the access granted to an additional user of the object. Must include the ACL-entry-ID, which contains a user name or UID. If the value is not a valid numeric UID or user name, the ACL entry is invalid.
group            With a group name, specifies the access granted to an additional group of the object. Must include the ACL-entry-ID, which contains a group name or GID. If the value is not a valid numeric GID or group name, the ACL entry is invalid.


Access Privilege    Compact   Description
add_file            w         Permission to add a new file to a directory.
add_subdirectory    p         On a directory, permission to create a subdirectory.
append_data         p         Placeholder. Not currently implemented.
delete              d         Permission to delete a file.
delete_child        D         Permission to delete a file or directory within a directory.
execute             x         Permission to execute a file or search the contents of a directory.
list_directory      r         Permission to list the contents of a directory.
read_acl            c         Permission to read the ACL (ls).
read_attributes     a         Permission to read the basic (non-ACL) attributes of a file, i.e. the stat-level attributes. Allowing this bit means the entity can run ls(1) and stat(2).
read_data           r         Permission to read the contents of the file.
read_xattr          R         Permission to read the extended attributes of a file or perform a lookup in the file's extended attributes directory.
synchronize         s         Placeholder. Not currently implemented.
write_xattr         W         Permission to create extended attributes or write to the extended attributes directory. Granting this permission means the user can create an extended attribute directory for a file; the attribute file's own permissions control access to the attribute.
write_data          w         Permission to modify or replace the contents of a file.
write_attributes    A         Permission to change the times associated with a file or directory to an arbitrary value.
write_acl           C         Permission to write the ACL, i.e. to modify the ACL with the chmod command.
write_owner         o         Permission to change the file's owner or group (to run chown or chgrp on the file). In practice this lets a user take ownership of the file or change its group to a group the user belongs to; changing the owner or group to an arbitrary user or group additionally requires the PRIV_FILE_CHOWN privilege.

Inheritance Flag   Compact   Description
file_inherit       f         Only inherit the ACL from the parent directory to the directory's files.
dir_inherit        d         Only inherit the ACL from the parent directory to the directory's subdirectories.
inherit_only       i         Inherit the ACL from the parent directory but apply it only to newly created files or subdirectories, not to the directory itself. Requires file_inherit, dir_inherit, or both, to say what to inherit.
no_propagate       n         Only inherit the ACL from the parent directory to the first-level contents of the directory, not to second-level or deeper contents. Requires file_inherit, dir_inherit, or both, to say what to inherit.
-                  N/A       No permission granted.
The tables above are taken from the ACL Model section of Oracle's ZFS documentation.
Don't be put off by the tables; we will work through the new ACL model with simple examples.
Let's start with freshly created files on ZFS and look at the ACL that each file and directory gets by default.
bash-3.00# ls -ltr
total 7
-rw-r--r--   1 root     root           0 Jul  3 00:32 file1
-rw-r--r--   1 root     root           0 Jul  3 00:32 file2
-rw-r--r--   1 root     root           0 Jul  3 00:32 file3
-rw-r--r--   1 root     root           0 Jul  3 00:32 file4
-rw-r--r--   1 root     root           0 Jul  3 00:32 file5
-rw-r--r--   1 root     root           0 Jul  3 00:32 file6
-rw-r--r--   1 root     root           0 Jul  3 00:32 file7
bash-3.00#
bash-3.00#
bash-3.00# ls -lv file1
-rw-r--r--   1 root     root           0 Jul  3 00:32 file1
     0:owner@:execute:deny
     1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2:group@:write_data/append_data/execute:deny
     3:group@:read_data:allow
     4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
bash-3.00#
The same ACL can be shown in compact form with ls -V. The 14-character permission field has one column per privilege, always in the order rwxpdDaARWcCos (the "Compact" column of the table above); a dash means the privilege is not part of that entry. The next field holds the inheritance flags. Note the deny entries: ZFS generates them from the mode bits (execute is denied to the owner because 644 has no x bit), and since entries are evaluated in order, a deny that comes before an allow wins for the privileges it names.
bash-3.00# ls -V file1
-rw-r--r--   1 root     root           0 Jul  3 00:32 file1
            owner@:--x-----------:------:deny
            owner@:rw-p---A-W-Co-:------:allow
            group@:-wxp----------:------:deny
            group@:r-------------:------:allow
         everyone@:-wxp---A-W-Co-:------:deny
         everyone@:r-----a-R-c--s:------:allow
bash-3.00#
For a directory, use ls -vd (the -d shows the directory itself instead of its contents):
bash-3.00# ls -vd /test_acl
drwxr-xr-x   2 root     root           9 Jul  3 00:32 /test_acl
     0:owner@::deny
     1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner:allow
     2:group@:add_file/write_data/add_subdirectory/append_data:deny
     3:group@:list_directory/read_data/execute:allow
     4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
         /write_attributes/write_acl/write_owner:deny
     5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow
bash-3.00#
The compact form for the directory (ls -Vd):
bash-3.00# ls -Vd /test_acl
drwxr-xr-x   2 root     root           9 Jul  3 00:32 /test_acl
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow
bash-3.00#
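To make the verbose and compact listings above concrete, here is an added example in Python (my code, not from the post and not Solaris code). It decodes ls -V lines into privilege sets, renders them in the ls -v spelling, and evaluates an ACL with the NFSv4 rule that entries are processed in order and the first matching entry that names a privilege decides it. The sample ACL is constructed by hand: the post's 644 file ACL with a hypothetical user:raj entry placed in front, the kind of entry chmod A+user:raj:... produces (A+ inserts at the front of the list). The user and group names, and the assumption that raj and bob are not in the owning group, are mine.

```python
"""Decode ls -V ACL lines from Solaris ZFS and compute effective access.
Added example for this post (not Solaris code). SAMPLE_ACL is constructed:
the post's 644 file ACL plus a hypothetical user:raj entry in front."""
from collections import namedtuple

COMPACT_ORDER = "rwxpdDaARWcCos"   # column order of the ls -V permission field
VERBOSE_ORDER = "rwpRWxDaAdcCos"   # order in which ls -v lists privileges
PRIV_NAMES = {                     # compact letter -> long name (file meaning)
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "d": "delete", "D": "delete_child", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
DIR_NAMES = {"r": "list_directory/read_data", "w": "add_file/write_data",
             "p": "add_subdirectory/append_data"}   # directory meaning of r/w/p
INHERIT_NAMES = {"f": "file_inherit", "d": "dir_inherit",
                 "i": "inherit_only", "n": "no_propagate"}
# Privileges that change content, metadata, owner or the ACL itself: an extra
# user:/group: entry allowing any of these is invisible in the ls -l mode bits.
WRITE_CLASS = set("wxpdDAWCo")

Ace = namedtuple("Ace", "principal privs flags kind")   # kind is allow/deny

def parse_ace(line):
    """Parse one ls -V line such as 'owner@:rw-p---A-W-Co-:------:allow'."""
    principal, compact, flags, kind = line.strip().rsplit(":", 3)
    if len(compact) != len(COMPACT_ORDER) or kind not in ("allow", "deny"):
        raise ValueError("not an ls -V ACL line: %r" % line)
    privs = set()
    for letter, column in zip(COMPACT_ORDER, compact):
        if column == letter:
            privs.add(letter)
        elif column != "-":
            raise ValueError("bad column %r in %r" % (column, line))
    names = tuple(INHERIT_NAMES.get(ch, ch) for ch in flags if ch != "-")
    return Ace(principal, frozenset(privs), names, kind)

def parse_acl(text):
    """Parse the ACE lines of an ls -V listing; the ls -l header line is skipped."""
    return [parse_ace(l) for l in text.splitlines()
            if l.strip().rsplit(":", 1)[-1] in ("allow", "deny")]

def verbose(privs, directory=False):
    """Render a privilege set the way ls -v prints it."""
    names = dict(PRIV_NAMES, **DIR_NAMES) if directory else PRIV_NAMES
    return "/".join(names[l] for l in VERBOSE_ORDER if l in privs)

def is_trivial(acl):
    """Trivial ACL as the post defines it: only owner@/group@/everyone@ entries."""
    return all(a.principal in ("owner@", "group@", "everyone@") for a in acl)

def _matches(ace, user, groups, owner, owning_group):
    p = ace.principal
    if p == "everyone@":   # NFSv4 everyone@ includes the owner, unlike POSIX "other"
        return True
    if p == "owner@":
        return user == owner
    if p == "group@":
        return owning_group in groups
    kind, _, name = p.partition(":")   # user:NAME or group:NAME
    return name == user if kind == "user" else name in groups

def effective(acl, user, groups, owner, owning_group):
    """NFSv4 evaluation: walk the ACL in order; the first matching entry that
    names a privilege decides it (allow or deny); anything undecided is denied."""
    decided = {}
    for ace in acl:
        if _matches(ace, user, groups, owner, owning_group):
            for letter in ace.privs:
                decided.setdefault(letter, ace.kind == "allow")
    return frozenset(l for l, ok in decided.items() if ok)

def hidden_grants(acl):
    """Extra user:/group: principals allowed any write-class privilege."""
    return sorted((a.principal,
                   "".join(sorted(a.privs & WRITE_CLASS, key=COMPACT_ORDER.index)))
                  for a in acl if a.kind == "allow"
                  and a.principal.startswith(("user:", "group:"))
                  and a.privs & WRITE_CLASS)

# Constructed sample: the post's 644 file ACL with a user:raj entry in front.
SAMPLE_ACL = """\
-rw-r--r--   1 root     root           0 Jul  3 00:32 file1
          user:raj:rw-p--a-R-c--s:------:allow
            owner@:--x-----------:------:deny
            owner@:rw-p---A-W-Co-:------:allow
            group@:-wxp----------:------:deny
            group@:r-------------:------:allow
         everyone@:-wxp---A-W-Co-:------:deny
         everyone@:r-----a-R-c--s:------:allow
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("trivial ACL:", is_trivial(acl))
    for user, groups in (("root", {"root"}), ("raj", {"staff"}), ("bob", {"users"})):
        eff = effective(acl, user, groups, "root", "root")
        print("%-5s %s" % (user, "".join(l if l in eff else "-" for l in COMPACT_ORDER)))
    print("write-class grants not visible in ls -l:", hidden_grants(acl))
```

Run it and the mode bits still read -rw-r--r--, yet raj gets read_data and write_data while bob gets only the everyone@ reads. Order matters: move the user:raj entry behind the everyone@ deny entry and write_data is denied to raj, because that deny now matches first. Also remember that root, or any process carrying the file_dac_* privileges, bypasses these checks entirely, so no listing tells you what root can do.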
That covers the basics of the new ACL model. Next we can grant an additional user read, write or execute access to a file without changing the file's existing permissions.