Tuesday, 16 July 2013

In this article, we are going to discussing about the Solaris ACLs on ZFS files and directories. Let we can see the detailed manner of settings and displaying the ACLs on ZFS files by using "chmod" and "ls" commands. In the below example, we are going to provide a required access to one user without changing the default permission of the files/directories. Below files are owned by root, but application user (oraadm) also wanted  read/write/execute access on these files. is it possible to do that without changing the default permissions ? yes, we can do it. Let we can try for one file (file1) and do it for other files as well for the same.
bash-3.00# ls -ld unixrock_acl
drwxr-xr-x   2 root     root           9 Jul  3 00:32 unixrock_acl
bash-3.00#
bash-3.00# cd unixrock_acl
bash-3.00# ls -ltr
total 7
-rw-r--r--   1 root     root           0 Jul  3 00:32 file1
-rw-r--r--   1 root     root           0 Jul  3 00:32 file2
-rw-r--r--   1 root     root           0 Jul  3 00:32 file3
-rw-r--r--   1 root     root           0 Jul  3 00:32 file4
-rw-r--r--   1 root     root           0 Jul  3 00:32 file5
-rw-r--r--   1 root     root           0 Jul  3 00:32 file6
-rw-r--r--   1 root     root           0 Jul  3 00:32 file7
bash-3.00#
First check the current permission status as like below
bash-3.00# ls -lv file1
-rw-r--r--   1 root     root           0 Jul  3 00:32 file1
     0:owner@:execute:deny
     1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2:group@:write_data/append_data/execute:deny
     3:group@:read_data:allow
     4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
bash-3.00#
Details of this file ACL is given below
0:owner@ Represent that deny permission is empty.
1:owner@ Represent that owner can read, write, append and modify the file contents and owner can change the ownership of the file.
2:group@ Represent that group is deny to write, append and execute.
3:group@ Represent that group is allow to read.
4:everyone@ Represent that everyone deny to write, append, execute and modify the file contents.
5:everyone@ Represent that everyone is having read permissions.

Adding ACLs entries for one user (Oraadm) for one file (file1)
bash-3.00# chmod A+user:oraadm:read_data/write_data/execute/append_data/write_xattr/write_attributes/write_acl/write_owner:allow file1
bash-3.00#
bash-3.00# ls -V file1
-rw-r--r--+  1 root     root           0 Jul  3 00:32 file1
       user:oraadm:rwxp---A-W-Co-:------:allow
            owner@:--x-----------:------:deny
            owner@:rw-p---A-W-Co-:------:allow
            group@:-wxp----------:------:deny
            group@:r-------------:------:allow
         everyone@:-wxp---A-W-Co-:------:deny
         everyone@:r-----a-R-c--s:------:allow
bash-3.00#
Now "oraadm" user is having the read/write/execute permission to the "file1". Don't be fright, we can simplify the command usages as given below. Please refer ACL ID entries http://www.unixrock.com/2013/07/administration-of-solaris-acl-access.html
bash-3.00# chmod A+user:oraadm:rwxpAWCo:allow file1
bash-3.00#
bash-3.00# ls -lv file1
-rw-r--r--+  1 root     root           0 Jul  3 00:32 file1
     0:user:oraadm:read_data/write_data/append_data/write_xattr/execute
         /write_attributes/write_acl/write_owner:allow
     1:user:oraadm:read_data/write_data/append_data/write_xattr/execute
         /write_attributes/write_acl/write_owner:allow
     2:owner@:execute:deny
     3:owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     4:group@:write_data/append_data/execute:deny
     5:group@:read_data:allow
     6:everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     7:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
bash-3.00#
This is the way we can add the required permission to one user. let we can see to remove the same permission from ACL.
bash-3.00# chmod A-user:oraadm:read_data/write_data/execute/append_data/write_xattr/write_attributes/write_acl/write_owner:allow file1
bash-3.00#
bash-3.00# ls -V file1
-rw-r--r--   1 root     root           0 Jul  3 00:32 file1
            owner@:--x-----------:------:deny
            owner@:rw-p---A-W-Co-:------:allow
            group@:-wxp----------:------:deny
            group@:r-------------:------:allow
         everyone@:-wxp---A-W-Co-:------:deny
         everyone@:r-----a-R-c--s:------:allow
bash-3.00#
we can also try the same in below method.
bash-3.00# chmod A-user:oraadm:rwxpAWCo:allow file1
bash-3.00#
bash-3.00# ls -V file1
-rw-r--r--   1 root     root           0 Jul  3 00:32 file1
            owner@:--x-----------:------:deny
            owner@:rw-p---A-W-Co-:------:allow
            group@:-wxp----------:------:deny
            group@:r-------------:------:allow
         everyone@:-wxp---A-W-Co-:------:deny
         everyone@:r-----a-R-c--s:------:allow
bash-3.00#
let we can see the procedure to adding ACLs entries for one user (Oraadm) for one directory.
bash-3.00# ls -dv unixrock_acl
drwxr-xr-x   2 root     root           9 Jul  3 00:32 unixrock_acl
     0:owner@::deny
     1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner:allow
     2:group@:add_file/write_data/add_subdirectory/append_data:deny
     3:group@:list_directory/read_data/execute:allow
     4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
         /write_attributes/write_acl/write_owner:deny
     5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow
bash-3.00#
bash-3.00# ls -dV unixrock_acl
drwxr-xr-x   2 root     root           9 Jul  3 00:32 unixrock_acl
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow
bash-3.00#
below example read_data/execute permissions are added for user "oraadm" for one directory "unixrock_acl"
bash-3.00# chmod A+user:oraadm:read_data/execute:allow unixrock_acl
bash-3.00#
bash-3.00# ls -vd unixrock_acl
drwxr-xr-x+  2 root     root           9 Jul  3 00:32 unixrock_acl
     0:user:oraadm:list_directory/read_data/execute:allow
     1:owner@::deny
     2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner:allow
     3:group@:add_file/write_data/add_subdirectory/append_data:deny
     4:group@:list_directory/read_data/execute:allow
     5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
         /write_attributes/write_acl/write_owner:deny
     6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow
bash-3.00#
If sub-directories are creating under the “unixrock_acl” folder, then ACE (Access Control Entries) will not be propagated for the user “oradm”. “Oradm” will not be having the permission on newly created sub folders under unixrock_acl.
bash-3.00# ls -ld unixrock_acl
drwxr-xr-x+  2 root     root           9 Jul  3 00:32 unixrock_acl
bash-3.00# cd unixrock_acl
bash-3.00# mkdir test_unixrock
bash-3.00#
bash-3.00# ls -ld test_unixrock
drwxr-xr-x   2 root     root           2 Jul 11 23:15 test_unixrock
bash-3.00#
To Overcome on this we have to add the inherit flags in ACL as given below
bash-3.00# chmod A0=user:oraadm:list_directory/read_data/execute:file_inherit/dir_inherit/inherit_only:allow unixrock_acl
bash-3.00#
bash-3.00# ls -vd unixrock_acl
drwxr-xr-x+  3 root     root          10 Jul 11 23:15 unixrock_acl
     0:user:oraadm:list_directory/read_data/execute:file_inherit/dir_inherit
         /inherit_only:allow
     1:owner@::deny
     2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner:allow
     3:group@:add_file/write_data/add_subdirectory/append_data:deny
     4:group@:list_directory/read_data/execute:allow
     5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
         /write_attributes/write_acl/write_owner:deny
     6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow
bash-3.00#
Let we can create a sub-directory test_unixrock2 under the unixrock_acl folder.
bash-3.00# cd unixrock_acl
bash-3.00# ls -ltr
total 13
-rw-r--r--+  1 root     root           0 Jul  3 00:32 file1
-rw-r--r--   1 root     root           0 Jul  3 00:32 file2
-rw-r--r--   1 root     root           0 Jul  3 00:32 file3
-rw-r--r--   1 root     root           0 Jul  3 00:32 file4
-rw-r--r--   1 root     root           0 Jul  3 00:32 file5
-rw-r--r--   1 root     root           0 Jul  3 00:32 file6
-rw-r--r--   1 root     root           0 Jul  3 00:32 file7
drwxr-xr-x   2 root     root           2 Jul 11 23:15 test_unixrock
drwxr-xr-x+  2 root     root           2 Jul 11 23:35 test_unixrock2
bash-3.00#
bash-3.00# ls -Vd test_unixrock2
drwxr-xr-x+  2 root     root           2 Jul 11 23:35 test_unixrock2
       user:oraadm:r-x-----------:fdi---:allow
       user:oraadm:--------------:------:deny
       user:oraadm:r-x-----------:------:allow
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow
bash-3.00#
we have successfully provided the required access to one user without changing the default permission of files and directories and its sub-directories as well. Thanks for reading this article.