Access Control List + Solaris

All the commands are fired from (% – user) prompt not (# – root) so do not confuse with the #es there with root prompt. They are the command output.

The ACL facility allows you to define more than just the usual eight permission bits for a file or directory. You can define a list of users (based on user-id or name) and groups (again, number or name) that you want to have access to a file. For each user or group getting special access, you can define read, write, or execute access permission.

There are only two commands that you need to learn for Solaris ACLs. They are setfacl for setting a file’s ACLs and getfacl for reading them. There are also a bunch of system and library calls that make the ACL facility available to programs. One confusing aspect of ACLs is that, in essence, every file already has an ACL entry. Running getfacl on a normal file reveals some ACL information:

% cd /usr/tmp% touch foo% ls -l foo-rw-r–r– 1 pbg staff 0 Jul 22 13:35 foo % getfacl foo
# file: foo# owner: pbg# group: staffuser::rw-group::r– #effective:r–mask:rwxother:r–

This ACL information is merely getfacl‘s interpretation of the Unix permissions on the file. The user, group and other information is a straightforward display of the permission bits for those fields. The mask field is very similar to the Unix umask method. It defines the maximum permissions allowed for users (other than the owner) and groups. Even if a user or group has permissions set that exceed the mask, the mask limits their access. The #effective display shows, for each user (except the owner) and group, the effect that the mask has on the permissions. The #effective output is the one to look at to determine exactly who can access the file and exactly what they are allowed to do.

To set an ACL for a file, use the command setfacl:

% setfacl -m user:jeff:rw- foo % ls -l foo-rw-r–r–+ 1 pbg staff 0 Jul 22 13:52 foo % getfacl foo

# file: foo# owner: pbg# group: staffuser::rw-user:jeff:rw- #effective:r–group::r– #effective:r–mask:r–other:r–

The -m option tells setfacl that I want to modify the ACLs for the file. Use the -s option to set the entire mode, but then you must type in the user, group, and other access bits as well:

% setfacl -s user::rw-,group::r–,other:—,mask:rw-,user:jeff:rw- foo

To set general user, group, and other permissions, use the field::perms identifier. To set ACLs for individual users and groups, use the field:uid or gid:perms identifier.

But back to our previous example. Notice that the effective access for user Jeff is unchanged, he can still only read the file, not write to it. That’s the result of the mask being applied to his permissions. To grant Jeff the access desired, I need to:

% setfacl -m mask:rw- foo% getfacl foo # file: foo# owner: pbg# group: staffuser::rw-user:jeff:rw- #effective:rw-group::r– #effective:r–mask:rw-other:r–

Now Jeff has read and write permissions to the file, while all others have only read access. Of note is the slight change in behavior of the ls command. Any file with specific ACL information is shown with a + at the end of the permission field. Unfortunately, find doesn’t seem to have an option to find all files with ACL lists.

As well as setting an ACL for the directory, you can set a default ACL for the directory. This default ACL is used to set the ACL on every file created within the directory. The only way I managed to get directory ACLs to work was using the -s option with a very-long parameter string:

% setfacl -s user::rwx,group::rw-,mask:r–,other:rw-,default:user::rw-,\default:group::r-x,default:mask:rwx,default:other:r-x bar % ls -ld bardrwxr–rw-+ 2 pbg staff 512 Jul 22 14:11 bar % getfacl bar # file: bar# owner: pbg# group: staffuser::rwxgroup::rw- #effective:r–mask:r–other:rw-default:user::rw-default:group::r-xdefault:mask:rwxdefault:other:r-x

Now set a default ACL, and create a file in the directory:

% setfacl -m default:user:jeff:rwx bar % getfacl bar # file: bar# owner: pbg# group: staffuser::rwxgroup::rw- #effective:r–mask:r–other:rw-default:user::rw-default:user:jeff:rwxdefault:group::r-xdefault:mask:rwxdefault:other:r-xdefault:user::rw-default:user:jeff:rwxdefault:group::r-xdefault:mask:rwxdefault:other:r-x % touch bar/test % getfacl bar/test # file: bar/test# owner: pbg# group: staffuser::rw-user:jeff:rwx #effective:r–group::r– #effective:r–mask:r–other:r–

There are several other aspects of ACLs, including deleting ACLs and using abbreviations and permission bit numbers (rather than symbols). This information is provided on the appropriate manual pages.

To use ACLs over an NFS mount, both the client and server must be running Solaris 2.5 or better. If the client is running 2.5 but the server is running 2.4 or lower, you’ll see an error such as:

% touch foo% getfacl foo # file: foo# owner: pbg# group: staffuser::rw-group::r– #effective:r–mask:rwxother:r– % setfacl -m user:jeff:rw- foofoo: failed to set acl entriessetacl error: Operation not applicable

You’ll get a similar error if you try to use ACLs in a swapfs-based directory (such as /tmp). Finally, there’s a “non-feature” of ACLs when used with tar. tar itself works well with files that have associated ACLs. Unfortunately, the tar file is not readable under previous SunOS and Solaris operating systems.

It is also important to note that ACLs “stick” to a file during copy and rename operations. To remove the ACL from a file use setfacl -d for each entry. When the last entry is removed, the “+” disappears from the file’s ls display.

Leave a Comment