Softpanorama
(slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)

Softpanorama Search

Unix Access Control Lists (ACL)

News Editorial Recommended Links Recommended Papers Tutorials Unix permissions model
Solaris ACLs Solaris RBAC Linux ACLs   Humor Etc

For an intro see Slightly Skeptical view on Unix Access Control Lists. Files and directories have permission sets for the owner of the file, the group associated with the file, and all other users for the system. However, these permission sets have limitations. For example, different permissions cannot be configured for different users. Thus, Access Control Lists (ACLs) were implemented.

The Red Hat Enterprise Linux 4 kernel provides ACL support for the ext3 file system and NFS-exported file systems. ACLs are also recognized on ext3 file systems accessed via Samba.

Along with support in the kernel, the acl package is required to implement ACLs. It contains the utilities used to add, modify, remove, and retrieve ACL information.

The cp and mv commands copy or move any ACLs associated with files and directories.

In Red Hat before using ACLs for a file or directory, the partition for the file or directory must be mounted with ACL support. If it is a local ext3 file system, it can mounted with the following command: 
mount -t ext3 -o acl  <device-name> <partition>

For example: 

mount -t ext3 -o acl /dev/VolGroup00/LogVol02 /work

Alternatively, if the partition is listed in the /etc/fstab file, the entry for the partition can include the acl option: 

LABEL=/work      /work       ext3    acl        1 2

If an ext3 file system is accessed via Samba and ACLs have been enabled for it, the ACLs are recognized because Samba has been compiled with the --with-acl-support option. No special flags are required when accessing or mounting a Samba share.

By default, if the file system being exported by an NFS server supports ACLs and the NFS client can read ACLs, ACLs are utilized by the client system.

To disable ACLs on NFS shares when configuring the server, include the no_acl option in the /etc/exports file. To disable ACLs on an NFS share when mounting it on a client, mount it with the no_acl option via the command line or the /etc/fstab file.

There are two types of ACLs: access ACLs and default ACLs. An access ACL is the access control list for a specific file or directory. A default ACL can only be associated with a directory; if a file within the directory does not have an access ACL, it uses the rules of the default ACL for the directory. Default ACLs are optional.

ACLs can be configured:

  1. Per user
  2. Per group
  3. Via the effective rights mask
  4. For users not in the user group for the file

The setfacl utility sets ACLs for files and directories. Use the -m option to add or modify the ACL of a file or directory: 

setfacl -m <rules> <files>

Rules (<rules>) must be specified in the following formats. Multiple rules can be specified in the same command if they are separated by commas.

u:<uid>:<perms>
Sets the access ACL for a user. The user name or UID may be specified. The user may be any valid user on the system.
g:<gid>:<perms>
Sets the access ACL for a group. The group name or GID may be specified. The group may be any valid group on the system.
m:<perms>
Sets the effective rights mask. The mask is the union of all permissions of the owning group and all of the user and group entries.
o:<perms>
Sets the access ACL for users other than the ones in the group for the file.

Whitespace is ignored. Permissions (<perms>) must be a combination of the characters r, w, and x for read, write, and execute.

If a file or directory already has an ACL, and the setfacl command is used, the additional rules are added to the existing ACL or the existing rule is modified.

For example, to give read and write permissions to user tfox: 

setfacl -m u:tfox:rw /project/somefile

To remove all the permissions for a user, group, or others, use the -x option and do not specify any permissions: 

setfacl -x <rules> <files>

For example, to remove all permissions from the user with UID 500: 

setfacl -x u:500 /project/somefile

Old News ;-)

Re Linux ACLs

From: John Valdes
Subject: Re: Linux ACLs
Date: Tue, 26 Oct 2004 22:34:59 -0500
User-agent: Mutt/1.2.5i 
On Tue, Oct 26, 2004 at 09:22:51PM +0200, address@bogus.example.com wrote:
> 
> On 26 Oct, Philippe wrote:
> > 
> >> Are you looking at the POSIX 1003.1e ACLs in the ext2/3 filesystem or SE
> >> Linux stuff?
> > 
> > I thought the Linux ACL followed the Posix recommendations. This was 
> > discussed a couple of weeks ago with Mark. I think Mark has considered 
> > looking the Linux ACL API seriously.
> 
> I searched high and low for the POSIX API and it still does not make
> sense to me. There is no real documentation and the little I have
> found does not agree with what I find on my own systems, so I
> don't know what to do yet.

I've only taken a cursory look at Linux ACLs (and ACLs in general), so
the following may not be totally correct.  Solaris's & Linux's ACL
implementations have similar command interfaces (eg, "getfacl" and
"setfacl" commands w/ similar syntax & output), and for the most part
follow the POSIX 1003.2c ACL recommendations, but the ACL APIs used
are quite different.  Linux's seems to be modeled after that last (and
withdrawn) draft (17) of the POSIX 1003.1e recommendation.  From what
I've read, Solaris's API is based on an earlier and apparently much
simpler API.  

The primary repository of info on Linux's implementation of ACLs is
<http://acl.bestbits.at/>.  There are copies of all the relevant
manpages there (commands, system calls, and library functions), plus a
link to a paper presented at USENIX 2003 which talks about the state
of POSIX ACLs on Linux (<http://www.suse.de/~agruen/acl/linux-acls/>)
as of the time of writing.  There are also links to the POSIX draft
documents, FWTW.  The ACL patches and information presented on this
site are what were implemented in the 2.6 linux kernel (and in
SELinux), so regardless of what becomes of the POSIX ACL "standard",
it seems that this will be/is the Linux ACL standard (at least for
now; we are talking about Linux afterall ;) ).  Note that besides the
2.6 kernel, I believe RedHat >= 8.0 as well as newer versions of SuSE
at a minimum included ACL support in their shipping 2.4.x kernels.

BTW, the FreeBSD ACL API appears to be similar to the Linux API, and
I'm guessing that the Mac OS X API if/when that comes will follow the
FreeBSD one, so it looks like there'll be no avoiding the more
complicated API if one wants cross-platform ACL support in
cfengine... ;)

John

a-sct-attributes

Date:	Tue, 24 Oct 2000 12:21:04 +0100
From:	"Stephen C. Tweedie" <sct@redhat.com>
To:	Andreas Gruenbacher <ag@bestbits.at>
Subject: Re: [PROPOSAL] Extended attributes for Posix security extensions

Hi,

On Sun, Oct 22, 2000 at 04:23:53PM +0200, Andreas Gruenbacher wrote:
> 
> This is a proposal to add extended attributes to the Linux kernel.
> Extended attributes are name/value pairs associated with inodes.

What timing --- we had a long discussion (actually, several!) about
this very topic at the Miami storage workshop last week.

One of the main goals we had in getting people together to talk about
extended attributes in general, and ACLs in particular, was to deal
with the API issues cleanly.  In particular, we really want the API to
be at the same time:

   * General enough to deal with all of the existing,
     mutually-incompatible semantics for ACLs and attributes; and

   * Specific enough to define the requested semantics unambiguously
     for any one given implementation of the underlying attributes.

These points are really important.  We have people wanting to add ACL
support to ext2 in a manner which Samba can use --- can we do POSIX
ACLs with NT SID identifiers rather than with unix user ids?  If we
mount an NTFS filesystem, it will have native ACLs on disk.  How does
the API speficy that we want NT semantics, not POSIX semantics, for a
given request?

There is also the naming issue.  There are multiple independent
namespaces.  For extended attributes, there may be totally separate
namespaces for user attributes and for system ones, or there may be a
common namespace with per-attribute system status.  Again, these
different sets of semantics _already exist_ on filesystems which Linux
can mount (eg. NTFS, JFS and XFS), so the API has to deal with them.

There is already a kernel API which has this flexibility: the BSD
socket API handles these issues through the concepts of protocol
families and address families.  Those same two concepts are perfectly
matched to the extended attributes problem.


The proposal defines two "families" of attribute entities: attribute
families and name families.

An attribute family might be ATR_USER or ATR_SYSTEM to specify that we
are dealing with arbitrary user or system named extended attributes,
or ATR_POSIXACL to specify POSIX-semantics ACLs.  Obviously, this can
be extended to other ACL semantics without revving the API --- a new
attribute family would be all that is needed.

The "name family" is the other part of the equation.  Attributes in
the ATR_USER or ATR_SYSTEM families might be named with counted
strings, so they would have names in the ANAME_STRING name family.
POSIX ACLs, however, have a different namespace: ANAME_UID or
ANAME_GID.  The API cleanly deals with the difference between user and
group ACLs.  It also makes it easy to add support later on for more
complex operations: if we want to add NT SID support to ext2 ACLs so
that Samba and local accesses get the same access control, we can pass
ANAME_NTSID names to the ATR_POSIXACL attribute family without
changing the API.

Obviously the combinations of name types supported for any given
attribute family will depend on the underlying implementation, but
that's the whole point --- the API is expressive enough to define
unambiguously what the application is trying to do, so that if the
underlying filesystem doesn't support (say) POSIX ACLs, we get an
error back telling us so rather than attempting to do an incomplete
map of the POSIX request onto whatever the underlying filesystem
happens to support.


Before we look at the syscall API in detail, there's one other point
to note.  It is common to want to read or set one individual attribute
in isolation (even if it is an atomic set-and-get which is being
performed on that attribute).  Sometimes, however, you want to access
the entire set of related attributes as an ordered list.  ACLs are the
obvious case: if you have underlying semantics which allow you to mix
both PASS and DENY ACLs on a file, then the order of the ACLs
obviously matters.  

In such cases, you may sometimes want just to query or set the ACL for
a specific user, but often you will want to do something more complex
such as change the order of ACLs on the list or replace the entire
list as a single entity --- and you want to do so atomically.  So, the
simple "SET" and "GET" operations on named attributes (which
correspond to writing and reading the ACLs for specific named users in
the ATR_POSIXACL family) need to be augmented with SET variants which
append or prepend to the ACL list, or which atomically replace the old
ACL list in its entirety.


Our proposed kernel API looks something like this:

	sys_setattr (char *filename, int attrib_family, int op, 
		     struct attrib *old_attribs, int *old_lenp,
		     struct attrib *new_attribs, int new_len);

	sys_fsetattr(int fd, int attrib_family, int op, 
		     struct attrib *old_attribs, int *old_lenp,
		     struct attrib *new_attribs, int new_len);

where <op> can be

	ATR_SET		overwrite existing attribute
	ATR_GET		read existing attribute
	ATR_GETALL	read entire ordered attribute list (ignores new val)
	ATR_PREPEND	add new attribute to start of ordered list
	ATR_APPEND	add new attribute to end of ordered list
	ATR_REPLACE	replace entire ordered attribute list

and where <attribs> is a buffer of length <len> bytes of variable
length struct attrib records:

struct attrib {
	int	rec_len;		/* Length of the whole record:
					   should be padded to long
					   alignment */
	int	name_family;		/* Which namespace is the name in? */
	int	name_len;
	int	val_len;
	char	name[variable];		/* byte-aligned */
	char	val[variable];		/* byte-aligned */
};

ATR_SET will overwrite an existing attribute, or if the attribute does
not already exist, will append the new attribute (ie. it does not
override existing ACL controls, in keeping with the Principle of Least
Surprise).  If multiple instances of the name already exist, then the
first one is replaced and subsequent ones deleted.  If supplied with
an "old" buffer, all old attributes of that name will be returned.

For the PREPEND/APPEND/REPLACE operations, the entire old attribute
set is returned.

For GET, the <new> specification is read and all attributes which
match any items in <new> are returned, in the order in which they are
specified in <new>.  The actual value in <new> is ignored; only the
name is used.

For GETALL, <new> is ignored entirely.

*old_lenp should contain the size of the old attributes buffer on
entry.  It will contain the number of valid bytes in the old buffer on
exit.  If the buffer is not sufficiently large to contain all of the
attributes, E2BIG is returned.


This is just a first stab at documenting what feels like an
appropriate API.  It should be extensible enough for the future, but
is pretty easy to code to already --- existing filesystems don't have
to deal with any complexity they don't want to. 

Additionally, the use of well-defined namespaces for attributes means
that in the future we can implement things like common code for
generic attribute caching, or process authentication groups for
non-Unix-ID authentication tokens, without having to duplicate all of
that work in each individual filesystem.


The extended attribute patch currently on the acl-devel group simply
doesn't give us the ability to do extended attributes on any
filesystem other than ext2, because it has such specific semantics.
I'd rather avoid that, and I'd rather do so without adding a profusion
of different ACL and attribute syscalls in the process.

Cheers,
 Stephen
-
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org

Recommended Links

In case of broken links please try to use Google search. If you find the page please notify us about new location
Google     

Recommended Papers

***** POSIX Access Control Lists on Linux by Andreas Grünbacher

Traditionally, systems that support the POSIX (Portable Operating System Interface) family of standards [11,2] share a simple yet powerful file system permission model: Every file system object is associated with three sets of permissions that define access for the owner, the owning group, and for others. Each set may contain Read (r), Write (w), and Execute (x) permissions. This scheme is implemented using only nine bits for each object. In addition to these nine bits, the Set User Id, Set Group Id, and Sticky bits are used for a number of special cases. Many introductory and advanced texts on the UNIX operating system describe this model [19].

Although the traditional model is extremely simple, it is sufficient for implementing the permission scenarios that usually occur on UNIX systems. System administrators have also found several workarounds for the model's limitations. Some of these workarounds require nonobvious group setups that may not reflect organizational structures. Only the root user can create groups or change group membership. Set-user-ID root utilities may allow ordinary users to perform some administrative tasks, but bugs in such utilities can easily lead to compromised systems. Some applications like FTP daemons implement their own extensions to the file system permission model [15]. The price of playing tricks with permissions is an increase in complexity of the system configuration. Understanding and maintaining the integrity of systems becomes more difficult.

Engineers have long recognized the deficiencies of the traditional permission model and have started to think about alternatives. This has eventually resulted in a number of Access Control List (ACL) implementations on UNIX, which are only compatible among each other to a limited degree.

This paper gives an overview of the most successful ACL scheme for UNIX-like systems that has resulted from the POSIX 1003.1e/1003.2c working group.

After briefly describing the concepts, some examples of how these are used are given for better understanding. Following that, the paper discusses Extended Attributes, the abstraction layer upon which ACLs are based on Linux. The rest of the paper deals with implementation, performance, interoperability, application support, and system maintenance aspects of ACLs.

The author was involved in the design and implementation of extended attributes and ACLs on Linux, which covered the user space tools and the kernel implementation for Ext2 and Ext3, Linux's most prominent file systems. Parts of the design of the system call interface are attributed to Silicon Graphics's Linux XFS project, particularly to Nathan Scott.

ACLs Support in Linux

Q: Is there support for ACLs (Access Control Lists) in Linux?

A: Yes, there is — from multiple development projects, with divergent approaches, all aiming to allow the administrator some means of specifying what capabilities a process is to be allowed, and other fine-grained permissions (including Mandatory Access Control labels, Capabilities, and auditing information). At this time (May 2001), all require modifications (third-party, unofficial kernel patches) to the Linux kernel's filesystem and VFS code (umask and access-control modifications), which sometimes take a while to catch up with new kernel releases. The kernel maintainers have not endorsed any one approach. Thus, implementing any of these approaches remains an advanced topic using experimental code.

Further, there is not broad agreement on what filesystem it is best to use with ACLs. The obvious choices are ext2 + extended-attributes extensions, Steven Tweedie's ext3 (ftp://ftp.linux.org.uk/pub/linux/sct/fs/jfs/), the AFS implementations from IBM/Transarc (http://www.openafs.org/) or the Arla Project (http://www.stacken.kth.se/projekt/arla/), GFS (http://www.globalfilesystem.org/), SGI's XFS (http://linux-xfs.sgi.com/projects/xfs/), or ReiserFS (http://www.namesys.com/).

Adding further confusion is that the leading candidate for an ACL standard, IEEE Std 1003.1e, was withdrawn by the IEEE/PASC/SEC working group while it was still a draft, on Jan. 15, 1998, and thus was never formally included in POSIX (http://wt.xpilot.org/publications/posix.1e/). It nonetheless remains influential.

Generic "capabilities" support is included in 2.2 and greater kernels, including a control in /proc called the "capabilities bounding set". Many "capabilities" operations will also require libcap, a library for getting and setting POSIX 1003.1e-type capabilities, which you can find at ftp://ftp.de.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/ . See also the Linux Kernel Capabilities FAQ: ftp://ftp.de.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/capfaq-0.2.txt .

The VFS patches, filesystems extensions or other filesystem facilities to store ACLs, patches for fsck utilities (preventing them from "cleaning up" your extended attributes), patches for GNU fileutils, patches for the quota tools, and administrative tools must be provided by the various unofficial ACL-on-Linux projects, of which there are several.

In addition to applying any applicable patches to your kernel, you will have to enable three kernel-configuration options (all in the "filesystems" section): "Extended filesystem attributes" (CONFIG_FS_EXT_ATTR), "Access Control Lists" (CONFIG_FS_POSIX_ACL) and "Extended attributes for ext2" (CONFIG_EXT2_FS_EXT_ATTR). In order to be offered these configuration options, you must also select "Prompt for development and/or incomplete code/drivers" (CONFIG_EXPERIMENTAL) in the code-maturity level options, towards the beginning of kernel configuration.

The AFS distributed storage system, originally developed at CMU, generically has built-in support for ACLs. As such, it seems reasonable to suspect that IBM/Transarc's leading AFS implementation on Linux, due to have an open-source (GPLed) development fork on the near future, would include ACL support. We have been unable to confirm that from Transarc's documentation, thus far. This may change as Transarc completes its open-source rollout. (Unfortunately, Transarc's open-source fork will have a licence problem that will prevent it shipping with Linux-based systems: It will be issued under the IBM Public Licence, which, although open source, is not compatible with the GNU General Public Licence the Linux kernel is issued under.)

The pre-existing Linux AFS project, the GPL-licenced Arla Project, has reportedly been moving slowly. The quality of its ACL support is likewise unknown.

The existing documentation for AFS on Linux, unfortunately, makes no mention of ACLs or capabilities support: http://sarn.org/docs/linux-afs/faq.html http://web.urz.uni-heidelberg.de/Veranstaltungen/LUG/Vortraege/AFS/AFS-HOWTO.html

There have been two main attempts to implement POSIX ACLs on ext2 + extensions. One was the LiVE Project, at http://aerobee.informatik.uni-bremen.de/acl_eng.html . That effort appears to be now defunct.

The other, and probably your best bet for ACLs on Linux today, is Andreas Gruenbacher's Linux ACLs project, http://acl.bestbits.at/ . Gruenbacher has a well-developed ACL implementation with storage extensions for ext2, linking the extended attributes to inodes, and with ACLs among the data storable in those extended attributes. He expects that porting his subsystem to ext3 will be easy.

The Samba Project favours/encourages Gruenbacher's approach, and as of April 2001, Samba 2.2 will support his ACLs implmentation, if supported in the Linux kernel. (See: http://lists.samba.org/archive/samba-technical/2000-April/007619.html , http://us1.samba.org/samba/whatsnew/samba-2.2.0.html .)

The Linux Trustees Project (http://trustees.sourceforge.net/) is a non-POSIX, memory-based approach, loading all extended-attributes information from a database at startup.

RSBAC (http://www.rsbac.de/) is another Linux project to implement non-POSIX ACLs, along with a number of other security-architecture goals.

Linux-Privs (http://sourceforge.net/projects/linux-privs/) is a project to implement the entire POSIX draft on Linux, and has moved slowly but is cooperating with Gruenbacher, resulting in part in these patches/utilities for 2.2.x and 2.4.x kernels by Linux kernel programmer Andrew G. Morgan (with some code by Gruenbacher): ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/

The ReiserFS and GFS maintainers are aware of the desirability of adding extended-attribute support to their filesystems, but have not yet done so. Hans Reiser is believed to favour a system implementing Macintosh-style resource streams/forks of artbitrary length to store the extended information, rather than extended-attribute storage within the filesystem structure.

Andreas Dilger has spoken of the Intermezzo distributed file system project (http://www.inter-mezzo.org/) in the near future implementing extended attributes similar to Gruenbacher's, making future ACL support on that filesystem (which is still in early beta) likely.

The XFS filesystem maintainers have built in full support for POSIX ACLs.

The LIDS Project (http://www.lids.org/) implements some "capabilities" ideas, but not ACLs.

Last, Pavel Machek maintains an "ELF capabilities" kernel patch and matching utilities, which allow the admin to strip specified capabilities from binary executables at execution time. It does not provide other ACL-type capabilities. The information on what capabilities to drop for a given binary upon execution is stored inside the ELF header, in a manner compatible with ordinary Linux operation. The advantage to this approach is that it does not require extended-attributes support in the underlying filesystem. Full details are at http://atrey.karlin.mff.cuni.cz/~pavel/elfcap.html

O'Reilly Network FreeBSD Access Control Lists

Access Control Lists (ACLs) solve these problems. They allow more flexibility than the standard Unix user/group/other set of permissions. ACLs have been available in commercial UNIXes such as IRIX and Solaris (and in Windows NT) for years. Now, thanks to the TrustedBSD project's work, ACLs are available in FreeBSD 5.0-RELEASE and beyond. Much of the information below applies, at least in part, to ACL implementations on other platforms; however, you will want to look at specific documentation to avoid being tripped up by differences in syntax. There shouldn't be many, as FreeBSD attempts to conform to the latest POSIX.1e draft.

22C116, Notes, Feb. 27, 1995

Under the classic MULTICS system, which was also used by the PRIMOS operating system, each file has an ACL, with access such as the following:

The read and write rights should be obvious.

The traverse right is used in the context of hierarchical directory structures. A user who has no right to read or write a directory can mention that directory in the path name of a file as long as the user has traverse rights to that directory -- the user is just passing through, but may not open the directory to list its contents.

The right to edit an access control list illustrates one approach to allowing the contents of the access control matrix to be modified. In a sense, all users with the right to edit the access control list of an object can be thought of as co-owners of the object. If one user (the legitimate owner of an object) grants the right to edit that object's ACL to another user, it is like granting the other user a power of attourny over the object.

Example: the UNIX file system

Under UNIX, each file has an ACL, but the ACL is strictly limited in structure. Each UNIX ACL has 3 fixed entries:

The rights associated with each entry are:

The MULTICS project originated as a joint project between MIT, GE and Bell Labs in the mid 1960's. In the late 1960's, Bell pulled out of the MULTICS project, largely because the technical staff of the computing group had concluded that MULTICS was getting too complicated. UNIX was born from this frustration, and the name UNIX is a pun on MULTICS -- suggesting a scaled down system designed to meet a scaled down set of goals.

The simple to implement ACL scheme of UNIX is an example of this. Unlike the MULTICS ACL, it is not general, but it meets the needs of most users of small computer systems. As a result, every UNIX ACL fits exactly in 9 bits of the I-node of the file it describes!

MULTICS was intended to meet the needs of a general information utility, and as such, it had to deal with the problems of large numbers of users, including users from competing organizations. The generality of the MULTICS access control list is well justified by this environment, and the success of PRIMOS in meeting the needs of compaines like Compuserve or The Source (modern examples of computer utilities) amply illustrates the appropriateness of the MULTICS design.

When UNIX systems are extended beyond single departments, the short ACL of UNIX becomes a problem. Distributed versions of UNIX such as the Appolo Domain operating system have been forced to add general ACL's back onto the UNIX file model in order to meet the demands of the large user base that such a system can serve.

Samba-3 Windows file and directory ACLs

POSIX Access Control Lists

It was argued by some that the ugo access control method did not permit sufficiently fine-grained control for the advanced UNIX administrator. This led to the development and implementation of the POSIX (portable operating system interoperability standards) Access Control List (ACL) capabilities. Unfortunately, there is no universally recognized standard for UNIX ACLs; the one implemented by Samba is Draft standard 1003.1e revision 17. It specifies an application programming interface (API). The various differing ways vendors have implemented the POSIX ACL standards means that Samba must maintain its own interface layer that maps POSIX ACL system calls to the correct one for the host UNIX operating system. The pressure for Samba to support Windows ACLs has put pressure on the standardization of ACLs.

POSIX ACLs provide a meta-file extension of the UNIX ugo permissions. While designed to be simple in concept and in use, ACLs can quickly lead to great complications. ACLs can be set on files and on directories. The only modes of access each Access Control Entry (ACE) in an ACL supports are: read, write and execute (rwx).

Like ugo permissions, a reset value "-" for an access mode means deny, and a set value means permit. ACLs add the capabilities of setting inheritance and mask controls on files and directories. Masks override group permissions.

There are two -- and only two -- conditions that would warrant the creation of a POSIX ACL on a file or a directory:

  1. To provide an access exception for a user who is not a member of the primary group, or to provide and access exception for a group other than the owner-group.
  2. To specifically exclude particular users who are a member of the owner-group from accessing the file or directory.

One of the big challenges in the use of POSIX ACLs is backup and recovery of a backup. The UNIX tools cpio and tar do not permit POSIX ACLs to be backed up. The pax, star and dump tools do permit this, but few UNIX administrators are aware of these tools. Some UNIX systems with ACL support do not have the tools, or administrators do not use them.

This means that UNIX POSIX ACLs can easily get lost in the event of a major system failure that necessitates recovery from a backup medium. The potential for loss of essential file system meta-data must be considered a liability of use.

A POSIX file ACL can be obtained by executing: getfacl a_file It has the following structure: 

# file: testfile <- the file name 
# owner: jeremy <-- the file owner 
# group: users  <-- the POSIX group owner 
user::rwx    <-- perms for the file owner (user) 
user:tpot:r-x  <-- perms for the additional user tpot 
group::r--    <-- perms for the file group owner (group)
group:engrs:r-- <-- perms for the additonal group engineers 
mask:rwx     <-- the mask that is ANDed with groups 
other::---    <-- perms applied to everyone else (other)

A directory ACL is obtained the same way and has the following structure: 

# file: testdir    <-- the directory name 
# owner: jeremy    <-- the directory owner 
# group: jeremy    <-- the POSIX group owner 
user::rwx       <-- directory perms for owner (user) 
group::rwx      <-- directory perms for owning group (group)
mask::rwx       <-- the mask that is ANDed with group perms 
other:r-x       <-- perms applied to everyone else (other) 
default:user::rwx   <-- inherited owner perms 
default:user:tpot:rwx <-- inherited extra perms for user tpot 
default:group::r-x  <-- inherited group perms 
default:mask:rwx   <-- inherited default mask
default:other:---   <-- inherited permissions for everyone (other)

Conditions That Impact Availability of ACLs in Samba/UNIX

Those who subscribe to the Samba mailing list will occasionally witness the consternation of administrators who are unable to create ACLs on the Samba host server from within the Windows Explorer. In all cases to date the problem has been a simple oveersight, either through lack of knowledge or through a simple little bit of information that was lost or forgotten during installation.

There are five parameters that must be met for Windows ACLs to function with Samba servers:

(a) Kernel ACL Support

Kernel support for POSIX ACLs is native to most relatively current generation UNIX systems. This is not the case for many Linux systems. The Linux-2.4.x series kernel does not have native ACLs support and requires the addition of the BestBits ACLs patch before this functionality can be obtained. Linux-2.6.x kernels do have native ACLs support, but it must be selected and built into the currently generated kernel for this to function. The Linux-2.6.x kernel configuration file entries to enable ACLs are as follows: 

CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_NFS_ACL=y
CONFIG_NFSD_ACL=y
CONFIG_NFS_ACL_SUPPORT=y

These settings were obtained from the /usr/src/linux/.config file, and they highlight the filesystem types for which ACLs can be either enabled or disabled.

(b) File System Type Must Have ACL Support

The Linux file systems ext2fs, ext3fs, reiserfs, jfs, xfs, and nfs can all be ACL enabled. Such enablement is determined as shown above by having this support in the Linux kernel. UNIX system users should verify that support for ACLs is available in the file system type that is being used.

(c) ACL Support Library Availability and Samba ACLs Enablement

Linux systems require the installation of particular libraries. For example the linux-2.6.x kernel requires, for ACLs support, the availability of the libacl.so and libattr.so libraries. The RPM packages that provide these libraries are respectively called: libacl-2.2.25 and libattr-2.4.16. When Samba is compiled on a Linux system the respective development libraries must also be installed prior to compilation. Support for ACLs in the Samba executables can be validated by executing: 

merlin: # > smbd -b | grep ACL
  HAVE_SYS_ACL_H
  HAVE_POSIX_ACLS

(d) File Systems Mounted with ACLs Support

UNIX/Linux systems that are ACL enabled may have file systems that have been mounted without ACL support. The best way to verify that mounted file systems have ACL support enabled can be done by executing: 

merlin: # > mount
/dev/mapper/system-ROOT on / type reiserfs (rw,acl,user_xattr)
/dev/hda1 on /boot type reiserfs (rw,acl,user_xattr)
/dev/sda5 on /data type reiserfs (rw,acl,user_xattr)
/dev/mapper/system-VAR on /var type reiserfs (rw,acl,user_xattr)
/dev/hdb1 on /data2 type reiserfs (rw,acl,user_xattr)
frodo:/home on /home type nfs (rw,soft,rsize=8192,wsize=8192,posix,acl,addr=192.168.1.1)
frodo:/home2 on /home2 type nfs (rw,soft,rsize=8192,wsize=8192,posix,acl,addr=192.168.1.1)
nfsd on /proc/fs/nfsd type nfsd (rw)

The above response from the mount query confirms that ACLs are supported on all mounted file systems, including NFS mounts.

When all the above conditions have been validated a simple test for ACL support can be conducted by executing the following: 

merlin: # > touch testfile
merlin: # > setfacl -m user:bin:rwx testfile
merlin: # > getfacl testfile# file: testfile
# owner: root
# group: root
user::rwx
user:bin:rwx <==== This ACE proves that ACLs are supported
group::rwx
mask::rwx
other::r--

All things being equal, so to speak, ACLs support should now be possible through Samba. The next consideration in the use of Windows NT/200X ACLs by Windows workstation client users requires an understanding of how they are mapped to POSIX ACLs.

Security The Digital UNIX ACLs are based on the POSIX P1003.6 Draft 13 standard. ...

Using ACLs (Access Control Lists)

One of the features of Solaris 2.5 (the new OS that was recently installed on CNS Unix computers) is file ACLs (Access Control Lists). These allow you to have much finer control over access to your files and directories.

In the past, you could give read, write and execute access only to yourself (user), your group (group) and everyone else in the world (other). Now, besides those, you can give access to any individual users that you choose.

Let's say you have a group of people, yourself (sheridan), ivanova and kosh, working on a class project and a file named star_fury you all need to access.

 

Use the setfacl command (set file acl) to set ACLs for that file:

setfacl -s u::rwx,g::---,o::---,m:rwx,u:ivanova:rwx,u:kosh:rwx star_fury

The first user, group and other (where those names are followed by double colons) refer to the standard Unix file permissions. Mask works like the standard Unix umask. The rest of the command adds access for your group.

You can use the keywords user, group, other and mask or the first letter of those words and permissions can be specified in symbolic (rwx) or octal (7=rwx, 6=rw-, etc.) mode, so the following are all equivalent:

setfacl -s u::rwx,g::rw-,o::r-- star_fury
setfacl -s u::7,g::6,o::4 star_fury
setfacl -s user::rwx,group::rw-,other::r-- star_fury
setfacl -s user::7,group::6,other::4 star_fury

To see which ACLs are set, use the getfacl (get file acl) command:

getfacl star_fury 

# file: star_fury
# owner: sheridan
# group: other
user::rwx
user:ivanova:rwx        #effective:rwx
user:kosh:rwx           #effective:rwx
group::---              #effective:---
mask:rwx
other:---

You can also set default ACLs for directories, which will allow ACLs to be automatically set for any files that are created in those directories. To do this, make the directory:

mkdir bab5

and then set the ACL for the standard Unix groups (user, group, other) and mask and then the defaults for those same groups (using the keyword default or d):

setfacl -s u::7,g::6,m:4,o::6,d:u::7,d:g::5,d:m:7,d:o::5 bab5

Then you can set the defaults for your group (be sure to use the -m option to modify the defaults since the -s option deletes any existing ACLs before it sets a new ACL!):

setfacl -m d:u:ivanova:rwx,d:u:kosh:rwx bab5

and then to see what you've done:

getfacl bab5 

# file: bab5
# owner:sheridan 
# group: 1012
user::rwx
group::rw-              #effective:r--
mask:r--
other::rw-
default:user::rwx
default:user:ivanova:rwx
default:user:kosh:rwx
default:group::r-x
default:mask:rwx
default:other::r-x

and any files created in the bab5 directory will have read write and access permissions for yourself, ivanova and kosh.

For more information, see man setfacl, man getfacl or look at an online description in Sun World Online at

http://www.sun.com:80/sunworldonline/swol-08-1996/swol-08-security.html 

Tutorials

HOWTO Use filesystem ACLs - Gentoo Linux Wiki

Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Disclaimer:

Last modified: August 15, 2009