22.2.06


Solaris ACLs

I can never ever remember how to set ACLs. So this is the way to go...

To narrow it down, I have three users: apache, sysaudit and syslogng.

sysaudit and syslogng should be allowed to read and write in the directory (including sub-directories); apache should only be allowed to read.

# ls -la
.
.
.
drwxr-x--- 5 root root 512 Feb 17 16:18 auditlog
.
.
.

# getfacl auditlog
# file: auditlog
# owner: root
# group: root
user::rwx
group::r-x #effective:r-x
mask:r-x
other:---

The ACL should look like this in the end:

# getfacl auditlog
# file: auditlog
# owner: root
# group: root
user::rwx
user:apache:r-x #effective:r-x
user:syslogng:rwx #effective:rwx
user:sysaudit:rwx #effective:rwx
group::r-x #effective:r-x
mask:rwx
other:---
default:user::rwx
default:user:apache:r-x
default:user:syslogng:rwx
default:user:sysaudit:rwx
default:group::---
default:mask:rwx
default:other:---

Notice:
- default: entries are inherited by all files and sub-directories created in this directory afterwards, so new entries get the same permissions.
- mask is the maximum permission allowed; it caps named users (user:apache etc.) and the group entries, but not the owner (user::) or other.
- #effective is the bitwise AND of the entry's permission and the mask. As the name says, it is the permission the user actually gets.

I find it easier to edit the ACL using a text file (once you have a template) than to write complex setfacl commands (ugly syntax).

This ACL file can then be applied using setfacl [-r] -f acl_file file (with -r, setfacl recalculates the mask entry from the other entries instead of using the one in the file).

Another easy way to do this is to use /usr/dt/bin/dtfile. Very useful to apply the ACLs recursively to sub-directories.
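The same thing done from the shell, as an added example that is not part of the original post: it emits the ACL text shown in the getfacl listing above, applies it to every directory and file under auditlog with setfacl -f, and reproduces the #effective calculation from the notice. It assumes files under auditlog must never be executable, so they get the entries without the x bit and without default: lines (directories only).

```sh
# Added example, not from the original post. Assumption: files under the
# tree get the same entries minus the x bit and no default:* lines.

# Access entries shared by files and directories; $1 is "x" or "-".
acl_access() {
    printf 'user::rw%s\n'         "$1"
    printf 'user:apache:r-%s\n'   "$1"
    printf 'user:syslogng:rw%s\n' "$1"
    printf 'user:sysaudit:rw%s\n' "$1"
    printf 'group::r-%s\n'        "$1"
    printf 'mask:rw%s\n'          "$1"
    printf 'other:---\n'
}

# Directory ACL: access entries plus the default:* entries new files inherit.
acl_for_dir() {
    acl_access x
    printf 'default:user::rwx\n'
    printf 'default:user:apache:r-x\n'
    printf 'default:user:syslogng:rwx\n'
    printf 'default:user:sysaudit:rwx\n'
    printf 'default:group::---\n'
    printf 'default:mask:rwx\n'
    printf 'default:other:---\n'
}

# File ACL: no search bit, no default entries.
acl_for_file() { acl_access -; }

# What getfacl prints as #effective: the entry's bits ANDed with the mask.
acl_effective() {
    out=""
    for i in 1 2 3; do
        p=$(printf %s "$1" | cut -c"$i"); m=$(printf %s "$2" | cut -c"$i")
        if [ "$p" = "$m" ]; then out="$out$p"; else out="$out-"; fi
    done
    printf '%s\n' "$out"
}

# Apply both ACLs below $1 (run as root on Solaris; dtfile does the same).
acl_apply_tree() {
    tmp=${TMPDIR:-/tmp}/acl.$$
    mkdir "$tmp" || return 1
    acl_for_dir  > "$tmp/dir.acl"
    acl_for_file > "$tmp/file.acl"
    find "$1" -type d -exec setfacl -f "$tmp/dir.acl" {} \;
    find "$1" -type f -exec setfacl -f "$tmp/file.acl" {} \;
    rm -r "$tmp"
}
```

Run `acl_apply_tree /path/to/auditlog` after sourcing the file; `acl_effective rw- r-x` prints r--, which is why apache keeps r-x even though the directory mask is rwx.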
