ACL : Implementing NT-style permissions on Solaris

From Deimos.fr / Bloc Notes Informatique

1 Introduction

With respect to a computer filesystem, an access control list (ACL) is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed to be performed on given objects. In a typical ACL, each entry in the list specifies a subject and an operation (e.g. the entry (Alice, delete) on the ACL for file WXY gives Alice permission to delete file WXY).

This page is a quick reference only; if you need more explanation, please refer to the Sun ACL documentation linked in the references.

2 Enabling ACL

On ZFS, ACLs are enabled by default. There are, however, several different modes, and you need to choose the one that fits your usage.

You can see the current default configuration with the "zfs get all" command :

Command zfs
$ zfs get all zfs_volume
NAME                     PROPERTY         VALUE                         SOURCE
zfs_volume  type             filesystem                    -   
...
zfs_volume  aclmode          groupmask                     default
zfs_volume  aclinherit       restricted                    default
...

2.1 Inheritance mode

aclinherit - This property determines the behavior of ACL inheritance. Values include the following :

  • discard - For new objects, no ACL entries are inherited when a file or directory is created. The ACL on the file or directory is equal to the permission mode of the file or directory.
  • noallow - For new objects, only inheritable ACL entries that have an access type of deny are inherited.
  • restricted - For new objects, the write_owner and write_acl permissions are removed when an ACL entry is inherited.
  • passthrough - When property value is set to passthrough, files are created with a mode determined by the inheritable ACEs. If no inheritable ACEs exist that affect the mode, then the mode is set in accordance to the requested mode from the application.
  • passthrough-x - Has the same semantics as passthrough, except that when passthrough-x is enabled, files are created with the execute (x) permission, but only if execute permission is set in the file creation mode and in an inheritable ACE that affects the mode.

The default mode for the aclinherit is restricted.

2.2 Rights on creation mode

aclmode - This property modifies ACL behavior when a file is initially created or whenever a file or directory's mode is modified by the chmod command. Values include the following:

  • discard - All ACL entries are removed except for the entries needed to define the mode of the file or directory.
  • groupmask - User or group ACL permissions are reduced so that they are no greater than the group permission bits, unless it is a user entry that has the same UID as the owner of the file or directory. Then, the ACL permissions are reduced so that they are no greater than owner permission bits.
  • passthrough - During a chmod operation, ACEs other than owner@, group@, or everyone@ are not modified in any way. ACEs with owner@, group@, or everyone@ are disabled to set the file mode as requested by the chmod operation.

The default mode for the aclmode property is groupmask.

2.3 Changing mode

You can change the mode with commands like these :

Command zfs
zfs set aclmode=passthrough zfs_volume
zfs set aclinherit=passthrough zfs_volume

Simply choose the one you would like.

3 ACL Properties

3.1 Example

You are probably already familiar with the ls command. To display the current ACL entries, use one of the following options (pick whichever you find easier to read).

  • ls -dv :
Command ls
$ ls -dv zfs_volume
drwxrwxr-x  11 myuser   mygroup        11 oct  14 12:06 zfs_volume
     0:owner@::deny
     1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner:allow
     2:group@::deny
     3:group@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/execute:allow
     4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
         /write_attributes/write_acl/write_owner:deny
     5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow

  • ls -dV
Command ls
$ ls -dV zfs_volume
drwxrwxr-x  11 myuser   mygroup        11 oct  14 12:06 zfs_volume
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:--------------:------:deny
            group@:rwxp----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow

3.2 Complete properties list

3.2.1 ACL Entry Types

ACL Entry Type Global Description
owner@ yes Specifies the access granted to the owner of the object.
group@ yes Specifies the access granted to the owning group of the object.
everyone@ yes Specifies the access granted to any user or group that does not match any other ACL entry.
user no With a user name, specifies the access granted to an additional user of the object. Must include the ACL-entry-ID, which contains a username or userID. If the value is not a valid numeric UID or username, the ACL entry type is invalid.
group no With a group name, specifies the access granted to an additional group of the object. Must include the ACL-entry-ID, which contains a groupname or groupID. If the value is not a valid numeric GID or groupname, the ACL entry type is invalid.

3.2.2 ACL Access Privileges

Access Privilege Compact Access Privilege Description
add_file w Permission to add a new file to a directory.
add_subdirectory p On a directory, permission to create a subdirectory.
append_data p Placeholder. Not currently implemented.
delete d Permission to delete a file.
delete_child D Permission to delete a file or directory within a directory.
execute x Permission to execute a file or search the contents of a directory.
list_directory r Permission to list the contents of a directory.
read_acl c Permission to read the ACL (ls).
read_attributes a Permission to read basic attributes (non-ACLs) of a file. Think of basic attributes as the stat level attributes. Allowing this access mask bit means the entity can execute ls(1) and stat(2).
read_data r Permission to read the contents of the file.
read_xattr R Permission to read the extended attributes of a file or perform a lookup in the file's extended attributes directory.
synchronize s Placeholder. Not currently implemented.
write_xattr W Permission to create extended attributes or write to the extended attributes directory. Granting this permission to a user means that the user can create an extended attribute directory for a file. The attribute file's permissions control the user's access to the attribute.
write_data w Permission to modify or replace the contents of a file.
write_attributes A Permission to change the times associated with a file or directory to an arbitrary value.
write_acl C Permission to write the ACL or the ability to modify the ACL by using the chmod command.
write_owner o Permission to change the file's owner or group. Or, the ability to execute the chown or chgrp commands on the file. Permission to take ownership of a file or permission to change the group ownership of the file to a group of which the user is a member. If you want to change the file or group ownership to an arbitrary user or group, then the PRIV_FILE_CHOWN privilege is required.

3.2.3 ACL Inheritance Flags

Inheritance Flag Compact Inheritance Flag Description
file_inherit f Only inherit the ACL from the parent directory to the directory's files.
dir_inherit d Only inherit the ACL from the parent directory to the directory's subdirectories.
inherit_only i Inherit the ACL from the parent directory but applies only to newly created files or subdirectories and not the directory itself. This flag requires the file_inherit flag, the dir_inherit flag, or both, to indicate what to inherit.
no_propagate n Only inherit the ACL from the parent directory to the first-level contents of the directory, not the second-level or subsequent contents. This flag requires the file_inherit flag, the dir_inherit flag, or both, to indicate what to inherit.
- N/A No permission granted.
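The compact columns printed by ls -dV (section 3.1) are the tables above laid out positionally: one character per privilege in the order r w x p d D a A R W c C o s, then the inheritance flags. The following POSIX sh script is an added example, not code from the original page or from Sun. It decodes a compact entry back to the verbose names and, from a reviewer's point of view, marks any allow entry that would let a principal other than owner@ rewrite the ACL (write_acl or write_owner set), since such a principal can grant itself everything else. It needs only sh, sed and cut, so it runs on any system; the sample listing is the ls -dV output shown above, copied in as constructed input. Columns 5 and 6 of the flag field are not described in the page's table and are ignored.

```shell
#!/bin/sh
# Decoder / auditor for the compact ACE format printed by "ls -dV" on
# Solaris ZFS. Added example, not from the original page or from Sun.
# Access mask column order: r w x p d D a A R W c C o s (14 characters).

# decode_mask MASK -> verbose privilege names, "/"-separated; fails on a
# mask that is not 14 characters long or has a letter in the wrong column.
decode_mask() {
    mask=$1; out=""; i=1
    [ ${#mask} -eq 14 ] || { echo "bad access mask '$mask'" >&2; return 1; }
    while [ "$i" -le 14 ]; do
        ch=$(printf '%s' "$mask" | cut -c "$i")
        case "$i:$ch" in
            1:r)  name=read_data ;;        # list_directory on a directory
            2:w)  name=write_data ;;       # add_file on a directory
            3:x)  name=execute ;;
            4:p)  name=append_data ;;      # add_subdirectory on a directory
            5:d)  name=delete ;;
            6:D)  name=delete_child ;;
            7:a)  name=read_attributes ;;
            8:A)  name=write_attributes ;;
            9:R)  name=read_xattr ;;
            10:W) name=write_xattr ;;
            11:c) name=read_acl ;;
            12:C) name=write_acl ;;
            13:o) name=write_owner ;;
            14:s) name=synchronize ;;
            *:-)  name="" ;;               # bit not set
            *) echo "bad access mask '$mask' at column $i" >&2; return 1 ;;
        esac
        [ -z "$name" ] || out="${out:+$out/}$name"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# decode_flags FLAGS -> verbose inheritance flag names from the 6-character
# flag field. Only columns 1-4 (f d i n), the flags in the page's table, are
# decoded; columns 5 and 6 are ignored.
decode_flags() {
    fl=$1; out=""; i=1
    [ ${#fl} -eq 6 ] || { echo "bad flag field '$fl'" >&2; return 1; }
    while [ "$i" -le 4 ]; do
        ch=$(printf '%s' "$fl" | cut -c "$i")
        case "$i:$ch" in
            1:f) name=file_inherit ;;
            2:d) name=dir_inherit ;;
            3:i) name=inherit_only ;;
            4:n) name=no_propagate ;;
            *:-) name="" ;;
            *) echo "bad flag field '$fl' at column $i" >&2; return 1 ;;
        esac
        [ -z "$name" ] || out="${out:+$out/}$name"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# audit_ace LINE -> "principal:privileges[:flags]:type" in the style of
# "ls -v", with " RISK" appended when the entry is an allow for a principal
# other than owner@ that includes write_acl (C) or write_owner (o).
audit_ace() {
    line=$(printf '%s' "$1" | sed 's/^[[:space:]]*//')
    principal=${line%%:*}; rest=${line#*:}
    case "$principal" in           # user:NAME / group:NAME carry an extra field
        user|group) principal="$principal:${rest%%:*}"; rest=${rest#*:} ;;
    esac
    mask=${rest%%:*}; rest=${rest#*:}
    flags=${rest%%:*}; atype=${rest#*:}
    case "$atype" in allow|deny) ;; *) echo "bad entry '$1'" >&2; return 1 ;; esac
    privs=$(decode_mask "$mask") || return 1
    fl=$(decode_flags "$flags") || return 1
    risk=""
    if [ "$atype" = allow ] && [ "$principal" != owner@ ]; then
        case "$mask" in ???????????C*|????????????o*) risk=" RISK" ;; esac
    fi
    printf '%s:%s%s:%s%s\n' "$principal" "$privs" "${fl:+:$fl}" "$atype" "$risk"
}

# Constructed sample: the ls -dV listing shown on the page for zfs_volume.
SAMPLE_ACL='drwxrwxr-x  11 myuser   mygroup        11 oct  14 12:06 zfs_volume
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:--------------:------:deny
            group@:rwxp----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow'

# audit_listing (stdin: ls -dV output) -> one decoded line per ACE, then a
# final "risky entries: N" line; the ls header line is skipped.
audit_listing() {
    n=0
    while IFS= read -r l; do
        case "$l" in *:allow|*:deny) ;; *) continue ;; esac
        d=$(audit_ace "$l") || return 1
        printf '%s\n' "$d"
        case "$d" in *' RISK') n=$((n + 1)) ;; esac
    done
    printf 'risky entries: %s\n' "$n"
}

printf '%s\n' "$SAMPLE_ACL" | audit_listing
```

On Solaris the same functions work on live output: ls -dV path | audit_listing. An allow entry granting write_acl or write_owner to everyone@ or to an extra user or group is the one to look at first, because that principal can rewrite the rest of the ACL at will.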

4 Rights Management

4.1 Adding rights

If I want to add rights on a directory or file, I use chmod :

Command chmod
$ chmod A+user:myuser:read_data/execute:allow directory

  • A+ : A means ACL and + means add
  • user:myuser : the user name (here myuser)
  • read_data/execute:allow : allow the listed rights (read_data and execute)
  • directory : the directory I want to change

As we can see, the user entry is now present (at index 0) and its rights are shown :

Command ls
$ ls -dv directory
drwxr-xr-x+ 2 root      root           2 Aug 31 12:02 directory
    0:user:myuser:list_directory/read_data/execute:allow
    1:owner@::deny
    2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
        /append_data/write_xattr/execute/write_attributes/write_acl
        /write_owner:allow
    3:group@:add_file/write_data/add_subdirectory/append_data:deny
    4:group@:list_directory/read_data/execute:allow
    5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
        /write_attributes/write_acl/write_owner:deny
    6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
        /read_acl/synchronize:allow

A shorter form uses the compact letters :

Command chmod
$ chmod A+user:myuser:rx:allow directory

4.2 Deleting rights

Now if I want to delete the entry I just added, I delete it by its index (here id 0) :

Command chmod
$ chmod A0- directory

  • A0- : A for ACL, 0 for the entry with ID 0 and - for delete

As we can see, the user entry is now gone :

Command ls
$ ls -dv directory
drwxr-xr-x+ 2 root      root           2 Aug 31 12:02 directory
    0:owner@::deny
    1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
        /append_data/write_xattr/execute/write_attributes/write_acl
        /write_owner:allow
    2:group@:add_file/write_data/add_subdirectory/append_data:deny
    3:group@:list_directory/read_data/execute:allow
    4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
        /write_attributes/write_acl/write_owner:deny
    5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
        /read_acl/synchronize:allow

Another entry can be deleted by simply changing the number (e.g. A4-).

If we want to remove the ACL entirely :

Command chmod
$ chmod A- directory

4.3 Replacement

Now imagine my user's entry is back on this directory and I want to replace an existing right with another one :

Command chmod
$ chmod A0=user:myuser:execute:deny directory

I give the ID of the entry and ask it to deny execute.

For a faster way, you can do :

Command chmod
$ chmod A0=user:myuser:x:deny directory

WARNING : DO NOT FORGET TO SPECIFY THE ID, OR IT WILL REPLACE ALL YOUR CURRENT ENTRIES WITH THIS SINGLE ONE

Now if I want to replace everything with my user only :

Command chmod
chmod A=user:myuser:read_data:allow directory

My user is the only entry left, and the owner no longer has any rights :

Command ls
# ls -v directory
----------+ 1 root      root        2455 Dec 25 12:08 directory
    0:user:myuser:read_data:allow

You can also reset the rights with a normal mode-based chmod :

Command chmod
chmod 755 directory

Now we can see the rights are back :

Command ls
$ ls -dv directory
drwxr-xr-x+ 2 root      root           2 Aug 31 12:02 directory
    0:user:myuser:list_directory/read_data/execute:allow
    1:owner@::deny
    2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
        /append_data/write_xattr/execute/write_attributes/write_acl
        /write_owner:allow
    3:group@:add_file/write_data/add_subdirectory/append_data:deny
    4:group@:list_directory/read_data/execute:allow
    5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
        /write_attributes/write_acl/write_owner:deny
    6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
        /read_acl/synchronize:allow

4.4 Inheritance

Remember that inheritance to files and directories depends on the aclinherit mode you chose for your ACL. To add an inheritable entry, use this :

Command chmod
$ chmod A+user:myuser:read_data/execute:file_inherit:allow directory

file_inherit applies only to files; use dir_inherit as well for subdirectories.
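The add, delete and replace operations above all use one syntax, chmod A[index][+|=|-][entry] target, and the warning in 4.3 shows how easy it is to replace the whole ACL by leaving the index out. The following POSIX sh wrapper is an added example, not part of the original page or of Solaris: it validates the entry and the index before anything is executed, refuses the whole-ACL forms (A= and A- with no index) unless ALLOW_WHOLE_ACL=1 is set explicitly, and in its default dry-run mode prints the chmod command it would run, so it can be tried on any shell. The path /tank/directory and the user myuser are hypothetical.

```shell
#!/bin/sh
# Guarded front-end for the Solaris "chmod A..." ACL editing syntax.
# Added example, not from the original page or from Solaris. DRY_RUN=1 (the
# default) prints the command instead of running it; on Solaris set DRY_RUN=0
# to apply the change for real.
DRY_RUN=${DRY_RUN:-1}

# valid_spec SPEC -> 0 when SPEC is a well-formed entry in the page's syntax:
#   user:NAME:PERMS[:FLAGS]:TYPE, group:NAME:PERMS[:FLAGS]:TYPE,
#   or owner@|group@|everyone@:PERMS[:FLAGS]:TYPE, with TYPE allow or deny.
valid_spec() {
    case "$1" in
        user:*|group:*)
            name=${1#*:}; name=${name%%:*}
            [ -n "$name" ] || return 1 ;;      # user: / group: need a name
        owner@:*|group@:*|everyone@:*) ;;
        *) return 1 ;;
    esac
    case "$1" in *:allow|*:deny) return 0 ;; esac
    return 1
}

# acl_edit OP INDEX SPEC TARGET
#   OP     add | replace | delete      (chmod A+ / A= / A-)
#   INDEX  entry position as shown by "ls -v"; may be empty for add (the new
#          entry is inserted at position 0). For replace/delete an empty
#          INDEX means the WHOLE ACL and is refused unless ALLOW_WHOLE_ACL=1.
#   SPEC   entry to add or replace (must be empty for delete)
acl_edit() {
    op=$1; index=$2; spec=$3; target=$4
    case "$op" in
        add)     sym='+' ;;
        replace) sym='=' ;;
        delete)  sym='-' ;;
        *) echo "acl_edit: unknown operation '$op'" >&2; return 2 ;;
    esac
    if [ -n "$index" ]; then
        case "$index" in
            *[!0-9]*) echo "acl_edit: index '$index' is not a number" >&2; return 2 ;;
        esac
    elif [ "$op" != add ] && [ "${ALLOW_WHOLE_ACL:-0}" != 1 ]; then
        # The footgun from section 4.3: "A=" with no index replaces every
        # entry with this one, "A-" with no index strips all non-trivial ones.
        echo "acl_edit: refusing 'A$sym' without an index (affects the whole ACL); set ALLOW_WHOLE_ACL=1 if that is intended" >&2
        return 2
    fi
    if [ "$op" = delete ]; then
        [ -z "$spec" ] || { echo "acl_edit: delete takes no entry" >&2; return 2; }
    else
        valid_spec "$spec" || { echo "acl_edit: malformed entry '$spec'" >&2; return 2; }
    fi
    [ -n "$target" ] || { echo "acl_edit: missing target path" >&2; return 2; }
    if [ "$DRY_RUN" = 1 ]; then
        printf 'chmod A%s%s%s %s\n' "$index" "$sym" "$spec" "$target"
    else
        chmod "A$index$sym$spec" "$target"
    fi
}

# Dry-run walk through the page's own sequence on a hypothetical directory.
acl_edit add     '' 'user:myuser:read_data/execute:allow'              /tank/directory
acl_edit replace 0  'user:myuser:x:deny'                               /tank/directory
acl_edit delete  0  ''                                                 /tank/directory
acl_edit add     '' 'user:myuser:read_data/execute:file_inherit:allow' /tank/directory
acl_edit replace '' 'user:myuser:read_data:allow' /tank/directory || echo '(refused, as intended)'
```

The refusal is deliberate: the one-entry replacement the page demonstrates (chmod A=user:myuser:read_data:allow directory) is sometimes wanted, so it stays possible, but only after the caller states it with ALLOW_WHOLE_ACL=1 rather than by forgetting a digit.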

5 References

http://docs.sun.com/app/docs/doc/819-5461?l=en