ACL: Implementing NT-style rights on Solaris
1 Introduction
With respect to a computer filesystem, an access control list (ACL) is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed to be performed on given objects. In a typical ACL, each entry in the list specifies a subject and an operation (e.g. the entry (Alice, delete) on the ACL for file WXY gives Alice permission to delete file WXY).
This is only a quick reference; if you need more explanation, please refer to the Sun ACL documentation on Sun's website.
2 Enabling ACL
On ZFS, ACLs are enabled by default. There are however several modes, and you need to choose the one that fits your usage.
You can see the current configuration, including the defaults, with the "zfs get all" command:
```
$ zfs get all zfs_volume
NAME        PROPERTY    VALUE       SOURCE
zfs_volume  type        filesystem  -
...
zfs_volume  aclmode     groupmask   default
zfs_volume  aclinherit  restricted  default
...
```
2.1 Inheritance mode
aclinherit - This property determines the behavior of ACL inheritance. Values include the following:
- discard - For new objects, no ACL entries are inherited when a file or directory is created. The ACL on the file or directory is equal to the permission mode of the file or directory.
- noallow - For new objects, only inheritable ACL entries that have an access type of deny are inherited.
- restricted - For new objects, the write_owner and write_acl permissions are removed when an ACL entry is inherited.
- passthrough - When property value is set to passthrough, files are created with a mode determined by the inheritable ACEs. If no inheritable ACEs exist that affect the mode, then the mode is set in accordance to the requested mode from the application.
- passthrough-x - Has the same semantics as passthrough, except that when passthrough-x is enabled, files are created with the execute (x) permission, but only if execute permission is set in the file creation mode and in an inheritable ACE that affects the mode.
The default mode for the aclinherit is restricted.
2.2 Rights on creation mode
aclmode - This property modifies ACL behavior when a file is initially created or whenever a file or directory's mode is modified by the chmod command. Values include the following:
- discard - All ACL entries are removed except for the entries needed to define the mode of the file or directory.
- groupmask - User or group ACL permissions are reduced so that they are no greater than the group permission bits, unless it is a user entry that has the same UID as the owner of the file or directory. Then, the ACL permissions are reduced so that they are no greater than owner permission bits.
- passthrough - During a chmod operation, ACEs other than owner@, group@, or everyone@ are not modified in any way. ACEs with owner@, group@, or everyone@ are disabled to set the file mode as requested by the chmod operation.
The default mode for the aclmode property is groupmask.
2.3 Changing mode
You can change the mode with commands like these:
```
zfs set aclmode=passthrough zfs_volume
zfs set aclinherit=passthrough zfs_volume
```
Simply choose the one you would like.
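To make the three aclmode values concrete, here is a small model of what each one does to the ACL when chmod sets a new mode. This is an added example, not code from the original page or from ZFS itself: it works at rwx granularity only (real ACEs carry the finer privilege bits listed later in this document), ignores deny entries, and the entry dicts, the constructed sample ACL and the helper names are this example's own assumptions.

```python
# Added example (not from the original page): a simplified model of the ZFS
# "aclmode" property. It applies the rules quoted in section 2.2 to a list of
# ACL entries when "chmod <mode>" is run. rwx granularity only; deny entries
# and the finer privilege bits are not modelled.

OWNER_UID = 1000  # constructed: UID of the owner of the sample file


def mode_to_rwx(mode):
    """Split an octal mode such as 0o750 into (owner, group, other) rwx strings."""
    def bits(n):
        return ("r" if n & 4 else "-") + ("w" if n & 2 else "-") + ("x" if n & 1 else "-")
    return bits((mode >> 6) & 7), bits((mode >> 3) & 7), bits(mode & 7)


def mask(perms, limit):
    """Keep only the rwx bits of `perms` that are also set in `limit`."""
    return "".join(p if p == l else "-" for p, l in zip(perms, limit))


def apply_aclmode(aclmode, acl, mode, owner_uid=OWNER_UID):
    """Return the ACL as it would look after `chmod <mode>` under the given aclmode.

    Each entry is a dict {"type": "user"|"group"|"owner@"|"group@"|"everyone@",
    "id": uid/gid or None, "perms": rwx string} (this example's own layout).
    """
    owner_bits, group_bits, other_bits = mode_to_rwx(mode)
    trivial = {"owner@": owner_bits, "group@": group_bits, "everyone@": other_bits}
    result = []
    for ace in acl:
        if ace["type"] in trivial:
            # owner@/group@/everyone@ always end up reflecting the new mode
            result.append({**ace, "perms": trivial[ace["type"]]})
        elif aclmode == "discard":
            continue  # every non-trivial entry is removed
        elif aclmode == "passthrough":
            result.append(dict(ace))  # non-trivial entries are left untouched
        elif aclmode == "groupmask":
            # reduced to the group bits, except an entry for the owner's own UID,
            # which is reduced to the owner bits
            is_owner = ace["type"] == "user" and ace["id"] == owner_uid
            limit = owner_bits if is_owner else group_bits
            result.append({**ace, "perms": mask(ace["perms"], limit)})
        else:
            raise ValueError("unknown aclmode %r" % aclmode)
    return result


def fmt(ace):
    """Render an entry as type[:id]:perms for readable comparison."""
    if ace["id"] is None:
        return "%s:%s" % (ace["type"], ace["perms"])
    return "%s:%s:%s" % (ace["type"], ace["id"], ace["perms"])


# Constructed sample: an extra user, an entry for the owner's own UID, and
# the three trivial entries, all currently rwx.
SAMPLE_ACL = [
    {"type": "user", "id": 1001, "perms": "rwx"},       # myuser
    {"type": "user", "id": OWNER_UID, "perms": "rwx"},  # the owner's own UID
    {"type": "owner@", "id": None, "perms": "rwx"},
    {"type": "group@", "id": None, "perms": "rwx"},
    {"type": "everyone@", "id": None, "perms": "rwx"},
]


def demo(mode=0o750):
    """Apply `chmod <mode>` to SAMPLE_ACL under each aclmode; returns {aclmode: [entries]}."""
    return {m: [fmt(a) for a in apply_aclmode(m, SAMPLE_ACL, mode)]
            for m in ("discard", "groupmask", "passthrough")}


if __name__ == "__main__":
    for name, entries in demo().items():
        print(name, entries)
```

Running it with chmod 750 shows the practical difference: discard keeps only owner@/group@/everyone@, groupmask cuts myuser down to r-x (the group bits) while the owner's own entry keeps rwx, and passthrough leaves both user entries at rwx even though the mode no longer says so.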
3 ACL Properties
3.1 Example
You should already be familiar with the ls command. To display the current ACL entries, use one of these options (choose whichever you prefer):
- ls -dv (verbose format, full privilege names)
- ls -dV (compact format, one letter per privilege)
3.2 Complete properties list
3.2.1 ACL Entry Types
ACL Entry Type | Global | Description |
---|---|---|
owner@ | yes | Specifies the access granted to the owner of the object. |
group@ | yes | Specifies the access granted to the owning group of the object. |
everyone@ | yes | Specifies the access granted to any user or group that does not match any other ACL entry. |
user | no | With a user name, specifies the access granted to an additional user of the object. Must include the ACL-entry-ID, which contains a username or userID. If the value is not a valid numeric UID or username, the ACL entry type is invalid. |
group | no | With a group name, specifies the access granted to an additional group of the object. Must include the ACL-entry-ID, which contains a groupname or groupID. If the value is not a valid numeric GID or groupname, the ACL entry type is invalid. |
3.2.2 ACL Access Privileges
Access Privilege | Compact Access Privilege | Description |
---|---|---|
add_file | w | Permission to add a new file to a directory. |
add_subdirectory | p | On a directory, permission to create a subdirectory. |
append_data | p | Placeholder. Not currently implemented. |
delete | d | Permission to delete a file. |
delete_child | D | Permission to delete a file or directory within a directory. |
execute | x | Permission to execute a file or search the contents of a directory. |
list_directory | r | Permission to list the contents of a directory. |
read_acl | c | Permission to read the ACL (ls). |
read_attributes | a | Permission to read basic attributes (non-ACLs) of a file. Think of basic attributes as the stat level attributes. Allowing this access mask bit means the entity can execute ls(1) and stat(2). |
read_data | r | Permission to read the contents of the file. |
read_xattr | R | Permission to read the extended attributes of a file or perform a lookup in the file's extended attributes directory. |
synchronize | s | Placeholder. Not currently implemented. |
write_xattr | W | Permission to create extended attributes or write to the extended attributes directory. Granting this permission to a user means that the user can create an extended attribute directory for a file. The attribute file's permissions control the user's access to the attribute. |
write_data | w | Permission to modify or replace the contents of a file. |
write_attributes | A | Permission to change the times associated with a file or directory to an arbitrary value. |
write_acl | C | Permission to write the ACL or the ability to modify the ACL by using the chmod command. |
write_owner | o | Permission to change the file's owner or group, i.e. the ability to run the chown or chgrp commands on the file. This covers taking ownership of a file, or changing the group ownership of the file to a group of which the user is a member. To change the file or group ownership to an arbitrary user or group, the PRIV_FILE_CHOWN privilege is required. |
3.2.3 ACL Inheritance Flags
Inheritance Flag | Compact Inheritance Flag | Description |
---|---|---|
file_inherit | f | Only inherit the ACL from the parent directory to the directory's files. |
dir_inherit | d | Only inherit the ACL from the parent directory to the directory's subdirectories. |
inherit_only | i | Inherit the ACL from the parent directory, but apply it only to newly created files or subdirectories and not to the directory itself. This flag requires the file_inherit flag, the dir_inherit flag, or both, to indicate what to inherit. |
no_propagate | n | Only inherit the ACL from the parent directory to the first-level contents of the directory, not the second-level or subsequent contents. This flag requires the file_inherit flag, the dir_inherit flag, or both, to indicate what to inherit. |
- | N/A | No permission granted. |
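The compact letters in the two tables above (sections 3.2.2 and 3.2.3) are what ls -V prints, one fixed position per privilege. The following added example, which is not code from the original page or from Solaris, decodes that compact format back into the verbose names and then flags entries that grant ACL-changing or ownership-changing rights to anyone other than owner@, which is the kind of check an auditor wants when reviewing ACLs. The sample ls -V output, the regular expression and the function names are this example's own assumptions.

```python
# Added example (not from the original page): decode the compact ACL format
# printed by "ls -V" into the verbose names from the tables above, and flag
# risky grants. The sample output below is constructed for this example.
import re

# Position i of the 14-character compact field corresponds to this letter.
COMPACT_PRIVS = "rwxpdDaARWcCos"
PRIV_NAMES = {
    "r": "read_data/list_directory", "w": "write_data/add_file",
    "x": "execute", "p": "append_data/add_subdirectory", "d": "delete",
    "D": "delete_child", "a": "read_attributes", "A": "write_attributes",
    "R": "read_xattr", "W": "write_xattr", "c": "read_acl", "C": "write_acl",
    "o": "write_owner", "s": "synchronize",
}
# Inheritance flags from the table above. Newer releases print extra
# positions in this field; any letter not listed here is kept as-is.
INHERIT_NAMES = {"f": "file_inherit", "d": "dir_inherit",
                 "i": "inherit_only", "n": "no_propagate"}

ENTRY_RE = re.compile(
    r"^\s*(?P<who>owner@|group@|everyone@|user:[^:]+|group:[^:]+)"
    r":(?P<privs>[rwxpdDaARWcCos-]{14})"
    r":(?P<inherit>[A-Za-z-]+)"
    r":(?P<kind>allow|deny)\s*$")

# Entries that let a subject rewrite the ACL or take the file over.
RISKY = {"write_acl", "write_owner"}


def parse_entry(line):
    """Parse one compact ACL line such as 'user:bob:r-x-----------:-------:allow'."""
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError("not a compact ACL entry: %r" % line)
    privs = [PRIV_NAMES[ch] for ch in m["privs"] if ch != "-"]
    inherit = [INHERIT_NAMES.get(ch, ch) for ch in m["inherit"] if ch != "-"]
    return {"who": m["who"], "privs": privs, "inherit": inherit, "kind": m["kind"]}


def parse_ls_v(output):
    """Parse 'ls -V' output: the first line is the usual ls line, the rest are ACL entries."""
    lines = output.strip().splitlines()
    return [parse_entry(line) for line in lines[1:]]


def risky_grants(entries):
    """(who, privilege) pairs for allow entries granting write_acl/write_owner to non-owner@ subjects."""
    return [(e["who"], p)
            for e in entries if e["kind"] == "allow" and e["who"] != "owner@"
            for p in e["privs"] if p in RISKY]


# Constructed sample output (this example's own; not captured from a real system).
SAMPLE_LS_V = """\
drwxr-x---+  2 root     root           4 Dec 25 12:08 directory
     user:myuser:r-x-----------:-------:allow
     user:backup:rwxpdDaARWcCos:fd-----:allow
          owner@:rwxp--aARWcCos:-------:allow
          group@:r-x---a-R-c--s:-------:allow
       everyone@:--------------:-------:allow
"""

if __name__ == "__main__":
    acl = parse_ls_v(SAMPLE_LS_V)
    for e in acl:
        print(e["who"], e["kind"], "/".join(e["privs"]), e["inherit"])
    print("risky:", risky_grants(acl))
```

On the sample, the backup user's entry is flagged twice (write_acl and write_owner): with either of those a subject can rewrite the ACL or take ownership, which is why an audit treats them differently from plain read or write data access.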
4 Rights Management
4.1 Adding rights
If I want to add rights on a folder or file, I need to chmod it:
```
$ chmod A+user:myuser:read_data/execute:allow directory
```
- A+ : A means use ACL and + means add
- user:myuser : add username (here myuser)
- read_data/execute:allow : allow these rights (read_data and execute)
- directory : the directory I want to change
If we list the ACL again, the user now appears with those rights.
For a faster way, you can use the compact letters:
```
$ chmod A+user:myuser:rx:allow directory
```
4.2 Deleting rights
Now if I want to delete the entry I just added, I need to remove it by its index (here ID 0):
```
$ chmod A0- directory
```
- A0- : A for ACL, 0 for ID 0 and - for deleting
The user's entry is now gone.
We can delete another entry simply by changing the number (e.g. A4-).
If we want to remove the ACL completely (all non-trivial entries):
```
$ chmod A- directory
```
4.3 Replacement
Now imagine my user is back on this directory and I want to replace an existing entry with another one:
```
$ chmod A0=user:myuser:execute:deny directory
```
I give the ID of the entry and ask to deny execute.
For a faster way, you can do:
```
$ chmod A0=user:myuser:x:deny directory
```
WARNING: DO NOT FORGET TO SPECIFY THE ID, OR IT WILL REPLACE ALL YOUR CURRENT ENTRIES WITH THIS SINGLE ONE
Now if I want to replace everything with my user only:
```
$ chmod A=user:myuser:read_data:allow directory
```
My user is now the only entry, and the owner no longer has any rights:
```
# ls -v directory
----------+  1 root     root        2455 Dec 25 12:08 directory
     0:user:myuser:read_data:allow
```
You can also reset the rights by running chmod the usual way:
```
$ chmod 755 directory
```
Now we can see the rights again.
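The A+, A<n>-, A-, A<n>= and A= forms used in sections 4.1 to 4.3 are easy to mix up, and the warning above is about exactly that. The following added example is a small model of that editing grammar (it is not code from the original page or from Solaris chmod) so the effect of a spec can be checked before it is typed on a real system. It tracks only the entry list and the index rules: A+ prepends, A<n>- removes entry n, A- removes every non-trivial entry, A<n>= replaces entry n and A= replaces the whole ACL. One simplification is an assumption of this model: a real A- rebuilds the trivial entries from the file's mode, which this model does not know, so it simply keeps whatever trivial entries exist. The sample ACL and helper names are this example's own.

```python
# Added example (not from the original page): a model of the chmod ACL
# editing specs used in section 4. Entries are kept as the raw strings
# you would pass to chmod; the sample ACL is constructed for this example.
import re

TRIVIAL = ("owner@", "group@", "everyone@")
SPEC_RE = re.compile(r"^A(?P<idx>\d*)(?P<op>[+\-=])(?P<entries>.*)$")


def check_entry(entry):
    """Minimal validation: an entry must end with :allow or :deny."""
    if entry.rsplit(":", 1)[-1] not in ("allow", "deny"):
        raise ValueError("entry must end with :allow or :deny: %r" % entry)
    return entry


def apply_spec(acl, spec):
    """Return a new ACL list after applying one spec such as 'A0-' or 'A+user:bob:rx:allow'."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError("bad ACL spec: %r" % spec)
    idx = int(m["idx"]) if m["idx"] else None
    op = m["op"]
    new = [check_entry(e) for e in m["entries"].split(",") if e]
    acl = list(acl)
    if op == "+":
        # A+ prepends (index 0); A<n>+ inserts at position n
        pos = 0 if idx is None else idx
        return acl[:pos] + new + acl[pos:]
    if op == "-":
        if new:
            return [e for e in acl if e not in new]     # A-<entries>: remove those entries
        if idx is None:
            # A-: drop every non-trivial entry (model assumption: trivial ones are kept as-is)
            return [e for e in acl if e.split(":", 1)[0] in TRIVIAL]
        del acl[idx]                                    # A<n>-: remove entry n
        return acl
    # op == "="
    if idx is None:
        return new              # A=: whole ACL replaced, owner@/group@/everyone@ included
    acl[idx:idx + 1] = new      # A<n>=: only entry n replaced
    return acl


# Constructed starting point: a trivial ACL as ls -V would show it for 755.
START = ["owner@:rwxp--aARWcCos:allow",
         "group@:r-x---a-R-c--s:allow",
         "everyone@:r-x---a-R-c--s:allow"]


def walk():
    """Replay the commands of sections 4.1 to 4.3; returns the ACL after each spec."""
    steps = ["A+user:myuser:read_data/execute:allow",
             "A0=user:myuser:x:deny",
             "A0-",
             "A+user:myuser:rx:allow",
             "A=user:myuser:read_data:allow"]
    out, acl = {}, START
    for spec in steps:
        acl = apply_spec(acl, spec)
        out[spec] = acl
    return out


if __name__ == "__main__":
    for spec, acl in walk().items():
        print("%-40s -> %s" % (spec, acl))
```

The last step of the replay reproduces the listing shown above: after A= without an index, only user:myuser remains and the owner@, group@ and everyone@ entries are gone, whereas A0= touches entry 0 alone.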
4.4 Inheritance
Remember that inheritance for files and directories depends on the aclinherit mode you have chosen. To add an inheritable entry, use this:
```
$ chmod A+user:myuser:read_data/execute:file_inherit:allow directory
```
This only works for files; use dir_inherit as well for directories.