ACL: Implementing NT-Style Permissions on Solaris
Introduction
With respect to a computer filesystem, an access control list (ACL) is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed to be performed on given objects. In a typical ACL, each entry in the list specifies a subject and an operation (e.g. the entry (Alice, delete) on the ACL for file WXY gives Alice permission to delete file WXY).
This documentation is a quick reference. If you need more detailed explanations, please refer to the SUN ACL documentation on their website.
Enabling ACL
By default, on ZFS, ACLs are automatically enabled. However, there are different modes to choose from based on your usage requirements.
You can see the current default configuration with the “zfs get all” command:
|
|
Inheritance mode
aclinherit - This property determines the behavior of ACL inheritance. Values include the following:
- discard - For new objects, no ACL entries are inherited when a file or directory is created. The ACL on the file or directory is equal to the permission mode of the file or directory.
- noallow - For new objects, only inheritable ACL entries that have an access type of deny are inherited.
- restricted - For new objects, the write_owner and write_acl permissions are removed when an ACL entry is inherited.
- passthrough - When property value is set to passthrough, files are created with a mode determined by the inheritable ACEs. If no inheritable ACEs exist that affect the mode, then the mode is set in accordance to the requested mode from the application.
- passthrough-x - Has the same semantics as passthrough, except that when passthrough-x is enabled, files are created with the execute (x) permission, but only if execute permission is set in the file creation mode and in an inheritable ACE that affects the mode.
The default mode for the aclinherit is restricted.
Rights on creation mode
aclmode - This property modifies ACL behavior when a file is initially created or whenever a file or directory’s mode is modified by the chmod command. Values include the following:
- discard - All ACL entries are removed except for the entries needed to define the mode of the file or directory.
- groupmask - User or group ACL permissions are reduced so that they are no greater than the group permission bits, unless it is a user entry that has the same UID as the owner of the file or directory. Then, the ACL permissions are reduced so that they are no greater than owner permission bits.
- passthrough - During a chmod operation, ACEs other than owner@, group@, or everyone@ are not modified in any way. ACEs with owner@, group@, or everyone@ are disabled to set the file mode as requested by the chmod operation.
The default mode for the aclmode property is groupmask.
Changing mode
You can change mode with commands like these:
|
|
Simply choose the one you prefer for your needs.
ACL Properties
Example
You can use the ls command with special arguments to see current ACL rights. Choose the format that’s easier for you to read.
- ls -dv:
|
|
- ls -dV:
|
|
Complete properties list
ACL Entry Types
ACL Entry Type | Global | Description |
---|---|---|
owner@ | yes | Specifies the access granted to the owner of the object. |
group@ | yes | Specifies the access granted to the owning group of the object. |
everyone@ | yes | Specifies the access granted to any user or group that does not match any other ACL entry. With a user name, specifies the access granted to an additional user of the object. |
user | no | Must include the ACL-entry-ID, which contains a username or userID. If the value is not a valid numeric UID or username, the ACL entry type is invalid. |
group | no | Must include the ACL-entry-ID, which contains a groupname or groupID. If the value is not a valid numeric GID or groupname, the ACL entry type is invalid. |
ACL Access Privileges
Access Privilege | Compact Access Privilege | Description |
---|---|---|
add_file | w | Permission to add a new file to a directory. |
add_subdirectory | p | On a directory, permission to create a subdirectory. |
append_data | p | Placeholder. Not currently implemented. |
delete | d | Permission to delete a file. |
delete_child | D | Permission to delete a file or directory within a directory. |
execute | x | Permission to execute a file or search the contents of a directory. |
list_directory | r | Permission to list the contents of a directory. |
read_acl | c | Permission to read the ACL (ls). |
read_attributes | a | Permission to read basic attributes (non-ACLs) of a file. |
read_data | r | Permission to read the contents of the file. |
read_xattr | R | Permission to read the extended attributes of a file or perform a lookup in the file’s extended attributes directory. |
synchronize | s | Placeholder. Not currently implemented. |
write_xattr | W | Permission to create extended attributes or write to the extended attributes directory. |
write_data | w | Permission to modify or replace the contents of a file. |
write_attributes | A | Permission to change the times associated with a file or directory to an arbitrary value. |
write_acl | C | Permission to write the ACL or the ability to modify the ACL by using the chmod command. |
write_owner | o | Permission to change the file’s owner or group. |
ACL Inheritance Flags
Inheritance Flag | Compact Inheritance Flag | Description |
---|---|---|
file_inherit | f | Only inherit the ACL from the parent directory to the directory’s files. |
dir_inherit | d | Only inherit the ACL from the parent directory to the directory’s subdirectories. |
inherit_only | i | Inherit the ACL from the parent directory but applies only to newly created files or subdirectories and not the directory itself. |
no_propagate | n | Only inherit the ACL from the parent directory to the first-level contents of the directory, not the second-level or subsequent contents. |
- | N/A | No permission granted. |
Rights Management
Adding rights
To add rights to a folder or file using ACLs:
|
|
- A+: A means use ACL and + means add
- user:myuser: add username (here myuser)
- read_data/execute:allow: allowing these rights
- directory: the directory to change
You can verify the user has been added with their rights:
|
|
For a faster alternative, you can use:
|
|
Deleting rights
To remove the previously added user (ID 0):
|
|
- A0-: A for ACL, 0 for ID 0, and - for deleting
Verify the user has been removed:
|
|
You can delete another right by changing the number (e.g., A4-).
To completely remove all ACLs:
|
|
Replacement
To replace an existing right with another:
|
|
This changes the specified ACL entry (ID 0) to deny execute permission for myuser.
For a faster alternative:
|
|
To replace all rights with only one user permission:
|
|
This removes all other rights, including owner permissions:
|
|
You can also reset rights using standard chmod:
|
|
This restores the standard permission set with ACLs.
Inheritance
Remember that file and directory inheritance depends on the ACL mode you’ve chosen. To add inheritance:
|
|
This works only for files. Use dir_inherit for directories.
References
Last updated 10 Feb 2010, 13:13 +0200.