Using Access Control Lists to Protect Files
Traditional UNIX file protection provides read, write, and execute permissions for the three user classes: file owner, file group, and other. An access control list (ACL) provides better file security by enabling you to do the following:
-
Define file permissions for the file owner, the group, other, specific users and groups
-
Define default permissions for each of the preceding categories
For example, if you want everyone in a group to be able to read a file, you can simply grant group read permissions on that file. Now, assume that you want only one person in the group to be able to write to that file. Standard UNIX does not provide that level of file security. However, an ACL provides this level of file security.
ACL entries define an ACL on a file. The entries are set through the setfacl command. ACL entries consist of the following fields separated by colons:
entry-type:[uid|gid]:perms |
- entry-type
-
Is the type of ACL entry on which to set file permissions. For example, entry-type can be user (the owner of a file) or mask (the ACL mask). For a listing of ACL entries, see Table 7–7 and Table 7–8.
- uid
-
Is the user name or user ID (UID).
- gid
-
Is the group name or group ID (GID).
- perms
-
Represents the permissions that are set on entry-type. perms can be indicated by the symbolic characters rwx or an octal number. These are the same numbers that are used with the chmod command.
In the following example, an ACL entry sets read and write permissions for the user stacey.
user:stacey:rw- |
Caution – UFS file system attributes such as ACLs are supported in UFS file systems only. Thus, if you restore or copy files with ACL entries into the /tmp directory, which is usually mounted as a TMPFS file system, the ACL entries will be lost. Use the /var/tmp directory for temporary storage of UFS files.
ACL Entries for Files
The following table lists the valid ACL entries that you might use when setting ACLs on files. The first three ACL entries provide the basic UNIX file protection.
Table 7–7 ACL Entries for Files|
ACL Entry |
Description |
|---|---|
|
u[ser]::perms |
File owner permissions. |
|
g[roup]::perms |
File group permissions. |
|
o[ther]:perms |
Permissions for users other than the file owner or members of the file group. |
|
m[ask]:perms |
The ACL mask. The mask entry indicates the maximum permissions that are allowed for users (other than the owner) and for groups. The mask is a quick way to change permissions on all the users and groups. For example, the mask:r-- mask entry indicates that users and groups cannot have more than read permissions, even though they might have write and execute permissions. |
|
u[ser]:uid:perms |
Permissions for a specific user. For uid, you can specify either a user name or a numeric UID. |
|
g[roup]:gid:perms |
Permissions for a specific group. For gid, you can specify either a group name or a numeric GID. |
ACL Entries for Directories
In addition to the ACL entries that are described in Table 7–7, you can set default ACL entries on a directory. Files or directories created in a directory that has default ACL entries will have the same ACL entries as the default ACL entries. Table 7–8 lists the default ACL entries for directories.
When you set default ACL entries for specific users and groups on a directory for the first time, you must also set default ACL entries for the file owner, file group, others, and the ACL mask. These entries are required. They are the first four default ACL entries in the following table.
Table 7–8 Default ACL Entries for Directories|
Default ACL Entry |
Description |
|---|---|
|
d[efault]:u[ser]::perms |
Default file owner permissions. |
|
d[efault]:g[roup]::perms |
Default file group permissions. |
|
d[efault]:o[ther]:perms |
Default permissions for users other than the file owner or members of the file group. |
|
d[efault]:m[ask]:perms |
Default ACL mask. |
|
d[efault]:u[ser]:uid:perms |
Default permissions for a specific user. For uid, you can specify either a user name or a numeric UID. |
|
d[efault]:g[roup]:gid:perms |
Default permissions for a specific group. For gid, you can specify either a group name or a numeric GID. |
Commands for Administering ACLs
The following commands administer ACLs on files or directories.
- setfacl command
-
Sets, adds, modifies, and deletes ACL entries. For more information, see the setfacl(1) man page.
- getfacl command
-
Displays ACL entries. For more information, see the getfacl(1) man page.
- © 2010, Oracle Corporation and/or its affiliates