Skip Navigation Links | |
Exit Print View | |
Sun QFS File System 5.3 Configuration and Administration Guide Sun QFS and Sun Storage Archive Manager 5.3 Information Library |
2. About the Master Configuration File
4. Configuring the File System
5. Configuring a Shared File System
6. Administering File System Quotas
7. Advanced File System Topics
Getting Started With the Oracle Solaris SMB Service
Using ACLs to Protect Sun QFS and SAM-QFS Files
Mapping User and Group Identities in SAM-QFS
Creating and Converting File Systems to Support NFSv4 ACLs
9. Configuring WORM-FS File Systems
11. Using QFS File Systems with SANergy (SAN-QFS)
Previous versions of Oracle Solaris supported an ACL implementation that was primarily based on the POSIX-draft ACL specification. The POSIX-draft based ACLs are used to protect UFS files and are translated by versions of NFS prior to NFSv4.
With the introduction of NFSv4, a new Oracle Solaris ACL model fully supports the interoperability that NFSv4 offers between UNIX and non-UNIX clients. The new ACL implementation, as defined in the NFSv4 specification, provides much richer semantics that are based on NT-style ACLs.
The main differences of the new ACL model are as follows:
Based on the NFSv4 specification and similar to NT-style ACLs.
Provide much more granular set of access privileges. For more information, see Table 8-3.
Set and displayed with the chmod and ls commands rather than the setfacl and getfacl commands.
Provide richer inheritance semantics for designating how access privileges are applied. For more information, see ACL Inheritance.
Both ACL models provide more fine-grained access control than is available with the standard file permissions. Much like POSIX-draft ACLs, the new ACLs are composed of multiple Access Control Entries (ACEs).
POSIX-draft style ACLs use a single entry to define what permissions are allowed and what permissions are denied. The new ACL model has two types of ACEs that affect access checking: ALLOW and DENY. As such, you cannot infer from any single ACE that defines a set of permissions whether the permissions not defined in that ACE are allowed or denied.
For more information about the new Oracle Solaris ACL model, see New Solaris ACL Model in Oracle Solaris Administration: ZFS File Systems.
Currently, SAM-QFS does not support ephemeral IDs or SIDs. Therefore, all Windows identities must be explicitly defined using the idmap service or must be provided by the active directory service. Identities encountered by the SMB server that do not have an explicit mapping defined will be defaulted automatically to the nobody identity.
For more information about identity mapping administration, see Chapter 2, Identity Mapping Administration (Tasks), in Oracle Solaris Administration: SMB and Windows Interoperability.
POSIX ACLs are the default ACLs present in the SAM-QFS file systems. In order to support the SMB service, SAM-QFS file systems also have to support NFSv4 ACLs.
Use the sammkfs -A command to create a file system with NFSv4 ACLs. For example, to create a file system, sqfs1, with NFSv4 ACLs:
# sammkfs -A -S sqfs1
For more information about the -A option in the sammkfs command, see sammkfs(1M) in Sun QFS and Sun Storage Archive Manager 5.3 Reference Manual.
Use the samfsck -A command to convert existing POSIX ACLs to NFSv4 ACLs. For example, to convert from POSIX ACLS to NFSv4 ACLs on an existing file system, sqfs2:
# samfsck -F -A sqfs2
Note - The conversion from POSIX ACLS to NFSv4 cannot be reversed. The conversion applies only to file systems versions V2 or V2A.
For more information about the -A option in the samfsck command, see samfsck(1M) in Sun QFS and Sun Storage Archive Manager 5.3 Reference Manual.
Two basic ACL formats are provided as follows:
Syntax for Setting Trivial ACLs
chmod [options] A[index]{+|=}owner@ |group@ |everyone@:access-permissions/...[:inheritance-flags]:deny | allow file
chmod [options] A-owner@, group@, everyone@:access-permissions/...[:inheritance-flags]:deny | allow file ...
chmod [options] A[index]- file
Syntax for Setting Non-Trivial ACLs
chmod [options] A[index]{+|=}user|group:name:access-permissions/...[:inheritance-flags]:deny | allow file
chmod [options] A-user|group:name:access-permissions/...[:inheritance-flags]:deny | allow file ...
chmod [options] A[index]- file
Identifies the ACL-entry-type for trivial ACL syntax. For a description of ACL-entry-types, see Table 8-2.
Identifies the ACL-entry-type for explicit ACL syntax. The user and group ACL-entry-type must also contain the ACL-entry-ID, username or groupname. For a description of ACL-entry-types, see Table 8-2.
Identifies the access permissions that are granted or denied. For a description of ACL access privileges, see Table 8-3.
Identifies an optional list of ACL inheritance flags. For a description of the ACL inheritance flags, see Table 8-4.
Identifies whether the access permissions are granted or denied.
In the following example, the ACL-entry-ID value is not relevant.
group@:write_data/append_data/execute:deny
The following example includes an ACL-entry-ID because a specific user (ACL-entry-type) is included in the ACL.
0:user:gozer:list_directory/read_data/execute:allow
When an ACL entry is displayed, it looks similar to the following:
2:group@:write_data/append_data/execute:deny
The 2 or the index-ID designation in this example identifies the ACL entry in the larger ACL, which might have multiple entries for owner, specific UIDs, group, and everyone. You can specify the index-ID with the chmod command to identify which part of the ACL you want to modify. For example, you can identify index ID 3 as A3 to the chmod command, similar to the following:
chmod A3=user:venkman:read_acl:allow filename
ACL entry types, which are the ACL representations of owner, group, and other, are described in the following table.
Table 8-2 ACL Entry Type
|
ACL access privileges are described in the following table.
Table 8-3 ACL Access Privileges
|
Example 8-3 Modifying Trivial ACLs on SAM-QFS Files
In the following example, a trivial ACL exists on file.1:
# ls -v file.1 -rw-r--r-- 1 root root 206674 Jun 14 10:54 file.1 0:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 1:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 2:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize :allow
The purpose of using ACL inheritance is so that a newly created file or directory can inherit the appropriate ACLs without disregarding the existing permission bits on the parent directory.
By default, ACLs are not propagated. If you set a non-trivial ACL on a directory, it is not inherited to any subsequent directory. You must specify the inheritance of an ACL on a file or directory.
The optional inheritance flags are described in the following table.
Table 8-4 ACL Inheritance Flags
|
By default, ACLs are not propagated through a directory structure.
Example 8-4 Granting Default ACL Inheritance
In the following example, a non-trivial ACE of read_data/write_data/execute is applied for user gozer on test.dir.
# chmod A+user:gozer:read_data/write_data/execute:allow test.dir # ls -dv test.dir drwxr-xr-x+ 2 root root 2 Jun 15 10:40 test.dir 0:user:gozer:list_directory/read_data/add_file/write_data/execute:allow 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/read_attributes /write_attributes/read_acl/write_acl/write_owner/synchronize:allow 2:group@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow 3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow
If a test.dir subdirectory is created, the ACE for user gozer is not propagated. User gozer would only have access to sub.dir if the permissions on sub.dir granted him access as the file owner, group member, or everyone@.
# mkdir test.dir/sub.dir # ls -dv test.dir/sub.dir drwxr-xr-x 2 root root 2 Jun 15 10:41 test.dir/sub.dir 0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/read_attributes /write_attributes/read_acl/write_acl/write_owner/synchronize:allow 1:group@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow 2:everyone@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow
Example 8-5 Granting ACL Inheritance on Files Within Directories
In the following example, certain permissions are applied to all the newly created files in a directory but the permissions do not apply to the directory itself. The file_inherit flag indicates that the permissions are for the files, and the inherit_only flag indicates that the permissions are for inheritance and will not apply to the directory itself.
# chmod A+user:bob:read_data/execute:file_inherit/inherit_only:deny mydir # ls -vd mydir dr-xr-xr-x+ 2 root root 4096 Jul 5 19:10 mydir 0:user:bob:list_directory/read_data/execute:file_inherit/inherit_only:deny 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory /append_data/read_xattr/write_xattr/execute/delete_child /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 2:group@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow 3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:allow
If a myfile file is created in the mydir directory, the myfile file will inherit all the access permissions automatically.
# cd mydir # touch myfile # ls -v myfile -r--r--r--+ 1 root root 0 Jul 5 19:11 myfile 0:user:bob:read_data/execute:file_inherit/inherit_only:deny 1:owner@:read_data/write_data/append_data/read_xattr/write_xattr /read_attributes/write_attributes/read_acl/write_acl/write_owner /synchronize:allow 2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow 3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow