1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Controlling Access to Devices (Tasks)
5. Using the Basic Audit Reporting Tool (Tasks)
6. Controlling Access to Files (Tasks)
Using UNIX Permissions to Protect Files
Commands for Viewing and Securing Files
Special File Permissions (setuid, setgid and Sticky Bit)
Using Access Control Lists to Protect UFS Files
ACL Entries for UFS Directories
Commands for Administering UFS ACLs
Preventing Executable Files From Compromising Security
Protecting Files With UNIX Permissions (Task Map)
How to Display File Information
How to Change the Owner of a File
How to Change Group Ownership of a File
How to Change File Permissions in Symbolic Mode
How to Change File Permissions in Absolute Mode
How to Change Special File Permissions in Absolute Mode
Protecting UFS Files With ACLs (Task Map)
How to Check if a File Has an ACL
How to Add ACL Entries to a File
How to Change ACL Entries on a File
Protecting Against Programs With Security Risk (Task Map)
How to Find Files With Special File Permissions
How to Disable Programs From Using Executable Stacks
7. Using the Automated Security Enhancement Tool (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Role-Based Access Control (Reference)
Part IV Oracle Solaris Cryptographic Services
13. Oracle Solaris Cryptographic Framework (Overview)
14. Oracle Solaris Cryptographic Framework (Tasks)
15. Oracle Solaris Key Management Framework
Part V Authentication Services and Secure Communication
16. Using Authentication Services (Tasks)
19. Using Solaris Secure Shell (Tasks)
20. Solaris Secure Shell (Reference)
21. Introduction to the Kerberos Service
22. Planning for the Kerberos Service
23. Configuring the Kerberos Service (Tasks)
24. Kerberos Error Messages and Troubleshooting
25. Administering Kerberos Principals and Policies (Tasks)
26. Using Kerberos Applications (Tasks)
27. The Kerberos Service (Reference)
Part VII Oracle Solaris Auditing
28. Oracle Solaris Auditing (Overview)
29. Planning for Oracle Solaris Auditing
30. Managing Solaris Auditing (Tasks)
The following task map points to procedures that list the ACLs on a UFS file, change the ACLs, and copy the ACLs to another file.
|
% ls -l filename
where filename specifies the file or directory.
In the output, a plus sign (+) to the right of the mode field indicates that the file has an ACL.
Example 6-6 Checking if a File Has an ACL
In the following example, the ch1.sgm file has an ACL. The ACL is indicated by the plus sign (+) to the right of the mode field.
% ls -l ch1.sgm -rwxr-----+ 1 stacey techpubs 167 Nov 11 11:13 ch1.sgm
% setfacl -s user::perms,group::perms,other:perms,mask:perms,acl-entry-list filename ...
Sets an ACL on the file. If a file already has an ACL, it is replaced. This option requires at least the user::, group::, and other:: entries.
Specifies the file owner permissions.
Specifies the group ownership permissions.
Specifies the permissions for users other than the file owner or members of the group.
Specifies the permissions for the ACL mask. The mask indicates the maximum permissions that are allowed for users (other than the owner) and for groups.
Specifies the list of one or more ACL entries to set for specific users and groups on the file or directory. You can also set default ACL entries on a directory. Table 6-7 and Table 6-8 show the valid ACL entries.
Specifies one or more files or directories on which to set the ACL. Multiple filenames are separated by spaces.
Caution - If an ACL already exists on the file, the -s option replaces the entire ACL with the new ACL. |
For more information, see the setfacl(1) man page.
% getfacl filename
For more information, see How to Check if a File Has an ACL.
Example 6-7 Setting an ACL on a File
In the following example, the file owner permissions are set to read and write, file group permissions are set to read only, and other permissions are set to none on the ch1.sgm file. In addition, the user anusha is given read and write permissions on the file. The ACL mask permissions are set to read and write, which means that no user or group can have execute permissions.
% setfacl -s user::rw-,group::r--,other:---,mask:rw-,user:anusha:rw- ch1.sgm % ls -l total 124 -rw-r-----+ 1 stacey techpubs 34816 Nov 11 14:16 ch1.sgm -rw-r--r-- 1 stacey techpubs 20167 Nov 11 14:16 ch2.sgm -rw-r--r-- 1 stacey techpubs 8192 Nov 11 14:16 notes % getfacl ch1.sgm # file: ch1.sgm # owner: stacey # group: techpubs user::rw- user:anusha:rw- #effective:rw- group::r-- #effective:r-- mask:rw- other:---
In the following example, the file owner permissions are set to read, write, and execute, file group permissions are set to read only, other permissions are set to none. In addition, the ACL mask permissions are set to read on the ch2.sgm file. Finally, the user anusha is given read and write permissions. However, due to the ACL mask, the permissions for anusha are read only.
% setfacl -s u::7,g::4,o:0,m:4,u:anusha:7 ch2.sgm % getfacl ch2.sgm # file: ch2.sgm # owner: stacey # group: techpubs user::rwx user:anusha:rwx #effective:r-- group::r-- #effective:r-- mask:r-- other:---
% getfacl filename1 | setfacl -f - filename2
Specifies the file from which to copy the ACL.
Specifies the file on which to set the copied ACL.
Example 6-8 Copying an ACL
In the following example, the ACL on ch2.sgm is copied to ch3.sgm.
% getfacl ch2.sgm | setfacl -f - ch3.sgm
% setfacl -m acl-entry-list filename ...
Modifies the existing ACL entry.
Specifies the list of one or more ACL entries to modify on the file or directory. You can also modify default ACL entries on a directory. Table 6-7 and Table 6-8 show the valid ACL entries.
Specifies one or more files or directories, separated by a space.
% getfacl filename
Example 6-9 Modifying ACL Entries on a File
In the following example, the permissions for the user anusha are modified to read and write.
% setfacl -m user:anusha:6 ch3.sgm % getfacl ch3.sgm # file: ch3.sgm # owner: stacey # group: techpubs user::rw- user::anusha:rw- #effective:r-- group::r- #effective:r-- mask:r-- other:r-
In the following example, the default permissions for the group staff are modified to read on the book directory. In addition, the default ACL mask permissions are modified to read and write.
% setfacl -m default:group:staff:4,default:mask:6 book
% setfacl -d acl-entry-list filename ...
Deletes the specified ACL entries.
Specifies the list of ACL entries (without specifying the permissions) to delete from the file or directory. You can only delete ACL entries and default ACL entries for specific users and groups. Table 6-7 and Table 6-8 show the valid ACL entries.
Specifies one or more files or directories, separated by a space.
Alternatively, you can use the setfacl -s command to delete all the ACL entries on a file and replace them with the new ACL entries that are specified.
% getfacl filename
Example 6-10 Deleting ACL Entries on a File
In the following example, the user anusha is deleted from the ch4.sgm file.
% setfacl -d user:anusha ch4.sgm
% getfacl [-a | -d] filename ...
Displays the file name, file owner, file group, and ACL entries for the specified file or directory.
Displays the file name, file owner, file group, and the default ACL entries, if they exist, for the specified directory.
Specifies one or more files or directories, separated by a space.
If you specify multiple file names on the command line, the ACL entries are displayed with a blank line between each entry.
Example 6-11 Displaying ACL Entries for a File
In the following example, all the ACL entries for the ch1.sgm file are displayed. The #effective: note beside the user and group entries indicates what the permissions are after being modified by the ACL mask.
% getfacl ch1.sgm # file: ch1.sgm # owner: stacey # group: techpubs user::rw- user:anusha:r- #effective:r-- group::rw- #effective:rw- mask:rw- other:---
In the following example, the default ACL entries for the book directory are displayed.
% getfacl -d book # file: book # owner: stacey # group: techpubs user::rwx user:anusha:r-x #effective:r-x group::rwx #effective:rwx mask:rwx other:--- default:user::rw- default:user:anusha:r-- default:group::rw- default:mask:rw- default:other:---