System Administration Guide: Security Services     Oracle Solaris 10 1/13 Information Library

Using Access Control Lists to Protect UFS Files

Traditional UNIX file protection provides read, write, and execute permissions for the three user classes: file owner, file group, and other. In a UFS file system, an access control list (ACL) provides better file security by letting you define file permissions for the file owner, the file group, other, and for specific users and groups, and by letting you define default permissions for each of these categories on a directory.

Note - For ACLs in the ZFS file system and ACLs on NFSv4 files, see Chapter 7, Using ACLs and Attributes to Protect Oracle Solaris ZFS Files, in Oracle Solaris ZFS Administration Guide.
For example, if you want everyone in a group to be able to read a file, you can simply grant group read permissions on that file. Now, assume that you want only one person in the group to be able to write to that file. Standard UNIX does not provide that level of file security. However, an ACL provides this level of file security.

On a UFS file system, ACL entries are set on a file through the setfacl command. UFS ACL entries consist of the following fields separated by colons:

entry-type:[uid|gid]:perms

entry-type

Is the type of ACL entry on which to set file permissions. For example, entry-type can be user (the owner of a file) or mask (the ACL mask). For a listing of ACL entries, see Table 6-7 and Table 6-8.

uid

Is the user name or user ID (UID).

gid

Is the group name or group ID (GID).

perms

Represents the permissions that are set on entry-type. perms can be indicated by the symbolic characters rwx or an octal number. These are the same numbers that are used with the chmod command.

In the following example, an ACL entry sets read and write permissions for the user stacey.

user:stacey:rw-

Caution - UFS file system attributes such as ACLs are supported in UFS file systems only. Thus, if you restore or copy files with ACL entries into the /tmp directory, which is usually mounted as a TMPFS file system, the ACL entries will be lost. Use the /var/tmp directory for temporary storage of UFS files.


ACL Entries for UFS Files

The following table lists the valid ACL entries that you might use when setting ACLs on files. The first three ACL entries provide the basic UNIX file protection.

Table 6-7 ACL Entries for UFS Files

u[ser]::perms

File owner permissions.

g[roup]::perms

File group permissions.

o[ther]:perms

Permissions for users other than the file owner or members of the file group.

m[ask]:perms

The ACL mask. The mask entry indicates the maximum permissions that are allowed for users (other than the owner) and for groups. The mask is a quick way to change permissions on all the users and groups.

For example, the mask:r-- mask entry indicates that users and groups cannot have more than read permission, even though their entries state that they have write and execute permissions.

u[ser]:uid:perms

Permissions for a specific user. For uid, you can specify either a user name or a numeric UID.

g[roup]:gid:perms

Permissions for a specific group. For gid, you can specify either a group name or a numeric GID.

ACL Entries for UFS Directories

In addition to the ACL entries that are described in Table 6-7, you can set default ACL entries on a directory. Files or directories created in a directory that has default ACL entries inherit those default entries as their own ACL entries. Table 6-8 lists the default ACL entries for directories.

When you set default ACL entries for specific users and groups on a directory for the first time, you must also set default ACL entries for the file owner, file group, others, and the ACL mask. These entries are required. They are the first four default ACL entries in the following table.

Table 6-8 Default ACL Entries for UFS Directories

d[efault]:u[ser]::perms

Default file owner permissions.

d[efault]:g[roup]::perms

Default file group permissions.

d[efault]:o[ther]:perms

Default permissions for users other than the file owner or members of the file group.

d[efault]:m[ask]:perms

Default ACL mask.

d[efault]:u[ser]:uid:perms

Default permissions for a specific user. For uid, you can specify either a user name or a numeric UID.

d[efault]:g[roup]:gid:perms

Default permissions for a specific group. For gid, you can specify either a group name or a numeric GID.
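The entry syntax above, the mask rule from Table 6-7 and the four required default entries from Table 6-8 are easy to get wrong when writing setfacl arguments by hand. The following added example (written for this page; it is not Oracle's code and does not call setfacl or getfacl) models those rules: it parses entry-type:[uid|gid]:perms strings in both the abbreviated and long spellings, works out what a given user ends up with once the mask is applied, reports which required default entries a directory ACL still lacks, and shows the entries a new file would inherit. The users alice, stacey, bob and carol and the groups staff and guests are constructed sample data; how matching group entries are combined is a modelling choice noted in the code.

```python
"""UFS-style ACL entry model (added example, not code from Oracle or Solaris).

Parses entries in the entry-type:[uid|gid]:perms form, applies the ACL mask
as the text describes, and checks the four default entries a directory's
ACL must carry. All user and group names used are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

PERM_BITS = {"r": 4, "w": 2, "x": 1}           # same numbering chmod uses
TYPE_ALIASES = {"u": "user", "user": "user", "g": "group", "group": "group",
                "o": "other", "other": "other", "m": "mask", "mask": "mask"}
# First four rows of Table 6-8: required once any default entry names a
# specific user or group.
REQUIRED_DEFAULTS: Set[Tuple[str, Optional[str]]] = {
    ("user", None), ("group", None), ("other", None), ("mask", None)}


@dataclass(frozen=True)
class AclEntry:
    default: bool         # True for d[efault]: entries set on a directory
    kind: str             # user, group, other or mask
    name: Optional[str]   # uid/gid of a named entry; None for owner, file group, other, mask
    perms: int            # rwx as a 3-bit value


def parse_perms(perms: str) -> int:
    """Accept the symbolic form (rw-) or one octal digit (6), as setfacl does."""
    if perms.isdigit():
        if len(perms) != 1 or int(perms) > 7:
            raise ValueError(f"octal perms out of range: {perms!r}")
        return int(perms)
    if len(perms) != 3 or any(c not in (want, "-") for c, want in zip(perms, "rwx")):
        raise ValueError(f"bad perms: {perms!r}")
    return sum(PERM_BITS[c] for c in perms if c != "-")


def format_perms(bits: int) -> str:
    """Inverse of parse_perms, for getfacl-style display."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_entry(text: str) -> AclEntry:
    """Parse one entry such as user:stacey:rw-, m:r--, o:r-- or d:g:staff:r-x."""
    fields = text.strip().split(":")
    default = fields[0] in ("d", "default")
    if default:
        fields = fields[1:]
    if not fields or fields[0] not in TYPE_ALIASES:
        raise ValueError(f"unknown entry type in {text!r}")
    kind = TYPE_ALIASES[fields[0]]
    if kind in ("other", "mask"):            # these two carry no uid/gid field
        if len(fields) != 2:
            raise ValueError(f"{kind} entries carry no uid/gid: {text!r}")
        return AclEntry(default, kind, None, parse_perms(fields[1]))
    if len(fields) != 3:
        raise ValueError(f"expected entry-type:[uid|gid]:perms, got {text!r}")
    return AclEntry(default, kind, fields[1] or None, parse_perms(fields[2]))


def parse_acl(spec: str) -> List[AclEntry]:
    """Parse a comma-separated entry list, the form setfacl -m and -s take."""
    return [parse_entry(e) for e in spec.split(",") if e.strip()]


def effective_perms(acl: Iterable[AclEntry], user: str, groups: Set[str],
                    owner: str, owning_group: str) -> int:
    """Permissions `user` ends up with on a file owned by owner:owning_group.

    The mask caps every entry except the owner's and other's, as the text
    states. Matching group entries are combined as a union here; that is a
    modelling choice, not a claim about the kernel's exact check order.
    """
    by_key: Dict[Tuple[str, Optional[str]], int] = {
        (e.kind, e.name): e.perms for e in acl if not e.default}
    mask = by_key.get(("mask", None), 7)     # no mask entry: nothing is capped
    if user == owner:
        return by_key.get(("user", None), 0)
    if ("user", user) in by_key:
        return by_key[("user", user)] & mask
    candidates = [("group", g) for g in groups]
    if owning_group in groups:
        candidates.append(("group", None))
    hits = [by_key[k] for k in candidates if k in by_key]
    if hits:
        bits = 0
        for h in hits:
            bits |= h
        return bits & mask
    return by_key.get(("other", None), 0)


def missing_default_entries(acl: Iterable[AclEntry]) -> Set[Tuple[str, Optional[str]]]:
    """Required default entries a directory ACL still lacks.

    Enforced once a default entry for a specific user or group exists, which
    is when the text says the owner, group, other and mask defaults must be set.
    """
    defaults = {(e.kind, e.name) for e in acl if e.default}
    if not any(name for _, name in defaults):
        return set()
    return REQUIRED_DEFAULTS - defaults


def inherited_acl(dir_acl: Iterable[AclEntry]) -> List[AclEntry]:
    """ACL a new file gets in the directory: its default entries, as access entries."""
    return [AclEntry(False, e.kind, e.name, e.perms) for e in dir_acl if e.default]


def format_entry(e: AclEntry) -> str:
    """Render an entry in the long spelling getfacl prints."""
    parts = ["default"] if e.default else []
    parts.append(e.kind)
    if e.kind in ("user", "group"):
        parts.append(e.name or "")
    parts.append(format_perms(e.perms))
    return ":".join(parts)


if __name__ == "__main__":
    # Constructed sample: file owned by alice:staff, stacey granted rw- under a mask of r--.
    acl = parse_acl("u::rwx,g::r--,o:---,m:r--,u:stacey:rw-")
    for entry in acl:
        print(format_entry(entry))
    print("stacey gets:", format_perms(effective_perms(acl, "stacey", {"guests"}, "alice", "staff")))
```

Running the module prints the sample ACL in getfacl's spelling and shows stacey ending up with r-- despite her rw- entry, which is exactly the mask:r-- case the table describes; raising the mask to rw- with a second setfacl -m is what would restore her write access.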

Commands for Administering UFS ACLs

The following commands administer ACLs on UFS files or directories.

setfacl command

Sets, adds, modifies, and deletes ACL entries. For more information, see the setfacl(1) man page.

getfacl command

Displays ACL entries. For more information, see the getfacl(1) man page.