
8/3/2015

Using Solaris ACLs

Overview

An ACL (Access Control List) facility is available on disk partitions hosted on servers running Solaris OS. [Note: As of January 2002, the home file systems have been moved to a Network Appliance Filer. While providing increased performance and capacity, it does not currently support Solaris ACLs; users depending on this feature should contact the Lab Staff. This deficiency is expected to be remedied when NFSv4 is released.]


Solaris ACLs (Access Control Lists)

If you need more complex file permissions than the standard UNIX permissions allow for, you may want to consider using Access Control Lists (ACLs) under Solaris. These allow you to set permissions on your files and directories to grant or deny access to arbitrary combinations of individual users and groups.


Note: The ACLs will only work under Solaris. So for networked file systems, both the server and the client must be running Solaris.

We will consider a file created with typical UNIX permissions:

    user@login% ls -l testfile
    -rw-r--r--   1 user     prof        2352 Jan 29 13:37 testfile

The default ACL for this file can be seen using the getfacl command:

    user@login% getfacl testfile
    # file: testfile
    # owner: user
    # group: prof
    user::rw-
    group::r--              #effective:r--
    mask:r--
    other:r--

The user and group permissions are those for the owner (user) and the default group (prof), respectively. The mask indicates the maximum permission available to all users, except the owner. The effective permission, to the right of the group permission, represents the intersection (bitwise AND) of the specified permissions for a user/group and the mask field. The effective permission is what a user, other than the owner, will see when they try to access the file.

For files with ACL entries, the chmod command will change the default mask for the file, as well as change the standard UNIX permissions. From the setfacl manual page:

    ``The ACL mask indicates the maximum permissions allowed for
    users (other than the owner) and for groups. The mask is a
    quick way to change permissions on all the users and groups.''

http://www.cs.duke.edu/csl/faqs/solarisacls.php


To add ACL entries to a file, one uses the setfacl command. The syntax for an access record is

    token:name:perms

There are several possible tokens; a short, but mostly comprehensive, list of the possible types of ACL entries is as follows:

    user:uid:perms
    group:gid:perms
    other:perms
    mask:perms

Here uid/gid may be either a UNIX user/group name or a numeric user/group ID. The perms are standard UNIX file permissions (i.e. r, w, x). Permissions may be specified either as symbolic characters or a number (the same as for the chmod command). Multiple records may be added by a single command, separated by commas.

To add/modify records using the setfacl command, one of three options is required. The -s option will set the ACL, replacing any previous entries. The -m option will modify, or add, an additional entry, and -f filename will set the ACL entries as contained in filename. The -d option can be used to remove one or more ACL entries from a file. Additionally, the -r option can be used to automatically recalculate the mask to give the proper access for a newly set/modified ACL; otherwise an ACL mask entry must be given on the command line. The default mask can also be changed using the standard UNIX chmod command.
For example, to add ``read'' and ``write'' permissions for the group tune, the following command would be used:

    user@login% setfacl -r -m group:tune:rw- testfile

The -m option causes the default ACL to be modified; the -r option recalculates the ACL mask for the file. The output of the getfacl command might then read:

    user@login% getfacl testfile
    # file: testfile
    # owner: user
    # group: prof
    user::rw-
    group::r--              #effective:r--
    group:tune:rw-          #effective:rw-
    mask:rw-
    other:r--

Note the addition of the group entry for the tune group as well as the recalculated mask entry. The output of the ls command will now reflect that ACLs have been enabled for this file by the addition of a + at the end of the regular UNIX permissions.

    user@login% ls -l testfile
    -rw-r--r--+  1 user     prof        2352 Jan 29 13:38 testfile

Members of the group tune may now read and write to this file. Note that using the chmod command on the file will change the default mask, possibly preventing users or groups from accessing the file. Be sure that the "effective" permissions shown in the ACL match the permission you wish to give to a user or group.
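
The mask arithmetic described above (effective = entry AND mask) and the chmod warning can be checked mechanically. The following is an added example, not part of the original FAQ: it parses getfacl-style output and reports entries whose effective permissions are narrower than what was granted, optionally under a different mask such as one left behind by chmod. The sample listing is constructed from the output shown on this page, and the function names are hypothetical.

```python
# Added example; SAMPLE is constructed from this page's listing, names are hypothetical.
SAMPLE = """\
# file: testfile
# owner: user
# group: prof
user::rw-
group::r--              #effective:r--
group:tune:rw-          #effective:rw-
mask:rw-
other:r--
"""
BITS = {"r": 4, "w": 2, "x": 1}

def to_bits(perms):
    """Symbolic ('rw-') or numeric ('6') permissions -> value 0-7."""
    if perms.isdigit():
        return int(perms, 8) & 7
    return sum(BITS[c] for c in perms if c in BITS)

def to_sym(bits):
    return "".join(c if bits & v else "-" for c, v in BITS.items())

def parse_acl(text):
    """Return (mask_bits, [(token, name, bits), ...]) from getfacl output."""
    mask, entries = None, []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].strip().split(":")  # drop comments/#effective
        if len(fields) < 2:
            continue
        token, perms = fields[0], fields[-1]
        name = fields[1] if len(fields) == 3 else ""
        if token == "mask":
            mask = to_bits(perms)
        else:
            entries.append((token, name, to_bits(perms)))
    return mask, entries

def clipped_entries(text, new_mask=None):
    """Entries whose effective permissions are narrower than requested."""
    mask, entries = parse_acl(text)
    if new_mask is not None:
        mask = to_bits(new_mask)
    out = []
    for token, name, bits in entries:
        # Per the quoted man page, the mask limits groups and users other than the owner.
        masked = token == "group" or (token == "user" and name != "")
        if masked and mask is not None and (bits & mask) != bits:
            out.append((f"{token}:{name}", to_sym(bits), to_sym(bits & mask)))
    return out
```

With the listing as shown, clipped_entries(SAMPLE) is empty; passing new_mask="r--" reports that group:tune asked for rw- but would effectively get r--.
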
To turn the permissions for a file "off", use the -d option to setfacl, specifying which access record to delete:


    user@login% setfacl -r -d group:tune testfile

The dtfile file manager provides an easy, graphical interface to managing Solaris ACLs. Under the Selected > Properties menu there is a button to "Show Access Control List". Here permissions for a particular user or group can be added to or removed from a file. The program makes sure the mask setting is correct to give the intended permissions. This program is part of the CDE desktop environment, but can be invoked under OpenWindows as well.

ACLs on directories

ACLs can also be set on directories. If regular ACLs are set as with the file example above, the effect is just to control access to the directory. An additional class of ACLs is also available for use on directories; these are called default ACLs. Default ACLs automatically propagate to any new files and directories created in this directory. This will also effect (set) the permission bits on the created files. This can be used as a mechanism to, e.g., automatically set g+w on new files, which might be useful in certain shared directories.

Default ACLs are a bit complex and are out of the scope of this document. Please consult the setfacl manual page for more details.

If you have any questions, please contact the Lab Staff.

Comments to webmaster@cs.duke.edu | Report an error on this page | Duke University Department of Computer Science 2015.
