Using Solaris ACLs
Overview
An ACL (Access Control List) facility is available on disk partitions hosted on servers running Solaris OS. [Note: As of January 2002, the home filesystems have been moved to a Network Appliance Filer. While providing increased performance and capacity, it does not currently support Solaris ACLs; users depending on this feature should contact the Lab Staff. This deficiency is expected to be remedied when NFSv4 is released.]

Solaris ACLs (Access Control Lists)

If you need more complex file permissions than the standard UNIX permissions allow for, you may want to consider using Access Control Lists (ACLs) under Solaris. These allow you to set permissions on your files and directories to grant or deny access to arbitrary combinations of individual users and groups.

Note: The ACLs will only work under Solaris. So for networked filesystems, both the server and the client must be running Solaris.

We will consider a file created with typical UNIX permissions:

    user@login% ls -l testfile
    -rw-r--r--   1 user  prof  2352 Jan 29 13:37 testfile

The default ACL for this file can be seen using the getfacl command:

    user@login% getfacl testfile
    # file: testfile
    # owner: user
    # group: prof
    user::rw-
    group::r--          #effective:r--
    mask:r--
    other:r--

The user and group permissions are those for the owner (user) and the default group (prof), respectively. The mask indicates the maximum permission available to all users, except the owner. The effective permission, to the right of the group permission, represents the intersection (bitwise AND) of the specified permissions for a user/group and the mask field. The effective permission is what a user, other than the owner, will see when they try to access the file.

For files with ACL entries, the chmod command will change the default mask for the file, as well as change the standard UNIX permissions. From the setfacl manual page:

    "The ACL mask indicates the maximum permissions allowed for
    users (other than the owner) and for groups. The mask is a
    quick way to change permissions on all the users and groups."

http://www.cs.duke.edu/csl/faqs/solarisacls.php
8/3/2015
To add ACL entries to a file, one uses the setfacl command. The syntax for an access record is

    token:name:perms

There are several possible tokens; a short, but mostly comprehensive, list of the possible types of ACL entries is as follows:

    user:uid:perms
    group:gid:perms
    other:perms
    mask:perms

Here uid/gid may be either a UNIX user/group name or a numeric user/group ID. The perms are standard UNIX file permissions (i.e. r, w, x). Permissions may be specified either as symbolic characters or a number (the same as for the chmod command). Multiple records may be added by a single command, separated by commas.

To add/modify records using the setfacl command, one of three options is required. The -s option will set the ACL, replacing any previous entries. The -m option will modify or add an additional entry, and -f filename will set the ACL entries as contained in filename. The -d option can be used to remove one or more ACL entries from a file. Additionally, the -r option can be used to automatically recalculate the mask to give the proper access for a newly set/modified ACL; otherwise an ACL mask entry must be given on the command line. The default mask can also be changed using the standard UNIX chmod command.

For example, to add "read" and "write" permissions for the group tune, the following command would be used:

    user@login% setfacl -r -m group:tune:rw- testfile

The -m option causes the default ACL to be modified; the -r option recalculates the ACL mask for the file. The output of the getfacl command might then read:

    user@login% getfacl testfile
    # file: testfile
    # owner: user
    # group: prof
    user::rw-
    group::r--          #effective:r--
    group:tune:rw-      #effective:rw-
    mask:rw-
    other:r--

Note the addition of the group entry for the tune group as well as the recalculated mask entry. The output of the ls command will now reflect that ACLs have been enabled for this file by the addition of a + at the end of the regular UNIX permissions.

    user@login% ls -l testfile
    -rw-r--r--+  1 user  prof  2352 Jan 29 13:38 testfile

Members of the group tune may now read and write to this file. Note that using the chmod command on the file will change the default mask, possibly preventing users or groups from accessing the file. Be sure that the "effective" permissions shown in the ACL match the permission you wish to give to a user or group.

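The mask arithmetic described earlier and the chmod warning above can both be checked mechanically. This Python code is an added example, not part of the original page: it parses getfacl output (or comma-separated setfacl records), recomputes each entry's effective permission as entry AND mask, and lists the entries a given mask would narrow. The function names are hypothetical, and the sample ACL is constructed from the getfacl output shown above.

```python
# Added example; function names are illustrative, not from the page.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def parse_perms(p):
    """Accept symbolic ('rw-') or numeric ('6') permissions, as chmod does."""
    if len(p) == 1 and p in "01234567":
        return int(p)
    if not p or set(p) - set("rwx-"):
        raise ValueError(f"bad permissions {p!r}")
    return sum(bit for ch, bit in PERM_BITS.items() if ch in p)

def show(bits):
    return "".join(ch if bits & bit else "-" for ch, bit in PERM_BITS.items())

def parse_acl(text):
    """Parse getfacl output or setfacl records into (entries, mask bits)."""
    entries, mask = [], None
    for rec in text.replace(",", "\n").splitlines():
        rec = rec.split("#", 1)[0].strip()  # drop "# file:" and "#effective:" text
        if not rec:
            continue
        fields = rec.split(":")
        if fields[0] in ("user", "group") and len(fields) == 3:
            entries.append((fields[0], fields[1], parse_perms(fields[2])))
        elif fields[0] == "other" and len(fields) == 2:
            entries.append(("other", "", parse_perms(fields[1])))
        elif fields[0] == "mask" and len(fields) == 2:
            mask = parse_perms(fields[1])
        else:
            raise ValueError(f"bad ACL record {rec!r}")
    return entries, mask

def effective(entries, mask):
    """Entry AND mask for the entries getfacl annotates with #effective
    (group and named users); the owner and other are left unmasked."""
    result = {}
    for tag, name, bits in entries:
        masked = tag == "group" or (tag == "user" and name != "")
        result[f"{tag}:{name}"] = show(bits & mask if masked and mask is not None else bits)
    return result

def narrowed(entries, mask):
    """Entries that receive less than they were granted under this mask."""
    eff = effective(entries, mask)
    return {key: eff[key] for tag, name, bits in entries
            for key in [f"{tag}:{name}"] if eff[key] != show(bits)}

# Constructed sample: the ACL shown above after group:tune was added.
SAMPLE = ("# file: testfile\n# owner: user\n# group: prof\n"
          "user::rw-\ngroup::r--\t\t#effective:r--\n"
          "group:tune:rw-\t\t#effective:rw-\nmask:rw-\nother:r--\n")
```

Calling `narrowed(entries, 4)` on the parsed sample models the mask being lowered to r--, the situation the chmod warning describes: the group:tune entry still reads rw- in the ACL but is effectively r--.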
To turn the permissions for a file "off", use the -d option to setfacl, specifying which access record to delete:

    user@login% setfacl -r -d group:tune testfile

The dtfile file manager provides an easy, graphical interface to managing Solaris ACLs. Under the Selected > Properties menu there is a button to "Show Access Control List". Here permissions for a particular user or group can be added to or removed from a file. The program makes sure the mask setting is correct to give the intended permissions. This program is part of the CDE desktop environment, but can be invoked under OpenWindows as well.

ACLs on directories

ACLs can also be set on directories. If regular ACLs are set as with the file example above, the effect is just to control access to the directory. An additional class of ACLs is also available for use on directories; these are called default ACLs. Default ACLs automatically propagate to any new files and directories created in this directory. This will also affect (set) the permission bits on the created files. This can be used as a mechanism to, e.g., automatically set g+w on new files, which might be useful in certain shared directories.

Default ACLs are a bit complex and are out of the scope of this document. Please consult the setfacl manual page for more details.

If you have any questions, please contact the Lab Staff.

Comments to webmaster@cs.duke.edu | Duke University Department of Computer Science 2015.