Access Control Lists


As described in Chapter 3, three different types of file permissions exist in UNIX, namely read (r), write (w), and execute (x), assigned to three different classes of users, namely owner, group, and others. However, this granularity of access control is not sufficient to grant access permissions to every possible set of users. For example, suppose you want to grant read permission on a file only to yourself (as the owner of the file), to the users in the file's group, and to two other users who are not in this group, but not to all other users. This cannot be done using standard UNIX permissions. To remedy this problem, most UNIX variants, including Linux, Solaris, HP-UX, AIX, Mac OS X, and FreeBSD, support access control lists (ACLs). ACLs can be used to grant access permissions to any possible set of users. We illustrate the use of ACLs by discussing their use in HP-UX.

HP-UX ACLs

Each file on an HP-UX system (supporting access control lists) has its own ACL. An ACL consists of a list of access control entries (ACEs), where each ACE has the format (user.group, permissions), where user is a particular username or a % (percent sign) and group is a particular group or a %. A % is used to indicate that access is not restricted to a specific user or group. Examples of ACEs are (ken11.group3, rw-), (robin13.%, r--), (%.group3, -w-), and (%.%, rw-). These entries specify, respectively, that user ken11 in group3 has only read and write permissions on this file, user robin13 has only read permission, all members of group3 are granted only write permission, and all users in all groups have only read and write permissions.

On HP-UX the lsacl (list access control list) command is used to display the ACL of a file. For example, the command

 # lsacl memo
 (lori9.%, rw-) (ken11.%, rw-) (%.group4, rw-) (%.%, r--) memo

shows that lori9, ken11, and all users in group4 have read and write permissions on the file memo and other users in all groups have read permissions. Note that when a user attempts to access a file, ACEs are checked according to the form of their first entry. ACEs in which the first entry has the form uid.gid are checked first, followed by those where the first entry has the form uid.%, followed by those where the first entry has the form %.gid, followed by those where the first entry has the form %.%.
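The checking order just described can be made concrete with a small model. The following Python is an added example, not code from the book or from HP-UX: it parses lsacl-style output and evaluates a request in the order uid.gid, uid.%, %.gid, %.%. It assumes that the first matching ACE decides (the text implies this but does not state it outright), and its sample ACL is a constructed one, the memo example above plus one extra uid.gid entry so the ordering is visible.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample ACL in the form lsacl prints it: the page's memo
# example plus one user.group entry (ken11.group3) added here so the
# checking order is visible.
SAMPLE_ACL = ("(lori9.%, rw-) (ken11.%, rw-) (%.group4, rw-) "
              "(%.%, r--) (ken11.group3, r--)")

# One ACE: "(user.group, perms)" where user and/or group may be "%".
ACE_RE = re.compile(r"\(\s*([^.\s]+)\.([^,\s]+)\s*,\s*([r-][w-][x-])\s*\)")

Ace = Tuple[str, str, str]

def parse_acl(text: str) -> List[Ace]:
    """Turn lsacl-style text into (user, group, perms) triples."""
    aces = ACE_RE.findall(text)
    if not aces:
        raise ValueError("no ACEs found in %r" % text)
    return aces

def _rank(ace: Ace) -> Tuple[bool, bool]:
    """Checking order from the text: uid.gid, then uid.%, then %.gid,
    then %.%. False sorts before True, so specific entries come first."""
    user, group, _ = ace
    return (user == "%", group == "%")

def effective_perms(acl: List[Ace], user: str, groups: Iterable[str]) -> str:
    """Permissions from the first ACE that matches in checking order.
    Assumption made here: the first matching ACE decides, and a user
    with no matching ACE at all gets no access."""
    members = set(groups)
    for u, g, perms in sorted(acl, key=_rank):   # stable sort keeps ties in list order
        if u in ("%", user) and (g == "%" or g in members):
            return perms
    return "---"

def has_access(acl: List[Ace], user: str, groups: Iterable[str], mode: str) -> bool:
    """mode is a single letter: 'r', 'w' or 'x'."""
    if len(mode) != 1 or mode not in "rwx":
        raise ValueError("mode must be r, w or x")
    return mode in effective_perms(acl, user, groups)

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for who, grp in (("lori9", "group1"), ("ken11", "group3"),
                     ("ken11", "group4"), ("pat", "group9")):
        print(who, grp, effective_perms(acl, who, [grp]))
```

Note that ken11 in group3 ends up with r-- even though (ken11.%, rw-) is also present, because the uid.gid entry is checked first.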

The chacl (change access control list) command is used to add, delete, or modify ACEs from an ACL. For instance, the command

 # chacl "robin13.%=rw" memo

is used to grant read and write permissions to robin13 for the file memo,

 # chacl -d "ken11.group3=rw" memo

deletes the ACE that granted read and write permissions to ken11 for the file memo, and

 # chacl "heather3.group4-w" memo

removes write access to heather3 for the file memo.

For more details on how ACLs are used in HP-UX and how they behave when various commands are used, see your HP-UX manual pages or the book HP-UX System and Administration Guide by Jay Shah.




UNIX: The Complete Reference, Second Edition (Complete Reference Series)
ISBN: 0072263369
Year: 2006
Pages: 316
