Access Control Lists (ACLs) in AIX

I have a directory named "/data" and a user called "steve"
To enable the ACL in this directory and add specific permissions to a user, type
# acledit /data
A screen like this will appear:
attributes:
base permissions
owner(root): rwx
group(system): r-x
others: r-x
extended permissions
disabled
Using "vi" commands, change the extended permissions to "enabled", and add the specific permissions, like this: attributes: SGID
base permissions
owner(root): rwx
group(system): rwx
others: ---
extended permissions
enabled
permit rwx u:steve
permit r-x g:group
permit rw- u:test
------------------------------------------------
where:
r = read
w = write
x = execute
u= user
g= group
permit: to grant access
After this, save the file (like in "vi" editor).
To list the ACL´s, type
# aclget /data
To transfer the ACL permissions from a directory to another, type
# aclget /data |aclput /data2
Now we will collect all the acl's permission in an outputfile called as acldefs.
# aclget -o acldefs /data
Edit the file acldefs. and make the necessary changes as you want in the file. After changing the files for necessary ACL permission's save the file as we are going to use this file for our future input values.
Now to put the acl on the other directory / file with as per the changes you made in your file.
# aclput -i acldefs /data3
This will put the acl's on the file with the values specfied in the acldefs file. and now you can play with acl's.
Extended permissions:
AIXC ACL extended permissions allow the owner of a file to more precisely define access to that file. Extended permissions modify the base file permissions (owner, group, others) by permitting, denying, or specifying access modes for specific individuals, groups, or user and group combinations. Permissions are modified through the use of keywords.
The permit, deny, and specify keywords are defined as follows:
permit: Grants the user or group the specified access to the file
deny: Restricts the user or group from using the specified access to the file
specify: Precisely defines the file access for the user or group
A user is denied a particular access by either a deny or a specify keyword, no other entry can If override that access denial.
The enabled keyword must be specified in the ACL for the extended permissions to take effect.
The default value is the disabled keyword.
In an AIXC ACL, extended permissions are in the following format:
extended permissions:
enabled | disabled
permit Mode UserInfo...:
deny Mode UserInfo...:
specify Mode UserInfo...:
Use a separate line for each permit, deny, or specify entry. The Mode parameter is expressed as rwx (with a hyphen (-) replacing each unspecified permission). The UserInfo parameter is expressed as u:UserName, or g:GroupName, or a comma-separated combination of u:UserName and g:GroupName.
Note: If more than one user name is specified in an entry, that entry cannot be used in an access control decision because a process has only one user ID.

Linux Permissions along with ACL (access control list)

Linux file permissions are based upon three actions:

Read – read a file, on directories grants permission to read names of files in the directory (but not find any additional information size owner etc..)

Write – modify, delete rename a file, on directories it gives permission to modify entries inside the directory including create, delete and rename files

Execute – execute a file, on directories is grants permission to go into the directory and subdirectories it goes not grant read access to the directory

Linux also supports three additional permissions:

SUID – Set user ID – when a file with this bit is set and it is executable it will be executed with the effective permissions of the owner.

SGID – Set group ID – when a file with this bit is set and it is executable it will be executed with the effective permissions of the group, directories with the SGID new files and directories created under the original directory will inhert it's group from the SGID group.

sticky - when a file with this bit is set and it is executable it encourages the kernel to retain the resulting process beyond termination, when set upon a directory it prevents users who are not the owner from renaming, deleting or moving files or subdirectories.

Each file can be owned by a single user, group and everyone else. Other is everyone who is not the user or a member of the group. All directories are really just files in linux. Linux filenames can be up to 256 characters long. Linux permissions are not inherited except SGID directories. Since the 2.6 Kernel linux also support acl based file permissions giving you better control on your file system. You can see the permission user and group on a file by performing a long listing of a file:

ls -al

drwxr-xr-x 3 root root 4096 Nov 10 21:25 .
drwx—— 46 root root 4096 Nov 10 21:12 ..
drwxr-xr-x 2 jgriffiths users 4096 Nov 10 21:25 cheese
-rw-r–r– 1 root root 0 Nov 10 21:12 donkey.doc
-rw-r–r– 1 jgriffiths video 0 Nov 10 21:12 myfile.txt

This listing displays hidden files because we issued ls with the -a command line switch. The sections are divided as follows:

Sample	Field	Description
drwxr_xr_x	Permissions	Permissions on the directory or file
2	Directories	Amount of links (files and directories) inside the directory including itself
jgriffiths	User	Owner of this files username
users	Group	Group this file is owner by
4096	Size	Size of file in k-bytes
Nov 10 21:25	Modification time	Time of last change
cheese	Name	Name of directory or file

The permissions field is 11 characters broken down into four sections: type, owner permissions, group permissions and other permissions.

Characters #'s	Section	Description
1	type	This defines a directory vs a file or special type
2-4	owner permissions	This defines users permissions
5-7	group permissions	This defines group permissions
8-11	other permissions	This defines world permissions

There can be the following types:

Type	Description
d	Directory
l	Symbolic link
s	Socket
p	Named pipe
-	Normal file
c	Character device or special file
b	Block device or special file

Each of the user, group and other permissions files contain either a r,w,x or an -. They are always displayed in the order of rwx.

Type	Description
-	Not set not allowed to take action
r	Read permission
w	Write permission
x	Execute permission

For example the following listing:

drwxr-xr-x 2 root root 4096 Nov 10 21:25 cheese

Is a directory (d) with owner (root) read (r), write (w), execute (x), group (root) read (r), no-write (-), execute (x), other, read (r), no-write (-), and execute (x).

Additional Permissions

The additional permissions show up by replacing the execute bit with a character:

Permission	Class	Non-Executable	Executable
setuid	User	S	s
setgid	Group	S	s
Sticky bit	Others	T	t

Changing Permissions

In Linux you use the chmod command to change permissions of a file or directory. chmod can be used with an octal set of permissions or individually using characters to represent user (u), group (g), other (o), and an add (+), subtract (-). I will cover Octal permissions using numbers to represent combination permissions. When using octal permissions you seperate out permission in the following order user:group:other. Each permission type adds an amount to zero:

Read – Adds 4 to the total

Write – Adds 2 to the total

Execute – Adds 1 to the total

So permission 744 would be User: read,write, execute; Group read; Other read. The command to set a file to 744 would be:

chmod 744 filename

Changing Additional Permissions

Additional permissions take the first bit a hidden bit of the permissions:

The setuid bit adds 4 to the total.

The setgid bit adds 2 to the total.

The sticky bit adds 1 to the total.

If I wanted to set the permissions to 744 with the sticky bit set I would run this command:

chmod 1744 filename

Default Permissions – Umask

The umask defines the default permissions assigned to any file created by a user or system. You can assign your umask at any time by executing:

umask permissions

The permissions on umasks can be tricky. You need to take the permissions of 777 and subtract the umask. For example a user has the umask of 022 when he / she creates a file the default permissions are: 644.

Finding Files with Special Permissions

Since special permissions break the authentication method for Linux they can be very dangerous. There are some simple ways to locate suid and sgid files.

Find all SetGID files on your system:

find / -xdev -type f -perm +g=s -print'

Find all SetUID files on your system:

find / -xdev -type f -perm +u=s -print

Find all world writable files on a system:

find / -xdev -perm +o=w ! \( -type d -perm +o=t \) ! -type l -printtype f -perm +u=s -print

ACL File Permissions on 2.6 Kernel

The 2.6 Linux kernel added ACL's to file permissions (access control lists) it allows you to have unlimited number of users with individual permissions on a file. It also adds a level of complexity to your file system. Before you can work with ACL's you need to enable them on a mount point basis. Enabling ACL's requires adding the option acl to the /etc/fstab and remounting the mount point. For example take a look at this root partition:

/dev/hda5 / ext3 acl,user_xattr 1 1

This shows acl's enabled and ready to work. ACL can only be used on the following file systems: ext2/3, XFS, JFS and ReiserFS. The primary method for manipulating acl's is using the getfacl and setfacl commands. getfact allows you to display acl lists on a file or directory. setfacl allows you to set the current acl on a file or directory. In order to explain acl's lets assume that I have a unix system with four users jack,jill,bob and myself (jgriffiths). I want to create a file called test.txt and give jack and jill read and write permission to this file while bob can only read the file. I created the file and started with the following permissions:

ls -al test.txt
-rw——- 1 jgriffiths users 0 2007-11-16 23:37 test.txt

The permissions are clearly set to allow jgriffiths as the only person who can manipulate this file in anyway. setfacl allows you to set permissions for more than one user at a time. To create my acl permissions I would use the following command:

setfacl -m u:bob:r–,u:jack,jill:rw- tester.txt

I can use the getfacl to view the current effective permissions on the file:

getfacl test.txt

# file: test.txt

# owner: jgriffiths

# group: users

user:jill:rw-

user:jack:rwx

user:bob:r–

group::—

mask::r-x

other::—

So jack and jill can read and write while bob can only read. Everyone else but jgriffiths cannot do anything with this file. You will also notice an entry called mask. The mask sets the effective permissions for all acl groups and users. This allows you to limit acl's control maxium on a file or directory. Assume my mask looks like this in the above entry: mask::r– then no one would be able to do more than read this file unless they are the owner. You can set the mask using:

setfacl -m mask::rw- tester.txt

Viewing the rights of our file now produces an effective rights listing:

getfacl tester.txt

# file: tester.txt

# owner: jgriffiths

# group: users

user::rw-

user:jack:rw- #effective:r–

user:bob:r–

group::—

mask::r–

other::—

If we perform an ls -al on the file it produces the following confusing results:

-rw-rw—-+ 1 jgriffiths users 0 2007-11-17 00:01 test.txt

As you can see it seems the users group has read and write access to test.txt when in reality they do not. Also linux has added a + to the permission list to help us know there is a acl on this file.

ACL's can be added based upon Linux groups using the same setfacl command:

setfacl -m g:groupname:rw-,g:groupname_two:r test.txt

Removing acl based permission can be done using the -x command line parameter:

setfacl -x u:bob,u:jack tester.txt

Now only Jill can access the tester.txt file. Or we can removal all acl's on a file with the –remove-all:

setfacl –remove-all tester.txt

If you would like to recursively assign an acl to a directory and all files add an -R to the command use the following command:

setfacl -R -m g:users:r-x /data/webroot

ACL's viewed by the getfacl command can be piped into a file and used to generate the same acl on any other file using the setfacl command:

# getfacl -omit tester.txt

# setfacl -M myacl test*

# getfacl -omit test.txt

user:jill:rw-

user:jack:r-x

user:bob:r–

group::—

mask::r-x

other::—

You can also use gid's and uid's instead of names as long as you provide the -numeric switch to setfacl.

ACL's and Directories the Default ACL

ACL's created inherited permissions that allow subdirectories and file to get the permissions of their parent. This type of inheritance is easy to manage but can be a security concern make sure to consider carefully how you set acl's on directories because those same permissions will exist on the lower levels.

How to setup ACL

The access control list (ACL) is used to enforce privilege separation. It is a means of determining the appropriate access rights to a given object (such as files ) depending on certain aspects of the process that is making the request.

On file systems the process's user identifier (effective UID) is the principal means of control. 

Why ACL required?
Usually UNIX read, write, execute permission are more than sufficient but in many cases you need to setup a complex permission for accessing files. ACL makes managing permissions quite easy under FreeBSD (and Linux).

Prepare filesystem to use ACL
To use ACLs under FreeBSD, remount filesystem with acls option:

Code:

# mount -o acls -u /usr

However latest version of FreeBSD may not allow you to mount partition due to security settings. Open your /etc/fstab file and modify entry as follows:

Code:

vi /etc/fstab

Now setup acls option, at the end modification should look as follows:

Code:

/dev/ad0s1f             /usr            ufs     rw,acls         2       2

Save and close the file. Reboot FreeBSD:

Code:

# sync;sync
# reboot

Verify that /usr filessystem is mounted with ACLs option:

Code:

# mount

/dev/ad0s1f on /usr (ufs, local, soft-updates, acls)

Task: Set ACL using setfacl
The setfacl utility or command sets or modifies discretionary access control information on the specified file. 

Each ACL is made of 3 tags. It contains colon-separated fields as follows:
tag:qualifier:access-permissions

=> tag field is use to setup user, group or other permission. It can consists of one of
the following

• u - specifying the access granted to the owner of the file or a specified user
• g - specifying the access granted to the file owning group or a specified group
• o - specifying the access granted to any process that does not match any user or group

=> qualifier filed is nothing but user or group name.
=> access-permissions field contains up to one of each of the following:

• r : set read permission
• w : set write permission
• x : set execute permissions

Each of these may be excluded or placed with a '-' character to indicate no access.

In short use following syntax for each group of users to setup ACL:

To setup user/owner ACL

Code:

u:user-name:mode

To setup group ACL

Code:

g:group-name:mode

To setup others ACL

Code:

o:mode

Task: get or display ACL information
Use getfacl command to display ACL information.

Code:

$ getfacl file.txt

#file:file.txt
#owner:1001
#group:1001
user::rw-
group::r--
other::r--

Task: set new ACL for user/owner 
Sets read only permissions for the file called file.txt for owner:

Code:

setfacl -m u::r file.txt

Now see new permission 

Code:

getfacl file.txt

#file:file.txt
#owner:1001
#group:1001
user::r--
group::r--
mask::r--
other::r--

Now Sets read, write, and execute permissions for the file called file.txt for owner:

Code:

setfacl -m u::rwx file.txt
getfacl file.txt

Task: Copy file.txt ACL to file2.txt

Code:

touch file2.txt
getfacl file2.txt
getfacl file.txt

Now copy file.txt ACL to file2.txt:

Code:

getfacl file.txt | setfacl -b -n -M - file2.txt
getfacl file2.txt

There are lots of options available and I will cover them later on.