Using Solaris ACLs

An ACL (Access Control List) facility is available on disk partitions hosted on servers running Solaris OS. [Note: As of January 2002, the home filesystems have been moved to a Network Appliance Filer. While providing increased performance and capacity, it does not currently support Solaris ACLs; users depending on this feature should contact the Lab Staff. This deficiency is expected to be remedied when NFSv4 is released.]

Solaris ACLs (Access Control Lists)

If you need more complex file permissions than the standard UNIX permissions allow for, you may want to consider using Access Control Lists (ACLs) under Solaris. These allow you to set permissions on your files and directories to grant or deny access to arbitrary combinations of individual users and groups.

Note: The ACLs will only work under Solaris. So for networked filesystems, both the server and the client must be running Solaris.

We will consider a file created with typical UNIX permissions:

	user@login% ls -l testfile 
	-rw-r--r--   1 user    prof         2352 Jan 29 13:37 testfile

The default ACL for this file can be seen using the getfacl command:

	user@login% getfacl testfile
	# file: testfile
	# owner: user
	# group: prof
	user::rw-
	group::r--              #effective:r--
	mask:r--
	other:r--

The user and group permissions are those for the owner (user) and the default group (prof), respectively. The mask indicates the maximum permission available to all users, except the owner. The effective permission, to the right of the group permission, represents the intersection (bitwise AND) of the specified permissions for a user/group and the mask field. The effective permission is what a user, other than the owner, will see when they try to access the file.

For files with ACL entries, the chmod command will change the default mask for the file, as well as change the standard UNIX permissions. From the setfacl manual page:

	``The ACL mask indicates the maximum permissions allowed for
	users (other than the owner) and for groups. The mask is a
	quick way to change permissions on all the users and groups.''

To add ACL entries to a file, one uses the setfacl command. The syntax for an access record is

	token:name:perms

There are several possible tokens; a short, but mostly comprehensive list of the possible types of ACL entries is as follows:

	user:uid:perms
	group:gid:perms
	other:perms
	mask:perms

Here uid/gid may be either a UNIX user/group name or a numeric user/group ID. The perms are standard UNIX file permissions (i.e. r,w,x). Permissions may be specified either as symbolic characters or a number (the same as for the chmod command). Multiple records may be added by a single command, separated by commas.

To add or modify records using the setfacl command, one of three options is required. The -s option sets the ACL, replacing any previous entries. The -m option modifies an existing entry or adds a new one, and -f filename sets the ACL entries contained in filename. One or more ACL entries can be removed from a file using the -d option. Additionally, the -r option can be used to automatically recalculate the mask to give the proper access for a newly set/modified ACL; otherwise an ACL mask entry must be given on the command line. The default mask can also be changed using the standard UNIX chmod command.

For example, to add ``read'' and ``write'' permissions for the group tune, the following command would be used:

	user@login% setfacl -r -m group:tune:rw- testfile

The -m option causes the default ACL to be modified, and the -r option recalculates the ACL mask for the file. The output of the getfacl command might then read:

	user@login% getfacl testfile
	# file: testfile
	# owner: user
	# group: prof
	user::rw-
	group::r--              #effective:r--
	group:tune:rw-          #effective:rw-
	mask:rw-
	other:r--

Note the addition of the group entry for the tune group as well as the recalculated mask entry. The output of the ls command will now reflect that ACLs have been enabled for this file by the addition of a + at the end of the regular UNIX permissions.

	user@login% ls -l testfile
	-rw-r--r--+  1 user    prof         2352 Jan 29 13:38 testfile

Members of the group tune may now read and write to this file. Note that using the chmod command on the file will change the default mask, possibly preventing users or groups from accessing the file. Be sure that the "effective" permissions shown in the ACL match the permission you wish to give to a user or group.
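The check described above can be scripted. The following is an added example, not part of the original page: it recomputes the effective permission of each masked entry from getfacl-style output and flags entries that the mask has reduced. The function names acl_effective and sample_acl are hypothetical, and the sample ACL is constructed to show the testfile entries after a chmod has narrowed the mask to r--.

```shell
#!/bin/sh
# acl_effective: read getfacl-style output on stdin and print, for each
# entry the mask applies to, "<entry> <granted> <effective> <status>".
acl_effective() {
    awk '
    { sub(/[ \t]*#.*$/, "") }      # drop "# file:" headers and "#effective:" notes
    $0 == "" { next }
    {
        n = split($0, f, ":")
        if (f[1] == "mask") { mask = f[n]; next }
        # The mask limits named users and all group entries, not the owner or other.
        if (f[1] == "group" || (f[1] == "user" && f[2] != "")) {
            name[++cnt] = f[1] ":" f[2]
            perm[cnt] = f[n]
        }
    }
    END {
        if (mask == "") mask = "rwx"   # no mask line: nothing to intersect with
        for (i = 1; i <= cnt; i++) {
            eff = ""
            for (p = 1; p <= 3; p++) {
                c = substr(perm[i], p, 1)
                eff = eff ((c != "-" && c == substr(mask, p, 1)) ? c : "-")
            }
            print name[i], perm[i], eff, (eff == perm[i] ? "ok" : "REDUCED")
        }
    }'
}

# Constructed sample: the testfile ACL after a chmod has narrowed the mask to r--.
sample_acl() {
    cat <<'EOF'
# file: testfile
# owner: user
# group: prof
user::rw-
group::r--
group:tune:rw-
mask:r--
other:r--
EOF
}

sample_acl | acl_effective
```

On a live system, pipe the output of getfacl for the file into acl_effective; any line marked REDUCED is an entry whose granted permissions are no longer fully in effect.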

To turn the permissions for a file "off" use the -d option to setfacl, specifying which access record to delete:

	user@login% setfacl -r -d group:tune testfile

The dtfile file manager provides an easy, graphical interface to managing Solaris ACLs. Under the Selected->Properties menu there is a button to "Show Access Control List". Here permissions for a particular user or group can be added to or removed from a file. The program makes sure the mask setting is correct to give the intended permissions. This program is part of the CDE desktop environment, but can be invoked under OpenWindows as well.

ACLs on directories

ACLs can also be set on directories. If regular ACLs are set as with the file example above, the effect is just to control access to the directory. An additional class of ACLs is also available for use on directories; these are called default ACLs. Default ACLs automatically propagate to any new files and directories created in this directory. This also sets the permission bits on the created files. This can be used as a mechanism to, e.g., automatically set g+w on new files, which might be useful in certain shared directories.

Default ACLs are a bit complex and are out of the scope of this document. Please consult the setfacl manual page for more details.

If you have any questions, please contact the Lab Staff.