Friday, February 13, 2009

Access Control Lists (ACLs) in AIX

I have a directory named "/data" and a user called "steve"

To enable the ACL in this directory and add specific permissions to a user, type
# acledit /data

A screen like this will appear:
attributes:
base permissions
owner(root): rwx
group(system): r-x
others: r-x
extended permissions
disabled

Using "vi" commands, change the extended permissions to "enabled", and add the specific permissions, like this:
attributes: SGID
base permissions
owner(root): rwx
group(system): rwx
others: ---
extended permissions
enabled
permit rwx u:steve
permit r-x g:group
permit rw- u:test
------------------------------------------------
where:
r = read
w = write
x = execute
u = user
g = group
permit: to grant access

After this, save the file (like in "vi" editor).
To list the ACLs, type

# aclget /data

To transfer the ACL permissions from a directory to another, type

# aclget /data | aclput /data2

Now we will collect all the ACL permissions in an output file called acldefs.

# aclget -o acldefs /data

Edit the acldefs file and make the changes you want to the ACL entries. After changing the entries, save the file, as we are going to use it as the input in the next step.

Now apply the ACL, with the changes you made in the file, to another directory or file:

# aclput -i acldefs /data3

This puts the ACL on the file with the values specified in the acldefs file. Now you can experiment with ACLs.

Extended permissions:

AIXC ACL extended permissions allow the owner of a file to more precisely define access to that file. Extended permissions modify the base file permissions (owner, group, others) by permitting, denying, or specifying access modes for specific individuals, groups, or user and group combinations. Permissions are modified through the use of keywords.

The permit, deny, and specify keywords are defined as follows:

permit: Grants the user or group the specified access to the file

deny: Restricts the user or group from using the specified access to the file

specify: Precisely defines the file access for the user or group

If a user is denied a particular access by either a deny or a specify keyword, no other entry can override that access denial.

The enabled keyword must be specified in the ACL for the extended permissions to take effect.

The default value is the disabled keyword.
In an AIXC ACL, extended permissions are in the following format:
extended permissions:
enabled | disabled
permit Mode UserInfo...:
deny Mode UserInfo...:
specify Mode UserInfo...:

Use a separate line for each permit, deny, or specify entry. The Mode parameter is expressed as rwx (with a hyphen (-) replacing each unspecified permission). The UserInfo parameter is expressed as u:UserName, or g:GroupName, or a comma-separated combination of u:UserName and g:GroupName.

Note: If more than one user name is specified in an entry, that entry cannot be used in an access control decision because a process has only one user ID.
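As an added example (not from the original post), here is a small Python model of the rules just described: it parses the text layout that acledit and aclget show, then decides access from the base class, permit entries, and the deny/specify precedence. The sample ACL, the group name "staff", and the access function are constructed for illustration; this is a simplified model of the rules as stated above, not the AIX kernel's own algorithm.

```python
import re
# Constructed sample in the text layout aclget prints; not taken from a real system.
SAMPLE_ACL = """\
base permissions
    owner(root): rwx
    group(system): rwx
    others: ---
extended permissions
    enabled
    permit rwx u:steve
    permit r-x g:staff
    deny -w- u:steve,g:staff
    specify r-- u:test
"""

def parse_acl(text):
    # Result: base class -> (name, set of granted bits), enabled flag, extended entries
    acl = {"base": {}, "enabled": False, "entries": []}
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"(owner|group|others)(?:\(([^)]*)\))?:\s*([rwx-]{3})$", line)
        if m:  # a '-' in the Mode means that bit is not granted
            acl["base"][m.group(1)] = (m.group(2), set(m.group(3).replace("-", "")))
        elif line in ("enabled", "disabled"):
            acl["enabled"] = line == "enabled"
        else:
            m = re.match(r"(permit|deny|specify)\s+([rwx-]{3})\s+(\S+)$", line)
            if m:  # UserInfo is u:Name, g:Name or a comma-separated combination
                who = frozenset(m.group(3).split(","))
                acl["entries"].append((m.group(1), set(m.group(2).replace("-", "")), who))
    return acl

def entry_matches(who, user, groups):
    # Every u:/g: item must match; an entry naming two users never matches (one UID per process)
    return who <= ({"u:" + user} | {"g:" + g for g in groups})

def access(acl, user, groups, requested):
    """True if every bit in requested (e.g. 'rx') is allowed; simplified model of the post's rules."""
    owner, grp = acl["base"]["owner"][0], acl["base"]["group"][0]
    cls = "owner" if user == owner else "group" if grp in groups else "others"
    allowed, denied = set(acl["base"][cls][1]), set()
    if acl["enabled"]:  # extended entries only count when the enabled keyword is present
        for kind, mode, who in (e for e in acl["entries"] if entry_matches(e[2], user, groups)):
            if kind == "permit":
                allowed |= mode
            elif kind == "deny":
                denied |= mode
            else:  # specify: exactly these bits; every other bit is denied and cannot be overridden
                allowed, denied = allowed | mode, denied | (set("rwx") - mode)
    return set(requested) <= allowed - denied
```

Note that the deny entry above names both u:steve and g:staff, so it applies only when steve's process is also in the staff group.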