
Access Control Lists (ACLs)

From the document Administration UNIX (pages 60-63)

The UNIX Model — Selected Topics

2.2.3 Access Control Lists (ACLs)

File access permissions originate from the early days of UNIX, and they provide enough flexibility in accessing UNIX resources (objects) to meet most daily needs. This approach was made even more flexible by introducing secondary groups as desired, and by grouping individual users on a per-need basis. Nevertheless, the continual development and growth in the use of UNIX as a platform for different applications required an even more selective approach. Modern UNIX flavors introduced Access Control Lists (ACLs) to respond to these new demands.

ACLs are a key enforcement mechanism of discretionary access control (DAC), used to specify access to files by users and groups more selectively than with traditional UNIX mechanisms. ACLs permit or deny access to a list of users, groups, or combinations thereof.

ACLs are supported as a superset of the UNIX operating system DAC mechanism for files, directories, and devices.

An access control list is a set of (user.group, mode) entries associated with a file that specify permissions for all possible user-ID/group-ID combinations. An entry in an ACL specifies access rights for one user and group combination. Three bits in an ACL entry represent read, write, and execute-search permissions. These permissions coexist with the traditional mode bits associated with every file in the filesystem.

An individual ACL entry could be considered restrictive or permissive depending on the context. Restrictive entries deny a user and/or group access that would otherwise be granted by less specific base or optional ACL entries. Permissive entries grant a user and/or group access that would otherwise be denied by less specific base or optional ACL entries.

The right to alter ACL entries is granted to file (object) owners and to privileged users.

Privileged users are superusers and members of certain privileged groups.

For a better understanding of the relationship between ACLs and traditional file permissions, let us consider the following file and its permissions:

Permissions   User   Group   Filename
-rwxr-xr--    bjl    admin   datafile

The file owner is: bjl
The file’s group is: admin
The name of the file is: datafile
The file owner permissions are: rwx
The file group permissions are: r-x
The file other permissions are: r--

When a file is created, three base access control list entries are mapped from the file’s access permission bits to match the file’s owner and group and its traditional permission bits. The three base ACL entries are:

1. Base ACL entry for the file’s owner: (uid.%, mode)
2. Base ACL entry for the file’s group: (%.gid, mode)
3. Base ACL entry for other users: (%.%, mode)

The basic form of an ACL entry is (user.group, mode). user and group can be represented by names or ID numbers; mode is represented by a letter (r, w, and x if the corresponding access is granted, or a dash “-” if the access is denied). Two special symbols may also be used:

1. % symbol, representing no specific user or group
2. @ symbol, representing the current file owner or group

ACLs are superimposed on the file’s traditional permissions; however, managing ACLs does not affect the traditional file mode. There is no way to change the traditional file permissions by using ACL-specific commands (the opposite is not true because base ACL entries are synchronized with the traditional file permissions). Both the traditional UNIX command chmod and ACL-specific commands may be used to change base ACL entries.

Optional ACL entries contain additional access control information, which the privileged user can set with the available ACL-specific commands to further allow or deny file access.

Up to 13 additional user/group combinations may be specified. For example, the following optional ACL entries could be associated with the presented file datafile:

(mhr.admin, rwx)   Grant read, write, and execute access to user mhr in group admin
(mnm.%, ---)       Deny any access to user mnm in no specific group (any group)

ACL entries are unique; there can be only one (user.group, mode) entry for any pair of user and group values; one (user.%, mode) entry for a given value of user; one (%.group, mode) entry for a given value of group; and one (%.%, mode) entry for each file.
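The (user.group, mode) model described above, as an added Python example (not code from the book): it builds the three base entries from a file's traditional mode string, accepts optional entries written with % and @, enforces the uniqueness rule and the 13-optional-entry limit, and resolves access for one user-ID/group-ID pair. It assumes the specificity order user.group > user.% > %.group > %.%, which is how the text's restrictive and permissive entries override the less specific base entries.

```python
# Added example (not the book's code): resolver for the (user.group, mode)
# model. Assumes the specificity order user.group > user.% > %.group > %.%.
MODE_BITS = {"r": 4, "w": 2, "x": 1}

def parse_mode(mode):
    """'rwx', 'r-x', '---' -> integer 0..7; a dash means the right is denied."""
    if not (len(mode) == 3 and mode[0] in "r-" and mode[1] in "w-" and mode[2] in "x-"):
        raise ValueError(f"bad mode {mode!r}")
    return sum(MODE_BITS[c] for c in mode if c != "-")

def mode_str(bits):
    """Inverse of parse_mode: 5 -> 'r-x'."""
    return "".join(c if bits & b else "-" for c, b in MODE_BITS.items())

class Acl:
    """ACL of one file: three base entries plus up to 13 optional entries."""

    def __init__(self, owner, group, perms):
        # perms is the traditional 9-character mode string, e.g. 'rwxr-xr--'
        self.owner, self.group = owner, group
        self.entries = {
            (owner, "%"): parse_mode(perms[0:3]),  # base entry (uid.%, mode)
            ("%", group): parse_mode(perms[3:6]),  # base entry (%.gid, mode)
            ("%", "%"): parse_mode(perms[6:9]),    # base entry (%.%, mode)
        }

    def add(self, text):
        """Add or replace an entry written as '(mhr.admin, rwx)'. '%' means no
        specific user/group, '@' the file's owner/group. Entries are unique
        per (user, group) pair, so a repeated pair replaces the old mode."""
        who, mode = text.strip("() ").split(",")
        user, grp = (f.strip() for f in who.split("."))
        key = (self.owner if user == "@" else user,
               self.group if grp == "@" else grp)
        if key not in self.entries and len(self.entries) >= 3 + 13:
            raise ValueError("at most 13 optional ACL entries per file")
        self.entries[key] = parse_mode(mode.strip())

    def effective(self, user, group):
        """Mode for one user-ID/group-ID combination. The most specific
        matching entry decides, so a restrictive (mnm.%, ---) entry denies
        mnm although the (%.admin, r-x) and (%.%, r--) base entries would
        grant access, and a permissive (mhr.admin, rwx) entry grants more."""
        for key in ((user, group), (user, "%"), ("%", group), ("%", "%")):
            if key in self.entries:
                return self.entries[key]
```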

There are several UNIX commands to manage ACLs, and they are all UNIX-flavor specific. Although they all have essentially the same mission, they have different command names. We will focus on Solaris-specific ACL commands.

The getfacl command is available on Solaris to display discretionary file information:

getfacl [-ad] filename(s)

where

option -a      Display the filename, owner, group, and file’s ACL
option -d      Display the filename, owner, group, and default file’s ACL (if it exists)
no option      Display the filename, owner, group, file’s ACL, and default file’s ACL (if it exists)
filename       The filename in the current directory, or full-path filename (multiple filenames are separated by a space; a blank line separates displayed ACLs)

A few examples (the selected file is /etc/vfstab):

$ getfacl /etc/vfstab
# file: /etc/vfstab
# owner: root
# group: other
user::r--
group::r--	#effective:r--
mask:r--
other:r--

The first three lines specify the filename, user-owner, and group owner; they start with a pound sign (“#”). The user::r-- entry gives the permissions for the user-owner (the second field is empty). The group::r-- entry gives the permissions for the group owner (again, the second field is empty). The mask:r-- entry gives the maximum permissions allowed to any user except the user-owner, and to any group (including the group owner); it restricts the permissions specified in the other entries. The other:r-- entry gives the permissions granted to others.

To indicate when the group class permission bits restrict an ACL entry, an additional string “#effective:” specifies the actual permissions granted on the same line as the restricted entry; the string is separated from the entry by a tab character.

$ cd /etc
$ getfacl vfstab
# file: vfstab
# owner: root
# group: other
user::r--
group::r--	#effective:r--
mask:r--
other:r--

This is the same command as in the previous example, except that the relative filename was specified.

$ getfacl -a vfstab
# file: vfstab
# owner: root
# group: other
user::r--
group::r--	#effective:r--
mask:r--
other:r--

For this file, “option -a” and “no option” display the same output because there is no default ACL.

$ getfacl -d vfstab
# file: vfstab
# owner: root
# group: other

Only the first three lines are displayed because there is no default ACL.

The Solaris setfacl command is available to modify an ACL for a file or files. Two forms of the command may be used:

setfacl [-r] [-s | -m | -d] acl_entries filename(s)
setfacl [-r] [-f] acl_file filename(s)

where

option -r Recalculates the permissions for the file’s group class entry (known as the mask entry). These permissions are ignored and replaced by the maximum permissions needed for the file group class, to grant access to any additional user, owning group, and additional group entries in the ACL. The permissions for these entities remain unchanged.

option -s Sets the ACL to the entries specified on the command line; all old ACL entries are removed and replaced with the newly specified ACL.

option -m Adds one or more new ACL entries, and/or modifies one or more existing ACL entries; when modified, the specified permissions will replace the current permissions.

option -d Deletes one or more ACL entries; the file owner, owning group, and others may not be deleted. Deleting an ACL entry does not necessarily have the same effect as removing all permissions from the entry by modifying the entry itself (an ACL entry superimposes on traditional file permissions).

option -f Sets the ACL to the entries contained within the file named acl_file on the command line (see acl_file); the same constraints on the specified entries hold for the acl_file as with the -s option.

acl_entries One or more comma-separated ACL entries of the following format (not all entries are applicable to all options):

u[ser]::operm | perm
u[ser]:uid:operm | perm
g[roup]::operm | perm
g[roup]:gid:operm | perm
m[ask]:operm | perm
o[ther]:operm | perm
d[efault]:u[ser]::operm | perm
d[efault]:u[ser]:uid:operm | perm
d[efault]:g[roup]::operm | perm
d[efault]:g[roup]:gid:operm | perm
d[efault]:m[ask]:operm | perm
d[efault]:o[ther]:operm | perm

where perm is a permissions string composed of the letters r (read), w (write), and x (execute); the dash (-) may be specified as a placeholder.

operm is an octal representation of the above permissions: 7 -> all permissions (rwx), 0 -> no permissions (---).

uid is a login name or user ID; for the user-owner it is empty.

gid is a group name or group ID; for the group-owner it is empty.

acl_file The file that contains ACL entries; an ACL entry is specified as a single line. Comments are permitted and they start with a pound sign (#). The file can be created as an output of the getfacl command.
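The acl_entries syntax and the mask behaviour described above, as an added Python example (not code from the book or from Solaris): it parses comma-separated entries in the u/g/m/o forms with either perm or operm, renders them the way getfacl displays them with the "#effective:" column on every group-class entry, and reproduces the -r recalculation of the mask. Default (d[efault]:) entries are left out of scope.

```python
# Added example (not the book's or Solaris' code); see the lead-in above.
import re
BITS = {"r": 4, "w": 2, "x": 1}
TAGS = {"u": "user", "g": "group", "m": "mask", "o": "other"}
# The mask restricts every user except the owner and every group entry.
in_group_class = lambda tag, ident: tag == "group" or (tag == "user" and ident != "")

def perm_bits(perm):
    """perm ('rwx', 'r--', '-' as placeholder) or operm ('0'..'7') -> int."""
    if re.fullmatch(r"[0-7]", perm):
        return int(perm)
    if re.fullmatch(r"[r-][w-][x-]", perm):
        return sum(BITS[c] for c in perm if c != "-")
    raise ValueError(f"bad permission {perm!r}")

def perm_str(bits):
    return "".join(c if bits & b else "-" for c, b in BITS.items())

def parse_entries(text):
    """'u::rw-,u:mhr:7,g::r-x,m:r--,o:r--' -> [(tag, id, bits), ...]; tags may
    be abbreviated (u/g/m/o) and owner entries have an empty id field."""
    out = []
    for raw in text.split(","):
        fields = raw.split(":")
        tag = next((v for k, v in TAGS.items() if fields[0] in (k, v)), None)
        if tag in ("user", "group") and len(fields) == 3:
            out.append((tag, fields[1], perm_bits(fields[2])))
        elif tag in ("mask", "other") and len(fields) == 2:
            out.append((tag, "", perm_bits(fields[1])))
        else:
            raise ValueError(f"malformed ACL entry {raw!r}")
    return out

def recalculate_mask(entries):
    """setfacl -r: the mask becomes the union of the additional-user,
    owning-group and additional-group permissions; nothing else changes."""
    needed = 0
    for tag, ident, bits in entries:
        needed |= bits if in_group_class(tag, ident) else 0
    return [(t, i, needed if t == "mask" else b) for t, i, b in entries]

def render(entries):
    """getfacl-style lines; as in the sample output above, every group-class
    entry gets a '#effective:' column showing its bits AND the mask."""
    mask = next((b for t, _, b in entries if t == "mask"), 7)
    lines = []
    for tag, ident, bits in entries:
        line = f"{tag}:{ident + ':' if tag in ('user', 'group') else ''}{perm_str(bits)}"
        if in_group_class(tag, ident):
            line += f"\t#effective:{perm_str(bits & mask)}"
        lines.append(line)
    return lines
```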
