Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: setting ACL's
Special Forums Cybersecurity setting ACL's Post 3917 by Neo on Friday 13th of July 2001 02:19:27 PM
Old 07-13-2001
Yes, an ACL layer in the kernel /systemuses these functions. Sorry, I was talking more generic. You can do most of what you described in your original post with chown and chmod and don't need complex ACLs.

You said:
Quote:
My idea is, that when a file is created by user x, and the default owning user is y, the ownership is set to y.
This can be done with an SUID script in the shell and does not require the complexity of ACLs. Most organizations that I have worked with set up ACLs do so at the system call and system object level; not at the user file permissions level. ACLs slow down performance and there needs to be a very compelling to use them.

In your original post, the compelling reason to use lower level ACLs is not obvious to me. That is why I suggested a chown wrapper.

 

10 More Discussions You Might Find Interesting

1. Programming

i can't use 'make' in my computer?

I need to compile a file,but 'make' does not work.please tell me how to use it or need which tools? (3 Replies)
Discussion started by: dsun5
3 Replies

2. Shell Programming and Scripting

Clearify what it means under 'WHAT' when hit the 'w'-command

I wonder how I shall read the result below, especially 'what' shown below. The result was shown when I entered 'w'. E.g what is TOP? What is gosh ( what does selmgr mean?)? login@ idle JCPU PCPU what 6:15am 7:04 39 39 TOP 6:34am 6:45 45 45 TOP 6:41am ... (1 Reply)
Discussion started by: Aelgen
1 Replies

3. UNIX for Dummies Questions & Answers

HELP! The '/var/adm/message' file increase every few seconds???

Hi, guys, I have a big problem. I've got a sun solaris 4.1.4 workstation, and the /var/adm/message file will add one row every few seconds. It becomes a large file in a short time. I wander if there are some mistakes configuring the workstation. the /var/adm/message is as follow: ... (3 Replies)
Discussion started by: cloudsmell
3 Replies

4. UNIX for Dummies Questions & Answers

quoting echo 'it's friday'

echo 'it's friday' why appear the > (3 Replies)
Discussion started by: yls177
3 Replies

5. UNIX for Advanced & Expert Users

How to remove a file with a leading dash '-' in it's name?

Somehow someone created a file named '-ov' in the root directory. Given the name, the how was probably the result of some cpio command they bozo'ed. I've tried a number of different ways to get rid of it using * and ? wildcards, '\' escape patterns etc.. They all fail with " illegal option --... (3 Replies)
Discussion started by: GSalisbury
3 Replies

6. Shell Programming and Scripting

What are the differences between 'bash' and 'sh'

Hopefully this doesn't come off as too much of a "newbie" question or a flamebait. But I have recently begun working with a Sun Solaris box after having spent the past five years working with RedHat. From what i can tell, thing look fairly similar and the 'man' command is some help. But I've... (7 Replies)
Discussion started by: deckard
7 Replies

7. Linux

setting acl on linux

Hi, while setting access control list I am getting error "Operation NOt Supported" Example :user A wants full access on test directory /home/user B/test, I dont want to add in secondary group bcz group has read permission, (1 Reply)
Discussion started by: manoj.solaris
1 Replies

8. AIX

setting acl

Hi, I want to know how to set acl in aix via smitty and shell prompt, wheather we needs to install additional packages. (0 Replies)
Discussion started by: manoj.solaris
0 Replies

9. UNIX for Dummies Questions & Answers

setting up ACL in Apache

Folks; How can i setup ACL in Apache so i can give a group of users (defined by their emails (all users under *@red.com) access to a web page? (10 Replies)
Discussion started by: moe2266
10 Replies

10. UNIX for Beginners Questions & Answers

Help setting ACL's

Folks, Solaris 10 issue When I add a new directory to a path, I only get the "group@" line in the ACL The parent directory ACL is drwxrws---+ 12 root teama 12 Jul 18 10:31 . owner@:rwxp-DaARWc---:------:allow group@:rwxp-DaARWc--s:fd----:allow ... (0 Replies)
Discussion started by: wilberforce
0 Replies

LEARN ABOUT HPUX

chacl

chacl(1)						      General Commands Manual							  chacl(1)

NAME

       chacl - add, modify, delete, copy, or summarize access control lists (ACLs) of files

SYNOPSIS

       acl file ...

       acl file ...

       aclpatt file ...

       fromfile tofile	...

       file...

DESCRIPTION

       extends	the  capabilities  of  chmod(1), by enabling the user to grant or restrict file access to additional specific users and/or groups.
       Traditional file access permissions, set when a file is created, grant or restrict access to the file's	owner,	group,	and  other  users.
       These file access permissions (eg., are mapped into three base access control list entries: one entry for the file's owner (umode), one for
       the file's group g, mode), and one for other users mode).

       enables a user to designate up to thirteen additional sets of permissions (called optional access control list  (ACL)  entries)	which  are
       stored in the access control list of the file.

       To use chacl, the owner (or superuser) constructs an acl, a set of (user.group, mode) mappings to associate with one or more files.  A spe-
       cific user and group can be referred to by either name or number; any user (u), group (g), or both can be referred to with a symbol, repre-
       senting any user or group.  The @ symbol specifies the file's owner or group.

       Read,  write,  and execute/search modes are identical to those used by chmod; symbolic operators (op) add remove or set access rights.  The
       entire acl should be quoted if it contains whitespace or special characters.  Although two variants for constructing the acl are  available
       (and fully explained in acl(5)), the following syntax is suggested:

	      entry[, entry] ...

       where the syntax for an entry is

	      u.g op mode[op mode] ...

       By  default,  modifies existing ACLs.  It adds ACL entries or modifies access rights in existing ACL entries.  If acl contains an ACL entry
       already associated with a file, the entry's mode bits are changed to the new value given, or are modified by the specified  operators.	If
       the  file's  ACL  does not already contain the specified entry, that ACL entry is added.  can also remove all access to files.  Giving it a
       null acl argument means either ``no access'' (when using the option) or ``no changes.''

       For a summary of the syntax, run without arguments.

       If file is specified as reads from standard input.

   Options
       recognizes the following options:

       Replace old    ACLs with the given ACL.	All optional ACL entries are first deleted from the specified files's ACLs, their base permissions
		      are  set to zero, and the new ACL is applied.  If acl does not contain an entry for the owner (uthe group g), or other users
		      of a file, that base ACL entry's mode is set to zero (no access).  The command affects all of the file's	ACL  entries,  but
		      does not change the file's owner or group ID.

		      In chmod(1), the ``modify'' and ``replace'' operations are distinguished by the syntax (string or octal value).  There is no
		      corollary for ACLs because they have a variable number of entries.  Hence modifies specific entries by default, and  option-
		      ally replaces all entries.

       Delete the specified entries from the
		      ACLs  on all specified files.  The aclpatt argument can be an exact ACL or an ACL pattern (see acl(5)).  updates each file's
		      ACL only if entries are deleted from it.

		      If you attempt to delete a base ACL entry from any file, the entry remains but its access mode is set to zero  (no  access).
		      If  you  attempt	to  delete  a  non-existent ACL entry from a file (that is, if an ACL entry pattern matches no ACL entry),
		      informs you of the error, continues, and eventually returns non-zero.

       Copy the       ACL from fromfile to the specified tofile, transferring ownership, if necessary (see  acl(5),  chown(2),	or  chownacl(3C)).
		      fromfile can be to represent standard input.

		      This option implies the option.  If the owner and group of fromfile are identical to those of tofile, is identical to:

		      To copy an ACL without transferring ownership, the above command is suggested instead of

       Delete (``zap'') all optional entries in the specified file's
		      ACLs, leaving only base entries.

       Delete (``zap'') all optional entries in the specified file's
		      ACLs,  and  set the access modes in all base entries to zero (no access).  This is identical to replacing the old ACL with a
		      null ACL:

		      or using chmod(1), which deletes optional entries as a side effect:

       Incorporate (``fold'') optional
		      ACL entries into base ACL entries.  The base ACL entry's permission  bits are altered, if necessary, to reflect the caller's
		      effective access rights to the file; all optional entries, if any, are deleted.

		      For ordinary users, only the access mode of the owner base ACL entry can be altered.  Unlike the write bit is not turned off
		      for a file on a read-only file system or a shared-text program being executed (see getaccess(1)).

		      For super-users, only the execute mode bit in the owner base ACL entry might be changed, only if the file is not an  regular
		      file or if an execute bit is not already set in a base ACL entry mode, but is set in an optional ACL entry mode.

       acl also can be obtained from a string in a file:

       Using @ in acl to represent ``file owner or group'' can cause to run more slowly because it must reparse the ACL for each file (except with
       the option).

EXTERNAL INFLUENCES

   Environment Variables
       determines the language in which messages are displayed.

       If is not specified or is set to the empty string, a default of "C" (see lang(5)) is used instead of If any  internationalization  variable
       contains an invalid setting, behaves as if all internationalization variables are set to "C".  See environ(5).

RETURN VALUE

       If succeeds, it returns a value of zero.

       If  encounters  an error before it changes any file's ACL, it prints an error message to standard error and returns 1.  Such errors include
       invalid invocation, invalid syntax of acl (aclpatt), a given user name or group name is unknown, or inability to get an ACL  from  fromfile
       with the option.

       If  cannot  execute  the  requested operation, it prints an error message to standard error, continues, and later returns 2.  This includes
       cases when a file does not exist, a file's ACL cannot be altered, more ACL entries would result than are allowed, or an attempt is made	to
       delete a non-existing ACL entry.

EXAMPLES

       The following command adds read access for user in any group, and removes write access for any user in the files's groups, for files and

       This  command  replaces	the  ACL  on  the file open as standard input and on file with one which only allows the file owner read and write
       access.

       Delete from file the specific access rights, if any, for user 165 in group 13.  Note that this is different from adding an ACL  entry  that
       restricts access for that user and group.  The user's resulting access rights depend on the entries remaining in the ACL.  The command also
       deletes all entries for user that have a read bit turned on (the asterisk can be used as a wildcard in the ACL pattern for user, group,	or
       access mode):

       Copy the ACL from to and

       Delete the optional ACL entries, if any, on the file open as standard input.

       Deny all access to all files in the current directory whose names start with or

       Incorporate the optional ACL entries of a file into the base ACL entries:

WARNINGS

       An  ACL	string cannot contain more than 16 unique entries, even though converting @ symbols to user or group names and combining redundant
       entries might result in fewer than 16 entries for some files.

DEPENDENCIES

       will fail when the target file resides on a file system which does not support ACLs.

   NFS
       Only the option is supported on remote files.

AUTHOR

       was developed by HP.

SEE ALSO

       chmod(1), getaccess(1), lsacl(1), getacl(2), setacl(2), acl(5), glossary(9).

																	  chacl(1)
All times are GMT -4. The time now is 11:58 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy