Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: setting ACL's
Special Forums Cybersecurity setting ACL's Post 3917 by Neo on Friday 13th of July 2001 02:19:27 PM
Old 07-13-2001
Yes, an ACL layer in the kernel /systemuses these functions. Sorry, I was talking more generic. You can do most of what you described in your original post with chown and chmod and don't need complex ACLs.

You said:
Quote:
My idea is, that when a file is created by user x, and the default owning user is y, the ownership is set to y.
This can be done with an SUID script in the shell and does not require the complexity of ACLs. Most organizations that I have worked with set up ACLs do so at the system call and system object level; not at the user file permissions level. ACLs slow down performance and there needs to be a very compelling to use them.

In your original post, the compelling reason to use lower level ACLs is not obvious to me. That is why I suggested a chown wrapper.

 

10 More Discussions You Might Find Interesting

1. Programming

i can't use 'make' in my computer?

I need to compile a file,but 'make' does not work.please tell me how to use it or need which tools? (3 Replies)
Discussion started by: dsun5
3 Replies

2. Shell Programming and Scripting

Clearify what it means under 'WHAT' when hit the 'w'-command

I wonder how I shall read the result below, especially 'what' shown below. The result was shown when I entered 'w'. E.g what is TOP? What is gosh ( what does selmgr mean?)? login@ idle JCPU PCPU what 6:15am 7:04 39 39 TOP 6:34am 6:45 45 45 TOP 6:41am ... (1 Reply)
Discussion started by: Aelgen
1 Replies

3. UNIX for Dummies Questions & Answers

HELP! The '/var/adm/message' file increase every few seconds???

Hi, guys, I have a big problem. I've got a sun solaris 4.1.4 workstation, and the /var/adm/message file will add one row every few seconds. It becomes a large file in a short time. I wander if there are some mistakes configuring the workstation. the /var/adm/message is as follow: ... (3 Replies)
Discussion started by: cloudsmell
3 Replies

4. UNIX for Dummies Questions & Answers

quoting echo 'it's friday'

echo 'it's friday' why appear the > (3 Replies)
Discussion started by: yls177
3 Replies

5. UNIX for Advanced & Expert Users

How to remove a file with a leading dash '-' in it's name?

Somehow someone created a file named '-ov' in the root directory. Given the name, the how was probably the result of some cpio command they bozo'ed. I've tried a number of different ways to get rid of it using * and ? wildcards, '\' escape patterns etc.. They all fail with " illegal option --... (3 Replies)
Discussion started by: GSalisbury
3 Replies

6. Shell Programming and Scripting

What are the differences between 'bash' and 'sh'

Hopefully this doesn't come off as too much of a "newbie" question or a flamebait. But I have recently begun working with a Sun Solaris box after having spent the past five years working with RedHat. From what i can tell, thing look fairly similar and the 'man' command is some help. But I've... (7 Replies)
Discussion started by: deckard
7 Replies

7. Linux

setting acl on linux

Hi, while setting access control list I am getting error "Operation NOt Supported" Example :user A wants full access on test directory /home/user B/test, I dont want to add in secondary group bcz group has read permission, (1 Reply)
Discussion started by: manoj.solaris
1 Replies

8. AIX

setting acl

Hi, I want to know how to set acl in aix via smitty and shell prompt, wheather we needs to install additional packages. (0 Replies)
Discussion started by: manoj.solaris
0 Replies

9. UNIX for Dummies Questions & Answers

setting up ACL in Apache

Folks; How can i setup ACL in Apache so i can give a group of users (defined by their emails (all users under *@red.com) access to a web page? (10 Replies)
Discussion started by: moe2266
10 Replies

10. UNIX for Beginners Questions & Answers

Help setting ACL's

Folks, Solaris 10 issue When I add a new directory to a path, I only get the "group@" line in the ACL The parent directory ACL is drwxrws---+ 12 root teama 12 Jul 18 10:31 . owner@:rwxp-DaARWc---:------:allow group@:rwxp-DaARWc--s:fd----:allow ... (0 Replies)
Discussion started by: wilberforce
0 Replies

LEARN ABOUT REDHAT

smbcacls

SMBCACLS(1)															       SMBCACLS(1)

NAME

       smbcacls - Set or get ACLs on an NT file or directory names

SYNOPSIS

       smbcacls  //server/share  filename [ -U username ]  [ -A acls ]	[ -M acls ]  [ -D acls ]  [ -S acls ]  [ -C name ]  [ -G name ]  [ -n ]  [
       -h ]

DESCRIPTION

       This tool is part of the  Samba suite.

       The smbcacls program manipulates NT Access Control Lists (ACLs) on SMB file shares.

OPTIONS

       The following options are available to the smbcacls program.  The format of ACLs is described in the section ACL FORMAT

       -A acls
	      Add the ACLs specified to the ACL list. Existing access control entries are unchanged.

       -M acls
	      Modify the mask value (permissions) for the ACLs specified on the command line. An error will be printed for each ACL specified that
	      was not already present in the ACL list

       -D acls
	      Delete  any ACLs specified on the command line.  An error will be printed for each ACL specified that was not already present in the
	      ACL list.

       -S acls
	      This command sets the ACLs on the file with only the ones specified on the command line. All other ACLs are erased.  Note  that  the
	      ACL specified must contain at least a revision, type, owner and group for the call to succeed.

       -U username
	      Specifies  a username used to connect to the specified service. The username may be of the form "username" in which case the user is
	      prompted to enter in a password and the workgroup specified in the smb.conf file is used, or  "username%password"  or  "DOMAINuser-
	      name%password" and the password and workgroup names are used as provided.

       -C name
	      The  owner of a file or directory can be changed to the name given using the -C option.  The name can be a sid in the form S-1-x-y-z
	      or a name resolved against the server specified in the first argument.

	      This command is a shortcut for -M OWNER:name.

       -G name
	      The group owner of a file or directory can be changed to the name given using the -G option. The name can  be  a	sid  in  the  form
	      S-1-x-y-z or a name resolved against the server specified n the first argument.

	      This command is a shortcut for -M GROUP:name.

       -n     This  option  displays  all  ACL information in numeric format. The default is to convert SIDs to names and ACE types and masks to a
	      readable string format.

       -h     Print usage information on the smbcacls program.

ACL FORMAT

       The format of an ACL is one or more ACL entries separated by either commas or newlines. An ACL entry is one of the following:

       REVISION:<revision number>
       OWNER:<sid or name>
       GROUP:<sid or name>
       ACL:<sid or name>:<type>/<flags>/<mask>

       The revision of the ACL specifies the internal Windows NT ACL revision for the security descriptor.  If not specified  it  defaults  to	1.
       Using values other than 1 may cause strange behaviour.

       The  owner  and group specify the owner and group sids for the object. If a SID in the format CWS-1-x-y-z is specified this is used, other-
       wise the name specified is resolved using the server on which the file or directory resides.

       ACLs specify permissions granted to the SID. This SID again can be specified in CWS-1-x-y-z format or  as  a  name  in  which  case  it	is
       resolved against the server on which the file or directory resides. The type, flags and mask values determine the type of access granted to
       the SID.

       The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to the SID. The flags values are generally zero for file  ACLs  and
       either 9 or 2 for directory ACLs. Some common flags are:

       o #define SEC_ACE_FLAG_OBJECT_INHERIT 0x1

       o #define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2

       o #define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4

       o #define SEC_ACE_FLAG_INHERIT_ONLY 0x8

       At present flags can only be specified as decimal or hexadecimal values.

       The mask is a value which expresses the access right granted to the SID. It can be given as a decimal or hexadecimal value, or by using one
       of the following text strings which map to the NT file permissions of the same name.

       o R - Allow read access

       o W - Allow write access

       o X - Execute permission on the object

       o D - Delete the object

       o P - Change permissions

       o O - Take ownership

       The following combined permissions can be specified:

       o READ - Equivalent to 'RX' permissions

       o CHANGE - Equivalent to 'RXWD' permissions

       o FULL - Equivalent to 'RWXDPO' permissions

EXIT STATUS

       The smbcacls program sets the exit status depending on the success or otherwise of the operations performed.  The exit status may be one of
       the following values.

       If  the	operation  succeeded, smbcacls returns and exit status of 0. If smbcacls couldn't connect to the specified server, or there was an
       error getting or setting the ACLs, an exit status of 1 is returned. If there was an error parsing any command line arguments, an exit  sta-
       tus of 2 is returned.

VERSION

       This man page is correct for version 2.2 of the Samba suite.

AUTHOR

       The  original  Samba  software  and  related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

       smbcacls was written by Andrew Tridgell and Tim Potter.

       The conversion to DocBook for Samba 2.2 was done by Gerald Carter

								 19 November 2002						       SMBCACLS(1)
All times are GMT -4. The time now is 11:12 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy