|
|
Sponsored Content
12-12-2000
Administrator
ACLs are a kernel (core build of the OS) extension and the way ACLs are implemented are dependent on the UNIX variety. Some UNIXes support ACLs, other do not. Please specify the kernel details of the UNIX you are running.
Quite a few years ago I was hanging with Linus and crew at the 1st Linux conference in Amsterdam. I pleaded with Linus to add ACLs and ACL event logging to the Linux kernel so my more security minded clients could run Linux. I am not sure if Linus ever added ACLs to the Linux kernel. He was dead-set against it many years ago (this was around 1994 so things might have changed).
I know HPUX has a very nice ACL system in the kernel. In fact, the HPUX ACLs are so good that many high-availability systems run HPUX for that reason. ACLs in HPUX can be set for things like kernel system calls, etc. The entire system can be set up to monitor and log system calls that the administrator deems necessary for security.
Systems that do not implement ACLs with a high degree of granularity are not normally used in high-assurance systems. (Let's don't get into defining 'high-assurance' in this thread, OK
)
[Edited by Neo on 12-13-2000 at 02:19 AM]
Quite a few years ago I was hanging with Linus and crew at the 1st Linux conference in Amsterdam. I pleaded with Linus to add ACLs and ACL event logging to the Linux kernel so my more security minded clients could run Linux. I am not sure if Linus ever added ACLs to the Linux kernel. He was dead-set against it many years ago (this was around 1994 so things might have changed).
I know HPUX has a very nice ACL system in the kernel. In fact, the HPUX ACLs are so good that many high-availability systems run HPUX for that reason. ACLs in HPUX can be set for things like kernel system calls, etc. The entire system can be set up to monitor and log system calls that the administrator deems necessary for security.
Systems that do not implement ACLs with a high degree of granularity are not normally used in high-assurance systems. (Let's don't get into defining 'high-assurance' in this thread, OK
)[Edited by Neo on 12-13-2000 at 02:19 AM]
|
|
8 More Discussions You Might Find Interesting
1. AIX
Hi,
I want to know how to set acl in aix via smitty and shell prompt, wheather we needs to install additional packages. (0 Replies)
Discussion started by: manoj.solaris
0 Replies
2. Shell Programming and Scripting
Hi,
I generated a script that will create the list of dir/sub-dir and will allow to create the same on diff server. this is what i have done :
#!/bin/ksh
# Script to migrate the directory between the two servers.
# Ver 0.1
# Author Krishna. D
# c - create and e - extract directory
if ;... (1 Reply)
Discussion started by: krishnadvn
1 Replies
3. Linux
Hi, I want to know what does the "effective" comment means in the output of the getfacl and whether it has to do with the acl mask...
thanks (0 Replies)
Discussion started by: Gartlar
0 Replies
4. Solaris
Can i get the synopsis for add multiple users in single command for ACL access for a directory or a file
thanks in advance
dinu (3 Replies)
Discussion started by: dinu
3 Replies
5. HP-UX
Hello,
I try to find what year HP-UX got support for ACL (Access Control List)? I know that HP-UX was the first Unix with ACL support, but it is very hard to find the information on when that occured.
So anyone here know when that did happen?
Any answers are appreciated,
/eXpander (1 Reply)
Discussion started by: eXpander
1 Replies
6. UNIX for Advanced & Expert Users
Hi Friends,
I went through the ACL threads that were posted in the past but none were matching to my requirement . Hence starting a new thread .
Challenge :
user : a
group : Test1
user: b
group: Test2
Say under user a i create dir /tmp/debug with the privilege of 755 and also... (3 Replies)
Discussion started by: leobreaker
3 Replies
7. UNIX for Dummies Questions & Answers
Hi..
Could someone explain about setfacl,getfacl in unix and its uses.
Regards,
Suresh (1 Reply)
Discussion started by: suresh sunkara
1 Replies
8. UNIX for Advanced & Expert Users
All,
I am trying to clear ACL's completely from all files and folders in a directory. I can get the directories as cleared as:
# owner: root
# group: root
user::rwx
group::r-x
other::rwx
default:user::rwx
default:group::r-x
default:other::r-x
What ever I do I can't remove the... (4 Replies)
Discussion started by: hburnswell
4 Replies
LEARN ABOUT OSF1
sys_attrs_sec
sys_attrs_sec(5) File Formats Manual sys_attrs_sec(5) NAME
sys_attrs_sec - sec subsystem attributes DESCRIPTION
This reference page lists and describes attributes for the Security (sec) kernel subsystem. Refer to the sys_attrs(5) reference page for an introduction to the topic of kernel subsystem attributes. In the following list, attributes preceded by an asterisk (*) can be modified at run time. Enables (enable) or disables (disable) Access Control List (ACL) access checks and default ACL inheritance on the system. See acl(4) and the Security manual for more information. Default value: disable In a TruCluster environment, the value of this attribute must be the same on all member systems. The size of the audit buffer in 1-KB units. Default value: 16 (kilobytes) Minimum value: 16 Maximum value: 1024 In a TruCluster environment, the value of this attribute must be the same on all member systems. If you are generating your own audit records and the size of these records is close to or greater than the current audit_buffer_size value, increasing this value may improve system performance. The size, in bytes, reserved for the audit site mask. Each byte can support four site-defined events. Default value: 64 (bytes) Minimum value: 1 Maximum value: 1,048,576 In a TruCluster environment, the value of this attribute must be the same on all member systems. The audit subsystem allows sites to define their own audit events (site-defined events). The site-defined events are specified in the /etc/sec/site_events file. Because the number of site-defined events is determined by the customer, the audit_site_events attribute is provided so the customer can specify how much memory the kernel needs to reserve for these events. There is no need to change this value unless there are more than 256 site-defined events. See the Security manual for more information on specifying site-defined events. A value that controls the permission bits of a file with access control lists (ACLs) as seen by an NFS Version 2 client. NFS Version 2 clients make their own file access decisions, based on their interpretation of the file's permission bits. The file permission bits may not accurately specify file access if the file has an ACL. You can specify the following values for the nfs_flatten_mode attribute to better control file access decisions by NFS Version 2 clients: Do not modify file access; send the original file per- mission bits to the NFS Version 2 client. Restrict the file access; modify the "group" and "other" fields of the file permissions so that the permission bits grant only a level of access that is granted in every ACL entry. For example, send permission bits that grant write access only if all ACL entries grant write access. Make file access more permissive; modify the "group" and "other" fields of the file permissions so that the permission bits reflect a level of access that is granted by the combination of ACL entries. For example, if some ACL entries grant read and execute permission and others grant write permission, send permission bits that grant read, write, and execute permission. Default value: 0 In a TruCluster environment, the value of this attribute must be the same on all member systems. See acl(4) for more information. The size limit, in bytes, of property list entries on UFS file systems. Default value: 8192 (bytes) Minimum value: 320 Maximum value: 18,446,744,073,709,551,615 In a TruCluster environment, the value of this attribute must be the same on all member systems. On AdvFS file systems, a property list entry has a hard size limit of 1560 bytes. The ufs_proplist_max_entry attribute facilitates interoperation of UFS and AdvFS property list entries. Set this attribute to 1560 if you want to use all property list entries on your system with both UFS and AdvFS file systems. See proplist(4) for more information about property lists. The ufs_proplist_max_entry attribute interacts with the ufs_sec_proplist_max_entry attribute. The latter is used to configure the size of ACLs on UFS file systems. Because ACLs are stored in property lists, ufs_sec_proplist_max_entry cannot be greater than (ufs_proplist_max_entry - 64) bytes. If ufs_sec_proplist_max_entry is set to exceed this limit, the value of ufs_proplist_max_entry is automatically increased. The size limit, in bytes, of ACLs on UFS file systems. Default value: 1548 (bytes) Minimum value: 256 Maximum value: 18,446,744,073,709,551,551 In a TruCluster environment, the value of this attribute must be the same on all member systems. ACLs are implemented by using property lists. On AdvFS file systems, there is a hard size limit of 1560 bytes for a property list entry. This limit allows 2548 bytes for the ACL data, or a total of 65 entries, plus the three required entries of user::, group::, and other::. Files have only one ACL, an Access ACL. Directories can have up to three ACLs: an Access ACL, a Default ACL, and a Default Directory ACL. The AdvFS limit is placed on each of the three ACLs for a directory, meaning that each can have up to 65 entries. See acl(4) and the Security manual for more information about ACLs. By default, the ufs_sec_proplist_max_entry attribute is set to ensure that the size limit of ACLs on UFS file systems is the same as the size limit of ACLs on AdvFS file systems. This ensures that ACLs on your system can be copied between UFS and AdvFS file sys- tems. It is recommended that you not modify the default setting of ufs_sec_proplist_max_entry unless you have strong need for larger ACLs. The ufs_sec_proplist_max_entry attribute interacts with the ufs_proplist_max_entry attribute. See the description of ufs_pro- plist_max_entry for a description of this relationship. SEE ALSO
Files: acl(4), proplist(4) Others: sys_attrs(5) Security sys_attrs_sec(5)