Monday, August 29, 2011

Access Control Lists (ACLs) in AIX


I have a directory named "/data" and a user called "steve".
To enable the ACL on this directory and grant specific permissions to a user, type
# acledit /data
A screen like this will appear:
attributes:
base permissions
owner(root): rwx
group(system): r-x
others: r-x
extended permissions
disabled
Using "vi" commands, change the extended permissions to "enabled", and add the specific permissions, like this:
attributes: SGID
base permissions
owner(root): rwx
group(system): rwx
others: ---
extended permissions
enabled
permit rwx u:steve
permit r-x g:group
permit rw- u:test
------------------------------------------------
where:
r = read
w = write
x = execute
u= user
g= group
permit: to grant access
After this, save the file (like in "vi" editor).
To list the ACLs, type
aclget /data
To copy the ACL from one directory to another, type
aclget /data | aclput /data2
Now we will save all the ACL entries to an output file called acldefs.
# aclget -o acldefs /data
Edit the file acldefs and make the necessary changes to the ACL entries. After changing the entries, save the file, since we are going to use it as the input for the next step.
Now apply the ACL, with the changes you made in the file, to another directory or file:
# aclput -i acldefs /data3
This puts the ACL specified in the acldefs file on the target, and from here you can experiment with ACLs.
Extended permissions:
AIXC ACL extended permissions allow the owner of a file to more precisely define access to that file. Extended permissions modify the base file permissions (owner, group, others) by permitting, denying, or specifying access modes for specific individuals, groups, or user and group combinations. Permissions are modified through the use of keywords.
The permit, deny, and specify keywords are defined as follows:
permit: Grants the user or group the specified access to the file
deny: Restricts the user or group from using the specified access to the file
specify: Precisely defines the file access for the user or group
If a user is denied a particular access by either a deny or a specify keyword, no other entry can override that access denial.
The enabled keyword must be specified in the ACL for the extended permissions to take effect.
The default value is the disabled keyword.
In an AIXC ACL, extended permissions are in the following format:
extended permissions:
enabled | disabled
permit Mode UserInfo...:
deny Mode UserInfo...:
specify Mode UserInfo...:
Use a separate line for each permit, deny, or specify entry. The Mode parameter is expressed as rwx (with a hyphen (-) replacing each unspecified permission). The UserInfo parameter is expressed as u:UserName, or g:GroupName, or a comma-separated combination of u:UserName and g:GroupName.
Note: If more than one user name is specified in an entry, that entry cannot be used in an access control decision because a process has only one user ID.
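To make the rules above concrete, here is a small Python evaluator, added as an example and not part of the original post or of AIX itself. It parses the text that acledit and aclget display (the same layout as the screens earlier in the post) and applies the permit, deny and specify semantics described above: extended entries are ignored unless "enabled", a bit removed by deny or specify is never given back by a permit, and an entry naming two different users never matches because a process has only one user ID. The sample ACL, the user names (steve, test, bob, alice) and the group name "staff" are constructed for the example. The post does not spell out how base permissions combine with extended entries, so the code assumes the requester starts with the base permissions of its class (owner, group or others) and matching extended entries then modify that set.

```python
"""Toy evaluator for the AIXC ACL text format shown by acledit/aclget.

Added example, not AIX code. Assumption: the requester starts with the base
permissions of its class and matching extended entries modify that set.
"""
import re

# Constructed sample in the same layout as the acledit screen.
SAMPLE_ACL = """\
attributes: SGID
base permissions
    owner(root): rwx
    group(system): rwx
    others: ---
extended permissions
    enabled
    permit rwx u:steve
    permit r-x g:staff
    deny -w- u:test,g:staff
    permit rw- u:test
    specify r-- u:bob
    permit rwx u:alice,u:carol
"""


def mode_to_set(mode):
    """'rw-' -> {'r', 'w'}; a hyphen means the permission is absent."""
    if not re.fullmatch(r"[r-][w-][x-]", mode):
        raise ValueError(f"bad mode: {mode!r}")
    return {c for c in mode if c != "-"}


def parse_acl(text):
    """Parse acledit/aclget output; any line it does not understand is an error."""
    acl = {"attributes": [], "base": {}, "enabled": False, "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("attributes:"):
            acl["attributes"] = line.split(":", 1)[1].split()
        elif line == "base permissions":
            section = "base"
        elif line == "extended permissions":
            section = "ext"
        elif section == "base":
            m = re.fullmatch(r"(owner|group|others)(?:\((\w+)\))?:\s*([rwx-]{3})", line)
            if not m:
                raise ValueError(f"bad base permission line: {line!r}")
            acl["base"][m.group(1)] = (m.group(2), mode_to_set(m.group(3)))
        elif section == "ext":
            if line in ("enabled", "disabled"):
                acl["enabled"] = line == "enabled"
                continue
            m = re.fullmatch(r"(permit|deny|specify)\s+([rwx-]{3})\s+(\S+)", line)
            if not m:
                raise ValueError(f"bad extended permission line: {line!r}")
            who = []
            for part in m.group(3).split(","):  # UserInfo: u:Name and/or g:Name
                kind, _, name = part.partition(":")
                if kind not in ("u", "g") or not name:
                    raise ValueError(f"bad UserInfo: {m.group(3)!r}")
                who.append((kind, name))
            acl["entries"].append((m.group(1), mode_to_set(m.group(2)), tuple(who)))
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return acl


def entry_matches(who, user, groups):
    """Every u: part must name the requesting user and every g: part must be one
    of its groups. A process has only one user ID, so an entry naming two
    different users can never match."""
    return all((kind == "u" and name == user) or (kind == "g" and name in groups)
               for kind, name in who)


def effective_access(acl, user, groups):
    """Return the set of permissions ('r', 'w', 'x') the user ends up with."""
    owner, owner_perms = acl["base"]["owner"]
    group, group_perms = acl["base"]["group"]
    _, other_perms = acl["base"]["others"]
    if user == owner:
        access = set(owner_perms)
    elif group in groups:
        access = set(group_perms)
    else:
        access = set(other_perms)
    if not acl["enabled"]:  # "disabled": extended entries have no effect
        return access
    denied = set()  # bits taken away by deny/specify; no permit restores them
    for keyword, mode, who in acl["entries"]:
        if not entry_matches(who, user, groups):
            continue
        if keyword == "permit":
            access |= mode
        elif keyword == "deny":
            denied |= mode
        else:  # specify: exactly these bits, everything else is denied
            access |= mode
            denied |= {"r", "w", "x"} - mode
    return access - denied


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for user, groups in [("root", ["system"]), ("steve", ["staff"]),
                         ("test", ["staff"]), ("test", []), ("bob", ["system"])]:
        print(f"{user:6} {groups}: {''.join(sorted(effective_access(acl, user, groups)))}")
```

Running the block shows, for instance, that "test" in group "staff" ends up with r-x even though a permit rw- entry for that user follows the deny entry, and that "bob" gets only read access despite being in the owning group, because the specify entry fixes his access exactly.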