ACL Permissions for Files

You can set the following permissions for UFS files:

  u[ser]::<perm> Sets the permissions for the owner of the file.
  g[roup]::<perm> Sets the permissions for the owner's group.
  o[ther]::<perm> Sets the permissions for users other than the owner or members of the owner's group.
  m[ask]::<perm> Sets the ACL mask. The mask entry indicates the maximum permissions allowed for users other than the owner and for groups. Using the mask is a quick way to change the effective permissions of all of those users and groups at once. For example, a mask entry of mask:r-- (or, in octal, mask:4) means that those users and groups cannot have more than read permission, even though their own entries may grant write or execute permission.
  u[ser]:<UID> | <username>:<perm> Sets the permissions for a specific user.
  g[roup]:<GID> | <groupname>:<perm> Sets the permissions for a specific group.

ACL Permissions for Directories

You can set default ACL entries on a directory that apply to files subsequently created within that directory. Files created in a directory that has default ACL entries will have the same ACL entries as the directory.

When you set default ACL entries for specific users and groups on a directory for the first time, you must also set default ACL entries for the owner, owner's group, others, and the mask.

  d[efault]:u[ser]::<perm> Sets the default permissions for the owner of the directory.
  d[efault]:g[roup]::<perm> Sets the default permissions for the owner's group.
  d[efault]:o[ther]::<perm> Sets the default permissions for users other than the owner or members of the owner's group.
  d[efault]:m[ask]::<perm> Sets the default ACL mask.
  d[efault]:u[ser]:<UID>:<perm> Sets the default permissions for a specific user.
  d[efault]:g[roup]:<GID>:<perm> Sets the default permissions for a specific group.

Determining If a File Has an ACL

You can determine if a file has an ACL in one of two ways:

  By using the ls -l command
  By using the getfacl command

When you use the ls -l command, any file that has an ACL displays a plus (+) sign to the right of the mode field.


NOTE:  If you define an ACL for a file and do not specify any additional users or groups, the plus sign is not displayed to the right of the mode field even though the file has a basic ACL. The plus sign is displayed only if additional users or groups are included in the ACL.

In the following example, the file foo has an ACL and at least one entry in the list:

castle% ls -l foo
-rwxrw----+  1 winsor  staff      0 Oct 3 14:22 foo
castle%

When you use the getfacl <filename> command with no options, the ACL information for the file is displayed in the following format:

# file: filename
# owner: uid
# group: gid
user::perm
user:uid:perm
group::perm
group:gid:perm
mask:perm
other:perm
default:user::perm
default:user:uid:perm
default:group::perm
default:group:gid:perm

The ACL for the file foo in the following example gives the owner of the file rwx permissions and user ray read-only permissions:

castle% getfacl foo

# file: foo
# owner: winsor
# group: staff
user::rwx
user:ray:r--         #effective:r--
group::rw-           #effective:rw-
mask:rw-
other:---
castle%


NOTE:  You can use the getfacl command to display permissions on any UFS file or directory in the same format. The file does not need to have an ACL.

For comparison, the following example shows the output of the ls -l and getfacl commands for the file bar, which does not have an ACL.

castle% ls -l bar
-rwxrw----       1 winsor  staff     0 Oct 3 14:22 bar
castle% getfacl bar

# file: bar
# owner: winsor
# group: staff
user::rwx
group::rw-           #effective:rw-
mask:rw-
other:---
castle%

Setting ACL File Permissions

Use the setfacl command to set ACL permissions on a file. You can set the permissions for a file or a group of files from a command line or by listing the permissions in a file and using the file as an argument to the setfacl command. You can specify the permissions with the following syntax:

u[ser]::<perm>
u[ser]:uid:<perm>
g[roup]::<perm>
g[roup]:gid:<perm>
m[ask]:<perm>
o[ther]:<perm>
d[efault]:u[ser]::<perm>
d[efault]:u[ser]:uid:<perm>
d[efault]:g[roup]::<perm>
d[efault]:g[roup]:gid:<perm>
d[efault]:m[ask]:<perm>
d[efault]:o[ther]:<perm>


NOTE:  You can use either octal or symbolic values to set permissions.

On a command line, use a comma to separate each permission statement. In an ACL file, put each statement on a separate line. The statements do not need to be in any particular order.
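As an added example (not from the book or from Solaris itself), the following Python helper reads the getfacl output format shown above, or a setfacl ACL file with one statement per line, and applies the mask entry the way UFS does to reproduce the #effective column; the sample ACL is constructed, and the helper goes slightly beyond the text by accepting octal digits as well as symbolic permissions. It is useful when auditing ACLs, because it lists the entries whose granted permissions are silently clipped by the mask.

```python
def perm_to_bits(perm):
    """Convert symbolic 'rw-' or an octal digit such as '6' to an integer 0..7."""
    if perm.isdigit():
        return int(perm) & 7
    return (4 if "r" in perm else 0) | (2 if "w" in perm else 0) | (1 if "x" in perm else 0)

def bits_to_perm(bits):
    """Convert 0..7 back to the three-character form getfacl prints."""
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")

def parse_acl(text):
    """Parse getfacl output or a setfacl ACL file into (default, tag, qualifier, bits)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '# file:' headers and #effective notes
        if not line:
            continue
        fields = line.split(":")
        default = fields[0] == "default"
        if default:
            fields = fields[1:]
        tag, perm = fields[0], fields[-1]
        qualifier = fields[1] if len(fields) == 3 else ""  # mask/other carry no qualifier
        entries.append((default, tag, qualifier, perm_to_bits(perm)))
    return entries

def effective_perms(entries):
    """Apply the mask as UFS does: it caps named users, the owning group and named
    groups; the owner entry (user::) and other are never masked. Returns
    {entry: (nominal, effective)} with a 'default:' prefix for default entries."""
    mask = {d: b for d, tag, _, b in entries if tag == "mask"}
    result = {}
    for default, tag, qualifier, bits in entries:
        is_masked = tag == "group" or (tag == "user" and qualifier != "")
        eff = bits & mask.get(default, 7) if is_masked else bits
        key = ("default:" if default else "") + (f"{tag}:{qualifier}" if qualifier else tag)
        result[key] = (bits_to_perm(bits), bits_to_perm(eff))
    return result

def clipped_by_mask(entries):
    """Entries that are granted more than the mask allows (nominal != effective)."""
    return sorted(k for k, (nominal, eff) in effective_perms(entries).items() if nominal != eff)

# Constructed sample in the getfacl format above: ray is granted rw- but the mask is r--.
SAMPLE = """# file: foo
user::rwx
user:ray:rw-
group::rw-
mask:r--
other:---
"""
```

Calling `clipped_by_mask(parse_acl(SAMPLE))` reports `group` and `user:ray`, the two entries whose write bit the mask removes.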
