ACLs allow finer-grained permissions to be set on a file or directory beyond the standard owner/group/other permissions (uog).
POSIX ACLs use the setfacl and getfacl commands to set and read ACL permissions. POSIX-style ACLs do not work on ZFS filesystems.
NFSv4-style ACLs are an upgrade over the old model and are set with chmod; getfacl and setfacl are obsolete on ZFS. They provide finer-grained permissions, including a permission that only allows appending to a file.
NFSv4-style ACLs as set on the directories:
==================================================
zone1:/root# ls -lv /opt/slw/bea/app/ines/bulk
total 161
drwxrwxrwx+ 2 myuser slw 108 Oct 21 17:07 error
0:everyone@:delete_child/write_attributes/write_acl:deny
1:group@:delete_child/write_attributes/write_acl:deny
2:group@:read_attributes/read_acl/synchronize:allow
3:group@:write_attributes/write_acl:deny
4:user:slw9:write_attributes/write_acl:deny
5:user:slw9::deny
6:user:slw9:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/execute/delete_child/read_attributes
/read_acl/synchronize:allow
7:user:slw9:write_attributes/write_acl:deny
8:user:slw:write_attributes/write_acl:deny
9:user:slw::deny
10:user:slw:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/execute/delete_child/read_attributes/read_acl
/synchronize:allow
11:user:slw:write_attributes/write_acl:deny
12:owner@::deny
13:owner@:delete_child/read_attributes/write_attributes/read_acl
/write_acl/synchronize:allow
14:everyone@:read_attributes/read_acl/synchronize:allow
15:owner@::deny
16:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
17:group@::deny
18:group@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/execute:allow
19:everyone@:write_xattr/write_attributes/write_acl/write_owner:deny
20:everyone@:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
drwxrwxrwx+ 2 myuser slw 8 Jan 25 13:39 input
0:group:slw:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data:allow
1:everyone@:delete_child/write_attributes/write_acl:deny
2:group@:delete_child/write_attributes/write_acl:deny
3:group@:read_attributes/read_acl/synchronize:allow
4:group@:write_attributes/write_acl:deny
5:user:slw9:write_attributes/write_acl:deny
6:user:slw9::deny
7:user:slw9:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/execute/delete_child/read_attributes
/read_acl/synchronize:allow
8:user:slw9:write_attributes/write_acl:deny
9:user:slw:write_attributes/write_acl:deny
10:user:slw::deny
11:user:slw:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/execute/delete_child/read_attributes/read_acl
/synchronize:allow
12:user:slw:write_attributes/write_acl:deny
13:owner@::deny
14:owner@:delete_child/read_attributes/write_attributes/read_acl
/write_acl/synchronize:allow
15:everyone@:read_attributes/read_acl/synchronize:allow
16:owner@::deny
17:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
18:group@::deny
19:group@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/execute:allow
20:everyone@:write_xattr/write_attributes/write_acl/write_owner:deny
21:everyone@:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
drwxrwxr-x+ 2 myuser slw 3 Jan 26 11:00 processing
<..........>
As with standard (POSIX) ACLs, the '+' after the mode bits indicates that ACL entries are set on the directory.
==============================================================================
zone1:/root# cd /opt/slw/bea/app/ines/bulk
zone1:/opt/slw/bea/app/ines/bulk# ls -l
total 161
drwxrwxrwx+ 2 myuser slw 108 Oct 21 17:07 error
drwxrwxrwx+ 2 myuser slw 8 Jan 25 13:39 input
drwxrwxr-x+ 2 myuser slw 3 Jan 26 11:00 processing
drwxrwxrwx+ 2 myuser slw 2 Jul 20 2010 retry
drwxrwxrwx+ 2 myuser slw 145 Oct 21 17:02 success
Adding an ACL entry to a directory
============================================================
zone1:/opt/slw/bea/app/ines/bulk# mkdir TEST
zone1:/opt/slw/bea/app/ines/bulk#
zone1:/opt/slw/bea/app/ines/bulk# chown myuser:slw TEST
zone1:/opt/slw/bea/app/ines/bulk#
zone1:/opt/slw/bea/app/ines/bulk#
zone1:/opt/slw/bea/app/ines/bulk# ls -l
total 164
drwxr-xr-x 2 myuser slw 2 Jan 26 11:32 TEST
zone1:/opt/slw/bea/app/ines/bulk# chmod A02=owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow TEST
zone1:/opt/slw/bea/app/ines/bulk# ls -dv TEST
drwxr-xr-x+ 2 myuser slw 2 Jan 26 11:32 TEST
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
3:group@:list_directory/read_data/execute:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
zone1:/opt/slw/bea/app/ines/bulk# chmod A6=user:slw9:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/execute/delete_child/read_attributes/read_acl/synchronize:allow TEST
zone1:/opt/slw/bea/app/ines/bulk# chmod A7=user:slw9:write_attributes/write_acl:deny TEST
zone1:/opt/slw/bea/app/ines/bulk# chmod A8=user:slw:write_attributes/write_acl:deny TEST
zone1:/opt/slw/bea/app/ines/bulk# chmod A9=user:slw::deny TEST
zone1:/opt/slw/bea/app/ines/bulk#
zone1:/opt/slw/bea/app/ines/bulk# ls -dv TEST
dr-xr-xr-x+ 2 myuser slw 2 Jan 26 11:32 TEST
0:everyone@:delete_child/write_attributes/write_acl:deny
1:group@:delete_child/write_attributes/write_acl:deny
2:group@:read_attributes/read_acl/synchronize:allow
3:group@:write_attributes/write_acl:deny
4:user:slw9:write_attributes/write_acl:deny
5:user:slw9::deny
6:user:slw9:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/execute/delete_child/read_attributes
/read_acl/synchronize:allow
7:user:slw9:write_attributes/write_acl:deny
8:user:slw:write_attributes/write_acl:deny
9:user:slw::deny
10:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
11:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
Removing the ACL entries set on a directory
=====================================================
zone1:/opt/slw/bea/app/ines/bulk# chmod A9- TEST
zone1:/opt/slw/bea/app/ines/bulk# chmod A8- TEST
zone1:/opt/slw/bea/app/ines/bulk# chmod A7- TEST
zone1:/opt/slw/bea/app/ines/bulk# chmod A6- TEST
zone1:/opt/slw/bea/app/ines/bulk#
zone1:/opt/slw/bea/app/ines/bulk# ls -dv TEST
drwxrwxr-x 2 myuser slw 2 Jan 26 11:32 TEST
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@::deny
3:group@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/execute:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
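To see what a listing like the one on TEST actually grants, here is an added example (not code from the original post) that parses `ls -v` output and evaluates it the way NFSv4 ACLs are evaluated on ZFS: entries are walked in order, and the first entry that mentions a permission bit for a matching principal decides that bit. The sample listing is constructed from the TEST output above; that myuser owns TEST and that slw9 is not a member of group slw are assumptions.

```python
# Added example (not the post's code): parse an `ls -v` NFSv4 ACL listing and
# compute each principal's effective bits. SAMPLE is constructed from the TEST
# listing above; ownership and group membership are caller-supplied assumptions.
import re
SAMPLE = """\
0:everyone@:delete_child/write_attributes/write_acl:deny
1:group@:delete_child/write_attributes/write_acl:deny
2:group@:read_attributes/read_acl/synchronize:allow
3:group@:write_attributes/write_acl:deny
4:user:slw9:write_attributes/write_acl:deny
5:user:slw9::deny
6:user:slw9:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/execute/delete_child/read_attributes
/read_acl/synchronize:allow
7:user:slw9:write_attributes/write_acl:deny
8:user:slw:write_attributes/write_acl:deny
9:user:slw::deny
10:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
11:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
"""
ACE = re.compile(r"^(\d+):(\w+@|user:[^:]+|group:[^:]+):([^:]*):(allow|deny)$")

def parse_acl(listing):
    """Return [(index, who, set_of_perms, kind)]; ls -v wraps long entries onto
    lines that begin with '/', so those are glued back onto the entry first."""
    text = re.sub(r"\n/", "/", listing)
    aces = []
    for line in text.splitlines():
        m = ACE.match(line)
        if not m:
            raise ValueError("unparsable ACE: " + line)
        idx, who, perms, kind = m.groups()
        aces.append((int(idx), who, {p for p in perms.split("/") if p}, kind))
    return aces

def effective(aces, user, groups, owner, owning_group):
    # Walk entries in order: a bit is settled by the first matching entry
    # that names it, whether that entry is an allow or a deny.
    allowed, decided = set(), set()
    for _, who, perms, kind in aces:
        applies = (who == "everyone@" or who == "user:" + user
                   or (who == "owner@" and user == owner)
                   or (who == "group@" and owning_group in groups)
                   or (who.startswith("group:") and who[6:] in groups))
        if applies:
            fresh = perms - decided
            decided |= fresh
            if kind == "allow":
                allowed |= fresh
    return allowed
```

Run against that sample, it shows that entry 0 (everyone@ denying delete_child) wins over the later user:slw9 allow of the same bit, and that the owner is left with read-only bits, which is exactly what the dr-xr-xr-x mode string on TEST reports.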
=====================================================
Removing the ACL entries one by one
=====================================================
zone2:/opt/slw/bea/app/ines/bulk# ls -dv retry
drwxrwxrwx+ 2 myuser slw 2 Jul 8 2010 retry
0:group:slw:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data:allow
1:everyone@:delete_child/write_attributes/write_acl:deny
2:everyone@:read_attributes/read_acl/synchronize:allow
3:group@:delete_child/write_attributes/write_acl:deny
4:group@:read_attributes/read_acl/synchronize:allow
5:group@:write_attributes/write_acl:deny
6:user:slw9:write_attributes/write_acl:deny
7:user:slw9::deny
8:user:slw9:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/execute/delete_child/read_attributes
/read_acl/synchronize:allow
9:user:slw9:write_attributes/write_acl:deny
10:user:slw:write_attributes/write_acl:deny
11:user:slw::deny
12:user:slw:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/execute/delete_child/read_attributes/read_acl
/synchronize:allow
13:user:slw:write_attributes/write_acl:deny
14:owner@::deny
15:owner@:delete_child/read_attributes/write_attributes/read_acl
/write_acl/synchronize:allow
16:owner@::deny
17:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
18:group@::deny
19:group@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/execute:allow
20:everyone@:write_xattr/write_attributes/write_acl/write_owner:deny
21:everyone@:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
zone2:/opt/slw/bea/app/ines/bulk#
zone2:/opt/slw/bea/app/ines/bulk# chmod A0- retry
zone2:/opt/slw/bea/app/ines/bulk# chmod A0- retry
zone2:/opt/slw/bea/app/ines/bulk# chmod A0- retry
zone2:/opt/slw/bea/app/ines/bulk# chmod A0- retry
zone2:/opt/slw/bea/app/ines/bulk# chmod A0- retry
zone2:/opt/slw/bea/app/ines/bulk# chmod A0- retry
zone2:/opt/slw/bea/app/ines/bulk# chmod A0- retry
zone2:/opt/slw/bea/app/ines/bulk# chmod A0- retry
zone2:/opt/slw/bea/app/ines/bulk# chmod A0- retry
zone2:/opt/slw/bea/app/ines/bulk# chmod A0- retry
zone2:/opt/slw/bea/app/ines/bulk# chmod A0- retry
zone2:/opt/slw/bea/app/ines/bulk# chmod A0- retry
zone2:/opt/slw/bea/app/ines/bulk# chmod A0- retry
zone2:/opt/slw/bea/app/ines/bulk# chmod A0- retry
zone2:/opt/slw/bea/app/ines/bulk# chmod A0- retry
zone2:/opt/slw/bea/app/ines/bulk# chmod A0- retry
zone2:/opt/slw/bea/app/ines/bulk# ls -dv retry
drwxrwxrwx 2 myuser slw 2 Jul 8 2010 retry
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@::deny
3:group@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/execute:allow
4:everyone@:write_xattr/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
zone2:/opt/slw/bea/app/ines/bulk# chmod 775 retry
zone2:/opt/slw/bea/app/ines/bulk# ls -dv retry
drwxrwxr-x 2 myuser slw 2 Jul 8 2010 retry
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@::deny
3:group@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/execute:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
zone2:/opt/slw/bea/app/ines/bulk# ls -l
total 251
drwxrwxr-x 2 myuser slw 152 Jan 21 09:30 error
drwxrwxrwx+ 2 myuser slw 152 Jan 21 09:30 error.old
drwxrwxr-x 2 myuser slw 2 Jan 21 09:30 input
drwxrwxr-x+ 2 myuser slw 2 Jan 21 09:30 input.old
drwxrwxrwx+ 2 myuser slw 2 Jan 21 09:30 processing
drwxrwxr-x 2 myuser slw 2 Jul 8 2010 retry
drwxrwxrwx+ 2 myuser slw 200 Jan 20 16:08 success