Solaris implements ACLs (Access Control Lists), which give users much more flexibility to share files than the standard UNIX permission bits offer. ACLs are viewed with the ls -v command, and set and manipulated with chmod A... . The man pages of these commands explain the details.
The ZFS file system uses a pure ACL model that follows the NFSv4 ACL model. This means that every file always has an ACL, and its permission bits (rwx) are derived from that ACL. There is a long list of permissions that go beyond the traditional read, write and execute of UFS ACLs. Several of them are the same bit interpreted differently for a file and for a directory (read_data/list_data, write_data/add_file, append_data/add_subdirectory):
Permission | Description |
---|---|
read_data | Permission to read the data of the file |
list_data | Permission to list the contents of a directory |
write_data | Permission to modify the file’s data anywhere in the file’s offset range. This includes the ability to grow the file or write to an arbitrary offset. |
add_file | Permission to add a new file to a directory |
append_data | The ability to modify the data, but only starting at EOF. |
add_subdirectory | Permission to create a subdirectory to a directory |
read_xattr | The ability to read the extended attributes of a file or to do a lookup in the extended attributes directory. |
write_xattr | The ability to create extended attributes or write to the extended attributes directory. |
execute | Permission to execute a file |
delete_child | Permission to delete a file within a directory |
read_attributes | The ability to read basic attributes (non-ACLs) of a file. Basic attributes are considered the stat(2) level attributes. |
write_attributes | Permission to change the times associated with a file or directory to an arbitrary value |
delete | Permission to delete a file |
read_acl | Permission to read the ACL |
write_acl | Permission to write a file’s ACL |
write_owner | Permission to change the owner or the ability to execute chown(1) or chgrp(1) |
synchronize | Permission to access a file locally at the server with synchronous reads and writes. |
Borrowed from Mark Shellenbaum’s Blog
All operations use the standard ls and chmod commands to view and modify ACLs, but with some extra command-line syntax. Read the man pages for ls and chmod for more detailed information than we provide here.
To view the ACL on a file, use ls -v:
catbert[46] [~/]> ls -v test
-rw-r----- 1 parrott parrott 0 Jan 18 15:36 test
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data:allow
4:everyone@:read_data/write_data/append_data/write_xattr/execute
/write_attributes/write_acl/write_owner:deny
5:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
Now let’s give beesam permission to read the file, even though the UNIX permission bits (rw-r-----) give ‘other’ no access:
catbert[47] [~/]> chmod A+user:beesam:read_data:allow test
catbert[48] [~/]> ls -v test
-rw-r-----+ 1 parrott parrott 0 Jan 18 15:36 test
0:user:beesam:read_data:allow
1:owner@:execute:deny
2:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
3:group@:write_data/append_data/execute:deny
4:group@:read_data:allow
5:everyone@:read_data/write_data/append_data/write_xattr/execute
/write_attributes/write_acl/write_owner:deny
6:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
Now beesam can read the file, I can read and write it (as the UNIX owner), members of the ‘parrott’ group can read it, and everyone else has no access. Note two things in the listing: the + after the mode bits marks a file whose ACL is no longer trivial, and the new entry was inserted at index 0, ahead of the everyone@ deny entry. Order matters: entries are evaluated top-down and the first one that decides a permission wins, so the same entry placed after that deny would have no effect.
We can also add write_data permissions for beesam:
catbert[49] [~/]> chmod A+user:beesam:write_data:allow test
catbert[50] [~/]> ls -v test
-rw-r-----+ 1 parrott parrott 0 Jan 18 15:36 test
0:user:beesam:write_data:allow
1:user:beesam:read_data:allow
2:owner@:execute:deny
3:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
4:group@:write_data/append_data/execute:deny
5:group@:read_data:allow
6:everyone@:read_data/write_data/append_data/write_xattr/execute
/write_attributes/write_acl/write_owner:deny
7:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
I can remove a single entry by its index with A<index>-. Entries are renumbered after every change, so check the current index with ls -v first; here A1- removes the read_data entry for beesam:
catbert[53] [~/]> chmod A1- test
catbert[54] [~/]> ls -v test
-rw-r-----+ 1 parrott parrott 0 Jan 18 15:36 test
0:user:beesam:write_data:allow
1:owner@:execute:deny
2:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
3:group@:write_data/append_data/execute:deny
4:group@:read_data:allow
5:everyone@:read_data/write_data/append_data/write_xattr/execute
/write_attributes/write_acl/write_owner:deny
6:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
I can remove all non-trivial entries (everything except the owner@, group@ and everyone@ entries) by typing chmod A- test:
catbert[55] [~/]> chmod A- test
catbert[56] [~/]> ls -v test
-rw-r----- 1 parrott parrott 0 Jan 18 15:36 test
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data:allow
4:everyone@:read_data/write_data/append_data/write_xattr/execute
/write_attributes/write_acl/write_owner:deny
5:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
You can also use the compact one-letter shortcuts in ZFS ACL entries instead of writing out the full permission names; rwx stands for read_data/write_data/execute. The following also works to give parrott rwx access:
catbert[57] [~/]> chmod A+user:parrott:rwx:allow test
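The ordering rule that the listings above depend on (a chmod A+ entry lands at index 0, ahead of the everyone@ deny entry, and chmod A<index>- counts from the top of the current listing) can be checked without a Solaris box. The following Python model is an added example, not Solaris code or anything from this page: it parses the ls -v entry format used above (including the compact rwx form), evaluates a request the way an NFSv4 ACL walk does (first matching entry that decides a permission wins, nothing is implicitly allowed), and replays the chmod sequence from this page on a constructed copy of the test listing. The function names, the assumption that beesam is not in group parrott, the extra users alice and mallory, and the treatment of chmod A- as dropping only the non-trivial entries are this example's own.

```python
"""Added model of ZFS (NFSv4-style) ACL evaluation and of chmod A... edits; not Solaris code."""
from dataclasses import dataclass

TRIVIAL = ("owner@", "group@", "everyone@")
# Compact one-letter permission forms accepted by chmod (rwx on this page), in ls -V order.
COMPACT = dict(zip("rwxpdDaARWcCos", (
    "read_data", "write_data", "execute", "append_data", "delete",
    "delete_child", "read_attributes", "write_attributes", "read_xattr",
    "write_xattr", "read_acl", "write_acl", "write_owner", "synchronize")))

@dataclass(frozen=True)
class Ace:
    who: str          # owner@, group@, everyone@, user:NAME or group:NAME
    perms: frozenset  # e.g. {"read_data", "write_data"}
    kind: str         # "allow" or "deny"

def parse_spec(spec):
    """Parse one 'who:perms:allow|deny' spec as given to chmod A+."""
    parts = spec.split(":")
    field = parts[-2]
    if field and all(ch in COMPACT for ch in field):   # compact rwx... form
        perms = frozenset(COMPACT[ch] for ch in field)
    else:                                              # read_data/write_data form
        perms = frozenset(p for p in field.split("/") if p)
    return Ace(":".join(parts[:-2]), perms, parts[-1])

def parse_ls_v(text):
    """Parse the numbered ACE lines of `ls -v` output.  The mode line is skipped and
    a line starting with '/' continues the wrapped entry above it, as on this page."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/") and entries:
            entries[-1] += line
        elif line[:1].isdigit() and ":" in line:
            entries.append(line)
    return [parse_spec(entry.split(":", 1)[1]) for entry in entries]

def _matches(ace, user, groups, owner, owning_group):
    """Does this entry's principal apply to the requesting user?"""
    if ace.who in TRIVIAL:
        return {"owner@": user == owner, "group@": owning_group in groups,
                "everyone@": True}[ace.who]
    kind, _, name = ace.who.partition(":")
    return (kind == "user" and name == user) or (kind == "group" and name in groups)

def check_access(aces, wanted, user, groups, owner, owning_group):
    """NFSv4 walk: entries are tried top-down; a matching deny that covers a
    still-unresolved permission ends the walk, a matching allow resolves what it
    grants, and anything unresolved at the end is denied (no implicit allow)."""
    needed = set(wanted)
    for ace in aces:
        if not needed:
            break
        if not _matches(ace, user, groups, owner, owning_group):
            continue
        if ace.kind == "deny" and needed & ace.perms:
            return False
        if ace.kind == "allow":
            needed -= ace.perms
    return not needed

def chmod_add(aces, spec, index=0):
    """`chmod A+spec` inserts at index 0 (ahead of everything); `chmod A<i>+spec` at i."""
    return aces[:index] + [parse_spec(spec)] + aces[index:]

def chmod_remove(aces, index=None):
    """`chmod A<i>-` drops entry i (later entries are renumbered); `chmod A-` drops
    every non-trivial entry, as the page's listing shows (simplified model)."""
    if index is None:
        return [a for a in aces if a.who in TRIVIAL]
    return [a for i, a in enumerate(aces) if i != index]

# Constructed sample: the `ls -v test` listing from this page (owner and group parrott).
LS_V_TEST = """\
-rw-r----- 1 parrott parrott 0 Jan 18 15:36 test
0:owner@:execute:deny
1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
2:group@:write_data/append_data/execute:deny
3:group@:read_data:allow
4:everyone@:read_data/write_data/append_data/write_xattr/execute
/write_attributes/write_acl/write_owner:deny
5:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
"""

def beesam_can(aces, *perms):   # beesam is assumed not to be in group parrott
    return check_access(aces, perms, "beesam", {"beesam"}, "parrott", "parrott")

def walkthrough():
    """Replay the page's chmod sequence; what can beesam do after each step?"""
    acl = parse_ls_v(LS_V_TEST)
    steps = {"initial": beesam_can(acl, "read_data")}
    acl = chmod_add(acl, "user:beesam:read_data:allow")      # chmod A+..., index 0
    steps["after A+ read"] = beesam_can(acl, "read_data")
    # Appended at the end instead, the same entry is never reached: the
    # everyone@ deny above it decides read_data first.
    tail = chmod_add(acl[1:], "user:beesam:read_data:allow", len(acl) - 1)
    steps["appended instead"] = beesam_can(tail, "read_data")
    acl = chmod_add(acl, "user:beesam:write_data:allow")     # read_data entry is now 1
    steps["after A+ write"] = beesam_can(acl, "read_data", "write_data")
    acl = chmod_remove(acl, 1)                               # chmod A1-
    steps["after A1-"] = (beesam_can(acl, "read_data"), beesam_can(acl, "write_data"))
    acl = chmod_remove(acl)                                  # chmod A-
    steps["after A-"] = (len(acl), beesam_can(acl, "read_data"))
    return steps
```

Running walkthrough() reproduces the page: beesam is denied initially, allowed after chmod A+, loses read_data again after chmod A1- while keeping write_data, and is back to nothing after chmod A-. The "appended instead" step is the check worth remembering: an allow entry placed below the everyone@ deny entry is dead, so when you use chmod A<index>+ to insert at a chosen position, keep user and group entries above the trivial ones.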
You can see how powerful ACLs are. If you have any questions, please read the man pages of the commands used above. There are also a bunch of help tutorials on ACLs on ZFS filesystems accessible through Google searches.
There is a long blog entry at http://cuddletech.com/blog/pivot/entry.php?id=939 which has several good things on ACLs.
ECE/CIS • University of Delaware — All Rights Reserved • Newark, DE 19716 • USA • 2015 • Website by André Rauh • Maintained by Labstaff