Solved

UNIX ACL Input

Posted on 2013-01-16
9
461 Views
Last Modified: 2013-01-18
On AIX I run:

aclput -i /apps/lib/acl/acl_b20 /apps/retained/b20

The first part directory in the command is the ACL file and the second is the directory I want to set the ACL against.

Is there a way to do this on Linux (CentOS or Red Hat)? Linux uses setfacl and I'm having trouble figuring how to do a similar aclput on AIX on CentOS.
0
Comment
Question by:AIX25
  • 4
  • 4
9 Comments
 
LVL 61

Expert Comment

by:gheist
ID: 38786051
You are looking for setfacl command or some other seen by typing:

man -k acl
0
 

Author Comment

by:AIX25
ID: 38786124
I know it would be with setfacl command, but if you read my question, I need to run it similar fashion to:

aclput -i /apps/lib/acl/acl_b20 /apps/retained/b20 on AIX.

Are you familiar with this on AIX? If yes, what is the command on Red Hat for this?
0
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 38786166
Try

setfacl --set-file=/apps/lib/acl/acl_b20 /apps/retained/b20
0
 

Author Comment

by:AIX25
ID: 38786213
That worked! But I have something different showing up in the getfacl output for b20:

What does the #effective:r-- next the the user:userA:rw- mean?

Here is how it looks in the getfacl output:

# file: test
# owner: root
# group: root
user::rwx
user:userA:rw-         #effective:r--
group ....etc
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 68

Expert Comment

by:woolmilkporc
ID: 38786238
Do you have an effective rights mask?

Look for a line starting with "mask" in the getfacl output.
This mask overrides the user setting.
0
 

Author Comment

by:AIX25
ID: 38786242
Ok, I do have a mask setting. I must take out the mask line for it to pick up the intended permissions??
0
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 500 total points
ID: 38786262
I assume your mask is "r--".

There must have been some reason setting it this way (?)

Only rights contained in the mask will become effective.

If you want to forego using this feature remove the mask.
0
 

Author Comment

by:AIX25
ID: 38795113
One issue pertaining to this question...

Not sure if you have ran into this or can test it. But are there any conflicts with ACLs?

Meaning... if the Group permissions on the file are rwx, but the ACL has a Group permissions of r--, which permissions will be used?

also why do I have a + at the end of my permissions?

drwxrwx---+ root root 4096 Jan 17 22:03 test

And, my acl file does not have a mask setting in it, but when I run a getfacl on test, it shows a mask. Everything looks good, but that...how can I get rid of the mask?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 38795239
Base ACL permissions and Unix permissions (which are shown with ls -l) cannot differ. They will always be the same.

The extended ACLs normally define permissions for users and groups other than the owning ones.

In case you defined an extended ACL permission for the owning user/group in addition to the base permission the extended ACL permission takes precedence:
"permit" directives will be added to the base permissions, "deny" directives will be taken away from them (this is not seen with ls -l!)

For AIX only:

The above is true for ACLs of type "AIXC". ACLs of type "NFS4" are a lot more complicated to explain (and to handle).
Please let me know if you need assistance with ACLs of that type.

The "+" indicates the presence of extended ACLs for the respective file/directory.

As for the mask: If you didn't specify one explicitly and always forbid recalculating (see below) then the mask is just a union of all permissions of the owning group, and all named user and group entries.
Every "setfacl" execution will recalculate the mask, unless explicitly forbidden by the "-n" flag.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

When you do backups in the Solaris Operating System, the file system must be inactive. Otherwise, the output may be inconsistent. A file system is inactive when it's unmounted or it's write-locked by the operating system. Although the fssnap utility…
FreeBSD on EC2 FreeBSD (https://www.freebsd.org) is a robust Unix-like operating system that has been around for many years. FreeBSD is available on Amazon EC2 through Amazon Machine Images (AMIs) provided by FreeBSD developer and security office…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now