
IBM AIX/UNIX system storage administration ksh/perl scripting

Tuesday, March 16, 2010

How to Apply ACL to New Files Automatically

Technote (FAQ)
Question
How can I set up a directory that will automatically apply ACLs (Access Control Lists)?

Answer
Using an ACL is a way to set restrictions on the use of a file beyond the standard AIX or Unix discretionary access control. These can be set on an individual or group basis, and rights can be granted or taken away as needed.
The concept of having a directory with ACLs on it, and then automatically applying those ACLs to any files created in that directory, is called inheritance. AIX ACLs do not support inheritance, but NFSV4 ACLs do. NFSV4 ACLs are platform-independent, so they can be supported on many clients and servers.

Most filesystem types in AIX do not support NFSV4 ACLs. CFS, UDF, JFS, and JFS2 with extended attribute version 1 (EAv1) do not support these. However, JFS2 filesystems using EAv2 do, so they can be used for this purpose.



1. Use a JFS2 filesystem

Use an existing JFS2 filesystem if you have one that can be used, or create one if you do not have one already:

# crfs -v jfs2 -g datavg -m /myfs -A yes -a size=2G


2. Change the filesystem to use Extended Attributes Version 2

# chfs -a ea=v2 /myfs


3. Create a directory, or identify an existing directory

# cd /myfs
# mkdir newdir


4. Convert the directory to use NFS4 ACLs:

# aclconvert -t NFS4 newdir


5. Edit the ACL

# export EDITOR=/usr/bin/vi
# acledit newdir


You should see this in the file:

*
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs
s:(OWNER@): d o
s:(GROUP@): a rRxadcs
s:(GROUP@): d wpWDACo
s:(EVERYONE@): a rRxadcs
s:(EVERYONE@): d wpWDACo


To allow inheritance for all files and directories underneath this directory, add the flags "fi" (inherit to files) and "di" (inherit to directories) to any ACL entries you create. Those entries will be propagated to each file created from now on.

*
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs fidi
s:(OWNER@): d o
s:(GROUP@): a rRxadcs
s:(GROUP@): d wpWDACo
s:(EVERYONE@): a rRxadcs
s:(EVERYONE@): d wpWDACo


Create a file in your directory and check the ACL list on it:

# cd newdir
# touch newfile
# aclget newfile

*
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs fidi
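As an added illustration that is not part of the IBM technote, here is a small Python parser for the aclget text format shown above. It reports which entries a new file ("fi") or a new subdirectory ("di") will inherit, and flags inheritable allow entries that would hand EVERYONE@ write, delete or ACL/owner-change rights; the sample ACL is constructed and adds a "fi" flag on EVERYONE@ purely for illustration.

```python
import re
from typing import List, NamedTuple

# Constructed sample in aclget format, modelled on the output above, with a 'fi' flag also on EVERYONE@.
SAMPLE_ACL = """\
*
* ACL_type NFS4
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs fidi
s:(OWNER@): d o
s:(GROUP@): a rRxadcs
s:(GROUP@): d wpWDACo
s:(EVERYONE@): a rRxadcs fi
s:(EVERYONE@): d wpWDACo
"""
# Entry layout: <u|g|s>:<identity>: <a|d|l|u> <mask> [<flags>]  e.g. s:(OWNER@): a rwpRWxDaAdcCs fidi
ACE_RE = re.compile(r"^([ugs]):\(?([^():\s]+)\)?:\s+([adlu])\s+([rwpRWxDaAdcCos]+)(?:\s+([a-z]+))?$")
WRITE_MASK = set("wpDACo")  # write data, append, delete child, write attrs, write ACL, write owner

class Ace(NamedTuple):
    who: str          # OWNER@, GROUP@, EVERYONE@, or a user/group name
    kind: str         # a = allow, d = deny, l = alarm, u = audit
    mask: str         # permission letters exactly as aclget prints them
    flags: List[str]  # inheritance flags split into pairs: fi, di, oi, ni

def parse_acl(text: str) -> List[Ace]:
    """Parse AIX NFS4 ACL text; lines starting with '*' are header/comment lines."""
    aces = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("*"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACE line: {line!r}")
        _, who, kind, mask, flags = m.groups()
        aces.append(Ace(who, kind, mask, [flags[i:i + 2] for i in range(0, len(flags or ""), 2)]))
    return aces

def inherited_by_child(aces: List[Ace], is_dir: bool) -> List[Ace]:
    """Entries a new file ('fi') or a new subdirectory ('di') created here will receive."""
    want = "di" if is_dir else "fi"
    return [a for a in aces if want in a.flags]

def broad_inheritable_grants(aces: List[Ace]) -> List[Ace]:
    """Inheritable allow entries that give EVERYONE@ a modify, delete or ACL/owner-change right."""
    return [a for a in aces if a.kind == "a" and a.who == "EVERYONE@"
            and {"fi", "di"} & set(a.flags) and WRITE_MASK & set(a.mask)]
```

Feed it the output of `aclget` on the directory to confirm the inheritance flags landed on the entries you intended before creating files underneath it.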

