topic Re: How to create ACLs in Operating System - HP-UX

How to create ACLs

Ralph Grothe — Mon, 03 Feb 2003 09:39:26 GMT

Hello,

I have the requirement to grant access to a certain configuration file to a certain account at a level of finer granularity than what standard Unix file permission modes allow.

Though I could well use sudo to this end I would like to find out how this can be accomplished by ACLs, as I haven't used them before and want to get familiar with this feature of modern Unices.

Despite having read the manpages of "acl", "chacl", "setacl" etc. I yet haven't got a clue how to create an ACL for a file to start with.

As I had to realize setacl() is a system call, but if possible I'd like to avoid having to code something in C first just to get my first ACL.
Or is one expected to create an ACL manually by simply editing a file's ACL-file that includes the special Operator Form syntax mentioned in the manpages?
But then I still haven't found out what this file needs to be named.

I tried these for a test on a left over nohup.out file:

# chacl -Z nohup.out
chacl: file "nohup.out": Function is not available (errno = 251)
# chacl '%.% =' nohup.out
chacl: file "nohup.out": Function is not available (errno = 251)

Hm, looks like something more is still required.

From Linux I remember to have read in some Howto that in order to make your Linux ACL aware the kernel first needs to be patched.

Does the same hold true for the HP-UX kernel (i.e. is the prior installation of some SW or patch required)?
I always thought "grown" Unices such as HP-UX, Solaris, AIX are ACL aware per se.

Rgds.

Ralph

Re: How to create ACLs

Stefan Farrelly — Mon, 03 Feb 2003 09:46:24 GMT

You do it like this;

cd /tmp
touch t
lsacl t
(shows acl values)
chacl "(%.users,rwx)" t
lsacl t
This now shows youve added permissions for the *.users group to rwx to file t.

Re: How to create ACLs

RAC_1 — Mon, 03 Feb 2003 09:47:37 GMT

If I remember correctly you require Online JFS(Online JFs) version 3 and above to support ACLs.

Re: How to create ACLs

Stefan Farrelly — Mon, 03 Feb 2003 09:47:43 GMT

oops, change the cd /tmp to cd /stand (works on hfs).

Re: How to create ACLs

Stefan Farrelly — Mon, 03 Feb 2003 09:50:44 GMT

Nope, doesnt work on 11 or 11i with OnlineJfS or JFS v3.3 installed. I dont think ACL's are supported at all on vxfs, only hfs.

Re: How to create ACLs

melvyn burnard — Mon, 03 Feb 2003 09:52:24 GMT

Well, first question is what file system type are you doing this on?
The standard commands are for HFS file systems only.
If you want to do this on Vxfs file systems, you must be running with JFS 3.3 file systems, and then you use separate commands for these types of ACL's, e.g. getacl is JFS only

Re: How to create ACLs

James Murtagh — Mon, 03 Feb 2003 12:34:16 GMT

Hi Ralph,

If you are using vxfs, it needs to be JFS 3.3 version 4, which is the default on 11i. This is an example:

# pwd
/home/james
# bdf /home|tail -1
/dev/vg00/lvol5 57344 17261 37623 31% /home
# fstyp -v /dev/vg00/lvol5|grep -i vers
version: 4
# ll james.ksh
-r-xr----- 1 james users 31 Dec 31 12:27 james.ksh
# getacl james.ksh
# file: james.ksh
# owner: james
# group: users
user::r-x
group::r--
class:r--
other:---
# setacl -m user:oracle:r-x james.ksh
# getacl james.ksh
# file: james.ksh
# owner: james
# group: users
user::r-x
user:oracle:r-x
group::r--
class:r-x
other:---

Please see the getacl and setacl manpages.

Regards,

James.

Re: How to create ACLs

T G Manikandan — Mon, 03 Feb 2003 12:53:54 GMT

It can only work with JFS version 3.3(minimum level)

Thanks

Re: How to create ACLs

Ralph Grothe — Mon, 03 Feb 2003 12:54:35 GMT

Melvyn,

I'm trying this on an vxfs filesystem.

Didn't know that it should only work on hfs.
Then it'd be of no use for me since only /stand on our boxes uses the "high-performance file system".

How can I find out the version (i.e. release) of vxfs our filesystems are on?

E.g. this is jfs-related software on the box:

# swlist|grep -i jfs
B3929BA B.11.00 HP OnLineJFS (Advanced VxFS)
PHKL_18452 1.0 Invalid I/O sizes from JFS causes hangs
PHKL_18800 1.0 Cumulative JFS patch - panic:dirty inval
PHKL_18801 1.0 Fix for JFS fsadm ENOSPC errors
PHKL_19991 1.0 Fixes mmap & I/O coherency, enables JFS ACLs

Re: How to create ACLs

T G Manikandan — Mon, 03 Feb 2003 12:59:12 GMT

white paper for acl

http://www.docs.hp.com/hpux/onlinedocs/os/jfs_acl.pdf

Re: How to create ACLs

Ralph Grothe — Mon, 03 Feb 2003 13:27:18 GMT

Shoot,
looks my vxfs release isn't prepared for ACLs:

# fstyp -v $(bdf .|awk '$1~/dev/{print $1}')|grep version
version: 3

:-(

Ok, back to sudo...

Re: How to create ACLs

James Murtagh — Mon, 03 Feb 2003 13:37:27 GMT

Hi Ralph,

If you have JFS 3.1 you should be able to upgrade to 3.3 at no extra cost. The following link is from the software recovery handbook written by the German Response Centre Engineers and describes the different versions, how to upgrade etc and is very good.

http://us-support3.external.hp.com/iv/data/documents/DE_SW_UX_swrec_EN_01_E/JFS.pdf

Regards,

James.

Re: How to create ACLs

Greg OBarr — Tue, 04 Feb 2003 13:56:18 GMT

ACLs.... I haven't had to think about ACLs since the old Apollo Domain/OS days.....

Re: How to create ACLs

George Rudman — Thu, 29 May 2003 05:09:11 GMT

Hi guys

I certainly learnt something here ie that I can't use ACL's if I haven't got HFS or OnlineJFS3.3 at least.

My scenario, a client of mine need to give some people read access to files owned by root. ACL's would be perfect, but is now out of the question since they don't have JFS.
Other option would be to copy the file and change the permissions, but that's probably not a good idea since the file can be quite large and waste space (that I don't have!) :-)

What other options do I have to give these certain users access to the required files?

Thank you
George

Re: How to create ACLs

Greg OBarr — Thu, 29 May 2003 12:24:47 GMT

Maybe you could try this:

1) create a new group for this access in /etc/group
2) change group ownership of these files to this new group and change group permissions to r-- on these files
3) add the users to this group who need read access to these files.

Re: How to create ACLs

George Rudman — Fri, 30 May 2003 06:50:30 GMT

Hi
I played around with this idea and came up with the following.

Take the following file:
-rwxr-x--- 1 root mail 314 Dec 21 2001 filename
In this case only root and users in the "mail" group have read access to the file. Now I create a separate group, say "test", and add all the users currently in the "mail" group to it as their secondary group as well as add the id's of people you require to have access on a secondary level.

Thus the file would look like this :
-rwxr-xr-- 1 root test 314 Dec 21 2001 filename

Now, all previous users from the "mail" group(which are only root) still have their original access plus the additional users also have that same access.
The problem here is that the additional users now have read and write access where we originally needed only read access. The only solution here is to change the group permission to read only access to look like this :
-rwxr--r-- 1 root test 314 Dec 21 2001 filename

The most system groups only includes root as a member, so by changing this group permission will have no impact since root is the owner and still have full access.

To conclude, I can only implement this solution where we can change the permissions to read only for the group without decreasing the normal users' permission in the current group (ie "mail" in my example). In this example only root is in the "mail" group so this can be done, but once there are other id's in the group as well I cannot change the group permission, because this will affectively decrease their permissions which can lead to other problems.

Thanks for the feedback.
George