https://community.hpe.com/t5/operating-system-hp-ux/acl/m-p/4452151#M661663 I have a question about implementing daily file permission review scripts and would be very grateful if someone could help me out.<BR /><BR />I have file permissions assigned using ACL's in the following format:<BR />getacl is used.<BR /># file: filename<BR /># owner: uid<BR /># group: gid<BR />user::perm<BR />user:uid:perm<BR />group::perm<BR />group:gid:perm<BR />class:perm<BR />other:perm<BR />default:user::perm<BR />default:user:uid:perm<BR />default:group::perm<BR />default:group:gid:perm<BR />default:class:perm<BR />default:other:perm<BR /><BR />How can I look for the below<BR />1. Unowned files/directories (nouser) and unowned (nogroup) files/directories with detailed permissions and path listing. I guess this should also have to check the extended ACL entries such as "group:nogroup and default:group:nogroup" along with owner-nogroup as well as owner-nouser. I am aware of how this can be done on traditional non acl systems. I am seeking some assistance on how this can be done on systems with ACL's implemented.<BR />2. Permissions over files/directories that certain specific groups have. For example, if the group "staff" has a "default:group:staff:rwx" or "group:staff:rwx" or "owner group - staff" assigned in the ACL, I would like to check their permissions on a daily basis with their complete path &amp; permissions listing. Again, I am seeking some assistance on how this can be done on systems with ACL's implemented.<BR />3. Output of world writable directories and files. For example, if "other:-w- or other:rw- or other:rwx" is present or ""default:other:-w- or default:other:rw- or default:other:rwx" is present, I would like to check review their permissions on a daily basis. Again, I am seeking some assistance on how this can be done on systems with ACL's implemented.<BR /><BR />I hope I have thought of all the possible combinations. Please let me know if you think I may have missed of any.<BR /><BR /><BR /> Thu, 02 Jul 2009 17:24:22 GMT jjoseph8008 2009-07-02T17:24:22Z https://community.hpe.com/t5/operating-system-hp-ux/acl/m-p/4452151#M661663 I have a question about implementing daily file permission review scripts and would be very grateful if someone could help me out.<BR /><BR />I have file permissions assigned using ACL's in the following format:<BR />getacl is used.<BR /># file: filename<BR /># owner: uid<BR /># group: gid<BR />user::perm<BR />user:uid:perm<BR />group::perm<BR />group:gid:perm<BR />class:perm<BR />other:perm<BR />default:user::perm<BR />default:user:uid:perm<BR />default:group::perm<BR />default:group:gid:perm<BR />default:class:perm<BR />default:other:perm<BR /><BR />How can I look for the below<BR />1. Unowned files/directories (nouser) and unowned (nogroup) files/directories with detailed permissions and path listing. I guess this should also have to check the extended ACL entries such as "group:nogroup and default:group:nogroup" along with owner-nogroup as well as owner-nouser. I am aware of how this can be done on traditional non acl systems. I am seeking some assistance on how this can be done on systems with ACL's implemented.<BR />2. Permissions over files/directories that certain specific groups have. For example, if the group "staff" has a "default:group:staff:rwx" or "group:staff:rwx" or "owner group - staff" assigned in the ACL, I would like to check their permissions on a daily basis with their complete path &amp; permissions listing. Again, I am seeking some assistance on how this can be done on systems with ACL's implemented.<BR />3. Output of world writable directories and files. For example, if "other:-w- or other:rw- or other:rwx" is present or ""default:other:-w- or default:other:rw- or default:other:rwx" is present, I would like to check review their permissions on a daily basis. Again, I am seeking some assistance on how this can be done on systems with ACL's implemented.<BR /><BR />I hope I have thought of all the possible combinations. Please let me know if you think I may have missed of any.<BR /><BR /><BR /> Thu, 02 Jul 2009 17:24:22 GMT https://community.hpe.com/t5/operating-system-hp-ux/acl/m-p/4452151#M661663 jjoseph8008 2009-07-02T17:24:22Z https://community.hpe.com/t5/operating-system-hp-ux/acl/m-p/4452152#M661664 Shalom,<BR /><BR />I recommend a test plan.<BR /><BR />Take some time, devise tests to test this configurations possibilities, including expected results.<BR /><BR />Run the tests and if you get expected results you are done. If not, keep trying.<BR /><BR />Asking here is no substitute for doing your own quality assurance testing.<BR /><BR />I amd not a big fan of ACL, though acknowledge its usefulness, and will let other judge your configuration. <BR /><BR />I strongly recommend the test plan.<BR /><BR />SEP Thu, 02 Jul 2009 17:49:00 GMT https://community.hpe.com/t5/operating-system-hp-ux/acl/m-p/4452152#M661664 Steven E. Protter 2009-07-02T17:49:00Z https://community.hpe.com/t5/operating-system-hp-ux/acl/m-p/4452153#M661665 Thanks for your suggestion. Testing is definitely going to be done. However, I am having problems even figuring out how to query for groups that may be listed within the ACL. Thu, 02 Jul 2009 19:40:51 GMT https://community.hpe.com/t5/operating-system-hp-ux/acl/m-p/4452153#M661665 jjoseph8008 2009-07-02T19:40:51Z