ACL

jjoseph8008
Occasional Contributor

I have a question about implementing daily file permission review scripts and would be very grateful if someone could help me out.

I have file permissions assigned using ACLs in the following format (getacl is used):
# file: filename
# owner: uid
# group: gid
user::perm
user:uid:perm
group::perm
group:gid:perm
class:perm
other:perm
default:user::perm
default:user:uid:perm
default:group::perm
default:group:gid:perm
default:class:perm
default:other:perm

How can I look for the following:
1. Unowned files/directories (nouser) and unowned (nogroup) files/directories, with detailed permissions and path listing. I guess this would also have to check the extended ACL entries such as "group:nogroup" and "default:group:nogroup", along with owner-nogroup as well as owner-nouser. I am aware of how this can be done on traditional non-ACL systems. I am seeking some assistance on how this can be done on systems with ACLs implemented.
2. Permissions over files/directories that certain specific groups have. For example, if the group "staff" has a "default:group:staff:rwx" or "group:staff:rwx" or "owner group - staff" assigned in the ACL, I would like to check their permissions on a daily basis with their complete path and permissions listing. Again, I am seeking some assistance on how this can be done on systems with ACLs implemented.
3. Output of world-writable directories and files. For example, if "other:-w-" or "other:rw-" or "other:rwx" is present, or "default:other:-w-" or "default:other:rw-" or "default:other:rwx" is present, I would like to review their permissions on a daily basis. Again, I am seeking some assistance on how this can be done on systems with ACLs implemented.

I hope I have thought of all the possible combinations. Please let me know if you think I may have missed any.


2 REPLIES
Steven E. Protter
Exalted Contributor

Re: ACL

Shalom,

I recommend a test plan.

Take some time, devise tests to test this configuration's possibilities, including expected results.

Run the tests and if you get expected results you are done. If not, keep trying.

Asking here is no substitute for doing your own quality assurance testing.

I am not a big fan of ACL, though I acknowledge its usefulness, and will let others judge your configuration.

I strongly recommend the test plan.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
jjoseph8008
Occasional Contributor

Re: ACL

Thanks for your suggestion. Testing is definitely going to be done. However, I am having problems even figuring out how to query for groups that may be listed within the ACL.
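
One way to run the three reviews from the question over saved getacl output, added here as an example and not written by either poster. It assumes the records follow the layout quoted in the question and that an id with no passwd/group entry prints as a bare number or as nouser/nogroup; `audit`, `ORPHANS` and the sample record are names and data made up for this example.

```python
import re

# Constructed sample in the layout quoted in the question (not real output).
SAMPLE = """\
# file: /data/reports
# owner: 1042
# group: staff
user::rwx
group:nogroup:rw-
class:rwx
other:-w-
default:group:staff:rwx
"""

# Assumption: an id with no passwd/group entry shows up as a bare number or as
# one of the placeholder names used in the question.
ORPHANS = {"nouser", "nogroup"}
HEADER = re.compile(r"#\s*(file|owner|group):\s*(.*)")

def is_orphan(name):
    return name.isdigit() or name in ORPHANS

def audit(text, watch_groups=()):
    """Return (path, check, detail) for the three reviews listed in the question."""
    out, path = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m and m.group(1) == "file":
            path = m.group(2)
        elif m:                                   # '# owner:' or '# group:' header
            role, name = m.groups()
            if is_orphan(name):
                out.append((path, "unowned", f"{role} {name}"))
            if role == "group" and name in watch_groups:
                out.append((path, "group", f"owning group {name}"))
        elif line and not line.startswith("#"):
            raw = line.split("#", 1)[0].strip()   # tolerate a trailing comment
            parts = raw.split(":")
            parts = parts[1:] if parts[0] == "default" else parts
            tag, perm = parts[0], parts[-1]
            qual = parts[1] if len(parts) == 3 else ""   # class/other have none
            if tag in ("user", "group") and qual and is_orphan(qual):
                out.append((path, "unowned", raw))
            if tag == "group" and qual in watch_groups:
                out.append((path, "group", raw))
            if tag == "other" and "w" in perm:
                out.append((path, "world-writable", raw))
    return out
```

Feed it the concatenated getacl output for the tree under review, with the groups to watch in `watch_groups`, and compare each day's findings with the previous day's.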