
Re: ACL conversion from TRU64 to HPUX 11.23

drwalk
Occasional Advisor

ACL conversion from TRU64 to HPUX 11.23

I am about to embark on a TRU64 -> HPUX 11.23 system migration and have found that ACLs (JFS) work very differently between the two OSes. We use ACLs to grant explicit file access privileges to explicit users. In TRU64 an ACL overrides any file bit permissions or umask settings, but in HPUX 11.23 there is the concept of class ACLs which lead to effective ACLs being set, all of which are affected by chmod and umasks.

Maybe the best way to explain this is by example. I have a umask of 037. I have a directory with perms 750 owned by userA. I have a very data sensitive file called file1 within this directory, with perms of 640, and owned by userA. UserB needs read/write access to this file, and is not a member of the group attached to userA or file1. How would you set this up without altering file1's permissions of 640?

Dwight
11 REPLIES
Peter Godron
Honored Contributor

Re: ACL conversion from TRU64 to HPUX 11.23

Dwight,
in your example the steps would be:
1. give userB execute acl to directory
setacl -m user:userB:x-- directory-name
UserB needs this execute permission to be able to see file1 within the directory.
2. give userB read-only access to file1
setacl -m user:userB:r-- file1

If userB now goes to the directory and tries for example ls, they don't even get a listing, but a vi file1 should come up as read-only.
Peter Godron
Honored Contributor

Re: ACL conversion from TRU64 to HPUX 11.23

Dwight,
any update/feedback?
drwalk
Occasional Advisor

Re: ACL conversion from TRU64 to HPUX 11.23

Sorry for the late response; I seem to be continually getting a "service not available at this time" message on this forum site.

Your response is fine for read only permission. Where I fall down is when I add an rw- ACL to userB because of the class ACL being 640. This forces an effective ACL of r-- for userB.

In words, I need userB to have read/write access to a limited set of userA's files, where userB is not a member of the group associated with userA's files. How can I do this?

The fact that chmod also disturbs the effective ACL is also a concern, as we come from the world where an ACL rules, and a "lesser" chmod can not change an ACL.

Dwight

Peter Godron
Honored Contributor

Re: ACL conversion from TRU64 to HPUX 11.23

Dwight,
I tested this on my 11.11 machine and it seems to work.

I created usera and userb in different groups.
Then I used usera to create /tmp/test and a file "file1" within the /tmp/test dir.
I set the protection as you specced and then set the ACL as usera:
setacl -m user:userb:x-- /tmp/test
cd /tmp/test
setacl -m user:userb:rw- file1

I can now read/write file1.
drwalk
Occasional Advisor

Re: ACL conversion from TRU64 to HPUX 11.23

I don't have access to an HPUX system right now, but I can get access to a system at HP.

We are going to be using HPUX 11.23, so maybe things are different to 11.11. What is your umask? Somewhere I have read a one line statement that suggested that the effective ACL is a convergence of the umask, the permission bits and the class ACL.

I recorded this getacl output from this test the last time I was at HP.

# file: /home/userA/dir1/file2
# owner: root
# group: sys
user::rw-
user:userB:rw- #effective:r--
group::r--
class:r--
other:---

Dwight
Peter Godron
Honored Contributor

Re: ACL conversion from TRU64 to HPUX 11.23

Dwight,
getacl on /tmp/test/file1 gives:
# getacl file1
# file: file1
# owner: usera
# group: group1
user::rw-
user:userb:rw-
group::r--
class:rw-
other:---
#
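The two getacl listings above, run through a small model of how the class entry clips the named-user entry and how chmod rewrites that class entry. This is an added example written for this thread, not code from HP or from either poster; the mask rule (class ANDed into named-user and group entries, POSIX.1e style) and the chmod behaviour (group bits become the class) are assumptions drawn from what the thread reports, and the helper names are invented.

```python
# Added model of how HP-UX JFS ACL entries combine with the class entry.
# Illustrative code for this thread, not HP's implementation. Assumption: the
# class entry is ANDed into named-user and group entries, and chmod rewrites
# user::, class and other from the mode bits, as the posts above describe.
PERM_BITS = (("r", 4), ("w", 2), ("x", 1))

def perms_to_bits(perms):               # "rw-" -> 6
    return sum(bit for ch, bit in PERM_BITS if ch in perms)

def bits_to_perms(bits):                # 6 -> "rw-"
    return "".join(ch if bits & bit else "-" for ch, bit in PERM_BITS)

def parse_getacl(text):
    """getacl(1)-style text -> [(tag, qualifier, bits)]; '# file:' headers and
    '#effective:' notes are dropped and recomputed by effective()."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            tag, _, rest = line.partition(":")
            qual, _, perms = rest.rpartition(":")
            entries.append((tag, qual, perms_to_bits(perms)))
    return entries

def effective(entries):
    """Permissions actually granted per entry, keyed 'tag:qualifier'."""
    cls = next(bits for tag, _, bits in entries if tag == "class")
    out = {}
    for tag, qual, bits in entries:
        if tag != "class":
            masked = tag == "group" or (tag == "user" and qual != "")
            out[f"{tag}:{qual}"] = bits_to_perms(bits & cls if masked else bits)
    return out

def chmod(entries, mode):
    """Model chmod(1): owner bits -> user::, group bits -> class, other -> other."""
    new = {("user", ""): (mode >> 6) & 7, ("class", ""): (mode >> 3) & 7,
           ("other", ""): mode & 7}
    return [(t, q, new.get((t, q), b)) for t, q, b in entries]

def creation_mode(requested, umask):    # creation_mode(0o666, 0o037) == 0o640
    return requested & ~umask

# Sample inputs copied from the two getacl listings in this thread.
DWIGHT_FILE2 = ("# file: /home/userA/dir1/file2\nuser::rw-\n"
                "user:userB:rw- #effective:r--\ngroup::r--\nclass:r--\nother:---\n")
PETER_FILE1 = "user::rw-\nuser:userb:rw-\ngroup::r--\nclass:rw-\nother:---\n"

if __name__ == "__main__":
    print(effective(parse_getacl(DWIGHT_FILE2))["user:userB"])               # r--
    print(effective(parse_getacl(PETER_FILE1))["user:userb"])                # rw-
    print(effective(chmod(parse_getacl(PETER_FILE1), 0o640))["user:userb"])  # r--
```

The last call shows the point Dwight raised: a chmod 640 on Peter's file turns the class back to r-- and userb is clipped to read-only even though the user:userb entry still says rw-.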
drwalk
Occasional Advisor

Re: ACL conversion from TRU64 to HPUX 11.23

Well, I'll be ....

Your class ACL is rw- whereas mine was r--.
Can you do this again with a umask of 037?

Thanks

Dwight
Peter Godron
Honored Contributor

Re: ACL conversion from TRU64 to HPUX 11.23

Dwight,

setup for users:
/etc/passwd:
usera:Urswm5RjYOTfI:110:105:,,,:/home/usera:/usr/bin/sh
userb:mrUccjy3IQaYo:111:106:,,,:/home/userb:/usr/bin/sh

/etc/groups
group1::105:
group2::106:

I have attached a script (please amend usernames as required).
Run the script as usera, then log in as userb, cd to /tmp/test and vi file1 and file2.
Peter Godron
Honored Contributor

Re: ACL conversion from TRU64 to HPUX 11.23

Dwight,
any luck with this? Any updates?
drwalk
Occasional Advisor

Re: ACL conversion from TRU64 to HPUX 11.23

I'm waiting on HP. I have tried to download your script but the link to it seems to be broken. Can you check it out? Is your umask 037?

Dwight
Florian Heigl (new acc)
Honored Contributor

Re: ACL conversion from TRU64 to HPUX 11.23

As I'm no HP employee and still a person with an opinion, let me see if I may put this down to my opinion:

HP-UX is ages from Tru64's security features / TCB/ACL implementation. Sorry.

Please do not trust ACLs for it, work around it.

(Now flame me, friends.)
yesterday I stood at the edge. Today I'm one step ahead.