HPE Community
Operating System - HP-UX
1832908 Members
3735 Online
110048 Solutions
New Discussion

ACL

 
jjoseph8008
Occasional Contributor

‎07-02-2009 10:24 AM

‎07-02-2009 10:24 AM

ACL

I have a question about implementing daily file permission review scripts and would be very grateful if someone could help me out.

I have file permissions assigned using ACL's in the following format:
getacl is used.
# file: filename
# owner: uid
# group: gid
user::perm
user:uid:perm
group::perm
group:gid:perm
class:perm
other:perm
default:user::perm
default:user:uid:perm
default:group::perm
default:group:gid:perm
default:class:perm
default:other:perm

How can I look for the below
1. Unowned files/directories (nouser) and unowned (nogroup) files/directories with detailed permissions and path listing. I guess this should also have to check the extended ACL entries such as "group:nogroup and default:group:nogroup" along with owner-nogroup as well as owner-nouser. I am aware of how this can be done on traditional non acl systems. I am seeking some assistance on how this can be done on systems with ACL's implemented.
2. Permissions over files/directories that certain specific groups have. For example, if the group "staff" has a "default:group:staff:rwx" or "group:staff:rwx" or "owner group - staff" assigned in the ACL, I would like to check their permissions on a daily basis with their complete path & permissions listing. Again, I am seeking some assistance on how this can be done on systems with ACL's implemented.
3. Output of world writable directories and files. For example, if "other:-w- or other:rw- or other:rwx" is present or ""default:other:-w- or default:other:rw- or default:other:rwx" is present, I would like to check review their permissions on a daily basis. Again, I am seeking some assistance on how this can be done on systems with ACL's implemented.

I hope I have thought of all the possible combinations. Please let me know if you think I may have missed of any.


0 Kudos
Reply
2 REPLIES 2
Steven E. Protter
Exalted Contributor

‎07-02-2009 10:49 AM

‎07-02-2009 10:49 AM

Re: ACL

Shalom,

I recommend a test plan.

Take some time, devise tests to test this configurations possibilities, including expected results.

Run the tests and if you get expected results you are done. If not, keep trying.

Asking here is no substitute for doing your own quality assurance testing.

I amd not a big fan of ACL, though acknowledge its usefulness, and will let other judge your configuration.

I strongly recommend the test plan.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
jjoseph8008
Occasional Contributor

‎07-02-2009 12:40 PM

‎07-02-2009 12:40 PM

Re: ACL

Thanks for your suggestion. Testing is definitely going to be done. However, I am having problems even figuring out how to query for groups that may be listed within the ACL.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.