How to create ACLs

 
Ralph Grothe
Honored Contributor

How to create ACLs

Hello,

I have the requirement to grant access to a certain configuration file to a certain account at a level of finer granularity than what standard Unix file permission modes allow.

Though I could well use sudo to this end, I would like to find out how this can be accomplished with ACLs, as I haven't used them before and want to get familiar with this feature of modern Unices.

Despite having read the manpages of "acl", "chacl", "setacl" etc., I still haven't got a clue how to create an ACL for a file to start with.

As I had to realize, setacl() is a system call, but if possible I'd like to avoid having to code something in C first just to get my first ACL.
Or is one expected to create an ACL manually by simply editing a file's ACL-file that includes the special Operator Form syntax mentioned in the manpages?
But then I still haven't found out what this file needs to be named.

I tried these for a test on a leftover nohup.out file:

# chacl -Z nohup.out
chacl: file "nohup.out": Function is not available (errno = 251)
# chacl '%.% =' nohup.out
chacl: file "nohup.out": Function is not available (errno = 251)

Hm, looks like something more is still required.

From Linux I remember having read in some HOWTO that, in order to make your Linux ACL-aware, the kernel first needs to be patched.

Does the same hold true for the HP-UX kernel (i.e. is the prior installation of some SW or patch required)?
I always thought "grown" Unices such as HP-UX, Solaris, AIX are ACL aware per se.


Rgds.

Ralph
Madness, thy name is system administration
Stefan Farrelly
Honored Contributor

Re: How to create ACLs

You do it like this:

cd /tmp
touch t
lsacl t
(shows ACL values)
chacl "(%.users,rwx)" t
lsacl t
This now shows you've added rwx permissions for the *.users group on file t.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
RAC_1
Honored Contributor

Re: How to create ACLs

If I remember correctly, you require Online JFS (OnlineJFS) version 3 and above to support ACLs.
There is no substitute to HARDWORK
Stefan Farrelly
Honored Contributor

Re: How to create ACLs

Oops, change the cd /tmp to cd /stand (works on HFS).
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Stefan Farrelly
Honored Contributor

Re: How to create ACLs

Nope, doesn't work on 11 or 11i with OnlineJFS or JFS v3.3 installed. I don't think ACLs are supported at all on vxfs, only hfs.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
melvyn burnard
Honored Contributor
Solution

Re: How to create ACLs

Well, the first question is: what file system type are you doing this on?
The standard commands are for HFS file systems only.
If you want to do this on VxFS file systems, you must be running with JFS 3.3 file systems, and then you use separate commands for these types of ACLs, e.g. getacl is JFS only.
My house is the bank's, my money the wife's, but my opinions belong to me, not HP!
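The decision Melvyn describes (HFS: lsacl/chacl; VxFS: getacl/setacl, and only with JFS 3.3 on a version 4 layout), written up as a shell preflight check. This is an added example, not code from the thread or from HP-UX itself; the function names are assumptions, and the fstyp -v sample output is constructed (only its "version: 4" line appears in the thread).

```shell
#!/bin/sh
# Added example, not code from the thread or from HP-UX: pick the ACL command
# family for a file system, using the rule given in the answers (HFS uses
# lsacl/chacl; VxFS uses getacl/setacl, but only with JFS 3.3 on a disk
# layout version 4 file system). Function names are assumptions.

# Read "fstyp -v <device>" output on stdin and print the disk layout version.
# The only line relied on is the "version: N" line shown in the thread.
fstyp_layout_version() {
    awk '$1 == "version:" { print $2; exit }'
}

# Print which ACL commands apply. $1 = file system type, $2 = layout version
# (VxFS only; defaults to 0 so an unknown version is treated as unsupported).
acl_commands_for() {
    fstype=$1
    version=${2:-0}
    case "$fstype" in
        hfs)
            echo "lsacl/chacl"
            ;;
        vxfs)
            if [ "$version" -ge 4 ]; then
                echo "getacl/setacl"
            else
                echo "none: upgrade to JFS 3.3 and a version 4 layout first"
            fi
            ;;
        *)
            echo "no ACL support known for file system type '$fstype'" >&2
            return 1
            ;;
    esac
}

# On a live HP-UX box: check the file system holding the current directory.
# Same bdf pipeline Ralph uses later in the thread; bdf and fstyp exist only
# on HP-UX, so this wrapper is defined but not run in the demonstration below.
acl_commands_for_cwd() {
    dev=$(bdf . | awk '$1 ~ /dev/ { print $1 }')
    acl_commands_for "$(fstyp "$dev")" "$(fstyp -v "$dev" | fstyp_layout_version)"
}

# Constructed sample of fstyp -v output for a layout version 4 VxFS; only the
# "version: 4" line is taken from the thread, the other lines are illustrative.
SAMPLE_FSTYP_OUT='vxfs
version: 4
f_bsize: 8192
f_frsize: 1024'

demo_layout4() {
    acl_commands_for vxfs "$(printf '%s\n' "$SAMPLE_FSTYP_OUT" | fstyp_layout_version)"
}

demo_layout4
```

On the box itself you would call acl_commands_for_cwd from the directory holding the configuration file; the parsing functions are split out so the decision can be exercised on captured output first.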
James Murtagh
Honored Contributor

Re: How to create ACLs

Hi Ralph,

If you are using vxfs, it needs to be JFS 3.3 version 4, which is the default on 11i. This is an example:

# pwd
/home/james
# bdf /home|tail -1
/dev/vg00/lvol5 57344 17261 37623 31% /home
# fstyp -v /dev/vg00/lvol5|grep -i vers
version: 4
# ll james.ksh
-r-xr----- 1 james users 31 Dec 31 12:27 james.ksh
# getacl james.ksh
# file: james.ksh
# owner: james
# group: users
user::r-x
group::r--
class:r--
other:---
# setacl -m user:oracle:r-x james.ksh
# getacl james.ksh
# file: james.ksh
# owner: james
# group: users
user::r-x
user:oracle:r-x
group::r--
class:r-x
other:---

Please see the getacl and setacl manpages.

Regards,

James.
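What the class entry in James's session does: on JFS it is the mask that caps every named user entry and every group entry (the owner "user::" entry and "other" are never masked), and it widened from r-- to r-x when user:oracle:r-x was added. The following is an added example, not James's code and not an HP-UX tool: a small parser for getacl output that applies the class mask and checks an entry against an intended maximum, which is the check Ralph's read-only configuration-file requirement calls for. ACL_AFTER is the getacl output shown above; ACL_MASKED and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from HP-UX: read JFS getacl output and
# work out the permissions a principal actually gets. The "class" entry caps
# every named user entry and every group entry; "user::" (owner) and "other"
# are not masked. Function names and the ACL text constants are assumptions,
# constructed from the getacl session in James's post.

# acl_effective TYPE NAME  (ACL text on stdin)
#   TYPE is user|group|other, NAME is the entry name ("" for user::, group::
#   and other). Prints the effective rwx triple; exits 1 if no such entry.
acl_effective() {
    awk -v want_type="$1" -v want_name="$2" '
        /^#/ { next }                      # skip "# file:", "# owner:", "# group:"
        {
            n = split($0, f, ":")
            type = f[1]; name = (n == 3) ? f[2] : ""; perm = f[n]
            if (type == "class") { mask = perm; next }
            if (type == want_type && name == want_name) { entry = perm; found = 1 }
        }
        END {
            if (!found) exit 1
            unmasked = (want_type == "user" && want_name == "") || want_type == "other"
            if (unmasked || mask == "") { print entry; exit 0 }
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(entry, i, 1); m = substr(mask, i, 1)
                out = out ((c != "-" && m != "-") ? c : "-")
            }
            print out
        }'
}

# acl_within TYPE NAME ALLOWED  (ACL text on stdin)
#   Succeeds when the effective permission grants nothing beyond ALLOWED,
#   e.g. "r--" for the read-only config-file case from the original question.
acl_within() {
    eff=$(acl_effective "$1" "$2") || return 0   # no direct entry: nothing granted by it
    i=1
    while [ "$i" -le 3 ]; do
        c=$(printf '%s' "$eff" | cut -c"$i")
        a=$(printf '%s' "$3" | cut -c"$i")
        [ "$c" = "-" ] || [ "$c" = "$a" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# getacl output after "setacl -m user:oracle:r-x james.ksh", as shown above.
ACL_AFTER='# file: james.ksh
# owner: james
# group: users
user::r-x
user:oracle:r-x
group::r--
class:r-x
other:---'

# Constructed variant: a wider named entry with the class left at r--; the
# class, not the entry, decides what oracle can actually do.
ACL_MASKED='user::r-x
user:oracle:rwx
group::r--
class:r--
other:---'

printf '%s\n' "$ACL_AFTER"  | acl_effective user oracle   # r-x
printf '%s\n' "$ACL_MASKED" | acl_effective user oracle   # r-- (capped by class)
```

Piping `getacl file | acl_within user oracle r--` after a setacl gives a yes/no answer on whether the grant stayed read-only, which is easier to review than eyeballing the class line.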
T G Manikandan
Honored Contributor

Re: How to create ACLs

It can only work with JFS version 3.3 (minimum level).

Thanks

Ralph Grothe
Honored Contributor

Re: How to create ACLs

Melvyn,

I'm trying this on a vxfs filesystem.

Didn't know that it should only work on hfs.
Then it'd be of no use to me since only /stand on our boxes uses the "high-performance file system".

How can I find out the version (i.e. release) of vxfs our filesystems are on?

E.g. this is jfs-related software on the box:

# swlist|grep -i jfs
B3929BA B.11.00 HP OnLineJFS (Advanced VxFS)
PHKL_18452 1.0 Invalid I/O sizes from JFS causes hangs
PHKL_18800 1.0 Cumulative JFS patch - panic:dirty inval
PHKL_18801 1.0 Fix for JFS fsadm ENOSPC errors
PHKL_19991 1.0 Fixes mmap & I/O coherency, enables JFS ACLs
Madness, thy name is system administration
T G Manikandan
Honored Contributor

Re: How to create ACLs

Ralph Grothe
Honored Contributor

Re: How to create ACLs

Shoot,
looks like my vxfs release isn't prepared for ACLs:

# fstyp -v $(bdf .|awk '$1~/dev/{print $1}')|grep version
version: 3

:-(

Ok, back to sudo...
Madness, thy name is system administration
James Murtagh
Honored Contributor

Re: How to create ACLs

Hi Ralph,

If you have JFS 3.1 you should be able to upgrade to 3.3 at no extra cost. The following link is from the software recovery handbook written by the German Response Centre engineers; it describes the different versions, how to upgrade, etc., and is very good.

http://us-support3.external.hp.com/iv/data/documents/DE_SW_UX_swrec_EN_01_E/JFS.pdf

Regards,

James.
Greg OBarr
Regular Advisor

Re: How to create ACLs

ACLs.... I haven't had to think about ACLs since the old Apollo Domain/OS days.....
George Rudman
Occasional Contributor

Re: How to create ACLs

Hi guys

I certainly learnt something here, i.e. that I can't use ACLs if I haven't got HFS or OnlineJFS 3.3 at least.

My scenario: a client of mine needs to give some people read access to files owned by root. ACLs would be perfect, but are now out of the question since they don't have JFS.
The other option would be to copy the file and change the permissions, but that's probably not a good idea since the file can be quite large and would waste space (that I don't have!) :-)

What other options do I have to give these certain users access to the required files?

Thank you
George
Greg OBarr
Regular Advisor

Re: How to create ACLs

Maybe you could try this:

1) create a new group for this access in /etc/group
2) change group ownership of these files to this new group and change group permissions to r-- on these files
3) add the users to this group who need read access to these files.
George Rudman
Occasional Contributor

Re: How to create ACLs

Hi
I played around with this idea and came up with the following.

Take the following file:
-rwxr-x--- 1 root mail 314 Dec 21 2001 filename
In this case only root and users in the "mail" group have read access to the file. Now I create a separate group, say "test", and add all the users currently in the "mail" group to it as their secondary group, as well as adding the ids of the people you require to have access, on a secondary level.

Thus the file would look like this:
-rwxr-xr-- 1 root test 314 Dec 21 2001 filename

Now, all previous users from the "mail" group (which is only root) still have their original access, plus the additional users also have that same access.
The problem here is that the additional users now have read and write access where we originally needed only read access. The only solution here is to change the group permission to read-only access, to look like this:
-rwxr--r-- 1 root test 314 Dec 21 2001 filename

Most system groups include only root as a member, so changing this group permission will have no impact, since root is the owner and still has full access.

To conclude, I can only implement this solution where we can change the permissions to read-only for the group without decreasing the normal users' permissions in the current group (i.e. "mail" in my example). In this example only root is in the "mail" group, so this can be done, but once there are other ids in the group as well I cannot change the group permission, because this will effectively decrease their permissions, which can lead to other problems.

Thanks for the feedback.
George
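Greg's three steps and George's analysis of when they are safe, as one added shell example (not code from either of them and not an HP-UX tool): a preflight check that parses the ls -l line and the group and passwd files to find out whether narrowing the group bits would take anything away from existing members of the file's current group, plus the chgrp/chmod step itself. It goes one step further than George's post by also counting accounts whose primary group in /etc/passwd is the file's group, which the /etc/group member list alone does not show. Function names are assumptions; the group and passwd lines are constructed samples, and only the "mail" ls -l line is taken from the post.

```shell
#!/bin/sh
# Added example, not code from the thread: the group-based workaround Greg
# outlines (new group, chgrp, group bits r--, add readers to the group), with
# the preflight check George's analysis calls for. Narrowing the group bits
# hurts nobody only when the owner is the sole member of the file's current
# group; anyone else in it would lose the removed bits. Function names are
# assumptions; the group and passwd lines below are constructed samples.

# Group permission triple (characters 5-7) of an ls -l mode string.
mode_group_perms() {
    printf '%s\n' "$1" | cut -c5-7
}

# Bits present in OLD but absent from NEW, e.g. perms_lost r-x r-- prints "x".
perms_lost() {
    lost=""
    i=1
    while [ "$i" -le 3 ]; do
        o=$(printf '%s' "$1" | cut -c"$i")
        n=$(printf '%s' "$2" | cut -c"$i")
        if [ "$o" != "-" ] && [ "$n" = "-" ]; then
            lost="$lost$o"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$lost"
}

# group_other_members GROUPFILE PASSWDFILE GROUP OWNER
#   Everyone in GROUP except OWNER: the member list in the group file plus
#   accounts whose primary group (passwd field 4) is GROUP's gid, which the
#   group file alone does not show. Printed sorted, comma separated.
group_other_members() {
    awk -F: -v g="$3" -v owner="$4" '
        FNR == NR {                                   # first file: group file
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != owner) print m[i]
            }
            next
        }
        gid != "" && $4 == gid && $1 != owner { print $1 }   # second file: passwd
    ' "$1" "$2" | sort -u | paste -s -d, -
}

# group_grant_preflight "LS_LINE" NEWPERM GROUPFILE PASSWDFILE
#   Succeeds when setting the group bits to NEWPERM takes nothing away from
#   anyone already in the file's group; fails (and says who) otherwise.
group_grant_preflight() {
    newperm=$2; groupfile=$3; passwdfile=$4
    set -- $1                 # split the ls -l line into fields (unquoted on purpose)
    mode=$1; owner=$3; group=$4
    lost=$(perms_lost "$(mode_group_perms "$mode")" "$newperm")
    others=$(group_other_members "$groupfile" "$passwdfile" "$group" "$owner")
    if [ -n "$lost" ] && [ -n "$others" ]; then
        echo "unsafe: members of '$group' would lose '$lost': $others" >&2
        return 1
    fi
    echo "ok: g=$newperm on a file in group '$group' affects nobody but '$owner'"
}

# grant_read_via_group FILE GROUP
#   Greg's step 2: hand the file to the new group and let the group read only.
#   'other' is closed as well, since the point is to restrict who can read.
#   Creating the group and adding its members (steps 1 and 3) are done with
#   groupadd/usermod or by editing /etc/group; this function is not run here.
grant_read_via_group() {
    chgrp "$2" "$1" && chmod g=r,o= "$1"
}

# Constructed samples: George's "mail" case (only root) and a group with other
# members. Temporary files stand in for /etc/group and /etc/passwd.
GROUP_FILE=$(mktemp); PASSWD_FILE=$(mktemp)
trap 'rm -f "$GROUP_FILE" "$PASSWD_FILE"' EXIT
printf '%s\n' 'root::0:root' 'mail::6:root' 'staff::20:root,alice,bob' > "$GROUP_FILE"
printf '%s\n' 'root:*:0:3::/:/sbin/sh' 'alice:*:101:20::/home/alice:/usr/bin/sh' \
    'bob:*:102:20::/home/bob:/usr/bin/sh' 'carol:*:103:20::/home/carol:/usr/bin/sh' > "$PASSWD_FILE"
LS_MAIL='-rwxr-x--- 1 root mail 314 Dec 21 2001 filename'     # the file from George's post
LS_STAFF='-rwxr-x--- 1 root staff 314 Dec 21 2001 filename'   # constructed counter-example

group_grant_preflight "$LS_MAIL" r-- "$GROUP_FILE" "$PASSWD_FILE"
group_grant_preflight "$LS_STAFF" r-- "$GROUP_FILE" "$PASSWD_FILE" || echo "refused: keep r-x or pick another route"
```

Run the preflight with the real /etc/group and /etc/passwd before chgrp; if it refuses, the choice is between keeping the old group bits (which gives the new readers more than read) and a different mechanism, which is exactly the corner George ends up in.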