Wednesday, December 4, 2013

Using Solaris ACLs

An ACL (Access Control List) facility is available on disk partitions hosted on servers running Solaris OS. [Note: As of January 2002, the home filesystems have been moved to a Network Appliance Filer. While providing increased performance and capacity, it does not currently support Solaris ACLs; users depending on this feature should contact the Lab Staff. This deficiency is expected to be remedied when NFSv4 is released.]

Solaris ACLs (Access Control Lists)

If you need more complex file permissions than the standard UNIX permissions allow for, you may want to consider using Access Control Lists (ACLs) under Solaris. These allow you to set permissions on your files and directories to grant or deny access to arbitrary combinations of individual users and groups.
Note: The ACLs will only work under Solaris. So for networked filesystems, both the server and the client must be running Solaris.
We will consider a file created with typical UNIX permissions:
 user@login% ls -l testfile 
 -rw-r--r--   1 user    prof         2352 Jan 29 13:37 testfile
The default ACL for this file can be seen using the getfacl command:
 user@login% getfacl testfile
 # file: testfile
 # owner: user
 # group: prof
 user::rw-
 group::r--              #effective:r--
 mask:r--
 other:r--
The user and group permissions are those for the owner (user) and the default group (prof), respectively. The mask indicates the maximum permission available to all users, except the owner. The effective permission, to the right of the group permission, represents the intersection (bitwise AND) of the specified permissions for a user/group and the mask field. The effective permission is what a user, other than the owner, will see when they try to access the file.
For files with ACL entries, the chmod command will change the default mask for the file, as well as change the standard UNIX permissions. From the setfacl manual page:
 ``The ACL mask indicates the maximum permissions allowed for
 users (other than the owner) and for groups. The mask is a
 quick way to change permissions on all the users and groups.''
To add ACL entries to a file, one uses the setfacl command. The syntax for an access record is
 token:name:perms
There are several possible tokens; a short, but mostly comprehensive list of the possible types of ACL entries is as follows:
 user:uid:perms
 group:gid:perms
 other:perms
 mask:perms
Here uid/gid may be either a UNIX user/group name or a numeric user/group ID. The perms are standard UNIX file permissions (i.e. r,w,x). Permissions may be specified either as symbolic characters or a number (the same as for the chmod command). Multiple records may be added by a single command, separated by commas.
To add or modify records using the setfacl command, one of three options is required. The -s option sets the ACL, replacing any previous entries; the -m option modifies or adds entries; and the -f filename option sets the ACL entries contained in filename. The -d option removes one or more ACL entries from a file. Additionally, the -r option automatically recalculates the mask to give the proper access for a newly set or modified ACL; otherwise an ACL mask entry must be given on the command line. The default mask can also be changed using the standard UNIX chmod command.
For example, to add ``read'' and ``write'' permissions for the group tune, the following command would be used:
 user@login% setfacl -r -m group:tune:rw- testfile
The -m option causes the default ACL to be modified, the -r option recalculates the ACL mask for the file. The output of the getfacl command might then read:
 user@login% getfacl testfile
 # file: testfile
 # owner: user
 # group: prof
 user::rw-
 group::r--              #effective:r--
 group:tune:rw-          #effective:rw-
 mask:rw-
 other:r--
Note the addition of the group entry for the tune group as well as the recalculated mask entry. The output of the ls command will now reflect that ACLs have been enabled for this file by the addition of a + at the end of the regular UNIX permissions.
 user@login% ls -l testfile
 -rw-r--r--+  1 user    prof         2352 Jan 29 13:38 testfile
Members of the group tune may now read and write to this file. Note that using the chmod command on the file will change the default mask, possibly preventing users or groups from accessing the file. Be sure that the "effective" permissions shown in the ACL match the permission you wish to give to a user or group.
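The two rules above (effective permission is the entry's permission AND the mask; setfacl -r rebuilds the mask from the group and named entries) can be modelled in a few shell functions. This is an added example, not code from the original page, and the entry list syntax it parses is the token:name:perms form described above:

```shell
# Added example, not code from the original page: it models the two rules the text
# explains, effective = entry permission AND mask, and the mask that setfacl -r
# recalculates (the union of all entries except owner, other and mask).
# Entries use the page's token:name:perms syntax, comma-separated.

perm_to_num() {                      # symbolic rwx triple -> octal digit 0..7
  n=0
  case $1 in *r*) n=$((n + 4)) ;; esac
  case $1 in *w*) n=$((n + 2)) ;; esac
  case $1 in *x*) n=$((n + 1)) ;; esac
  echo "$n"
}

num_to_perm() {                      # octal digit 0..7 -> symbolic rwx triple
  p=""
  if [ $(($1 & 4)) -ne 0 ]; then p="${p}r"; else p="${p}-"; fi
  if [ $(($1 & 2)) -ne 0 ]; then p="${p}w"; else p="${p}-"; fi
  if [ $(($1 & 1)) -ne 0 ]; then p="${p}x"; else p="${p}-"; fi
  echo "$p"
}

effective() {                        # effective PERMS MASK: getfacl's #effective column
  num_to_perm $(( $(perm_to_num "$1") & $(perm_to_num "$2") ))
}

recalc_mask() {                      # recalc_mask ENTRY_LIST: what setfacl -r computes
  m=0
  for e in $(printf '%s' "$1" | tr ',' ' '); do
    case $e in
      user::*|other:*|mask:*) ;;     # owner, other and mask do not feed the mask
      *) m=$(( m | $(perm_to_num "${e##*:}") )) ;;
    esac
  done
  num_to_perm "$m"
}

show_acl() {                         # show_acl ENTRY_LIST MASK: getfacl-style listing
  for e in $(printf '%s' "$1" | tr ',' ' '); do
    case $e in
      user::*|other:*|mask:*) printf '%s\n' "$e" ;;
      *) printf '%-24s#effective:%s\n' "$e" "$(effective "${e##*:}" "$2")" ;;
    esac
  done
  printf 'mask:%s\n' "$2"
}

acl='user::rw-,group::r--,group:tune:rw-,other:r--'  # the testfile ACL shown above
show_acl "$acl" "$(recalc_mask "$acl")"   # -r mask is rw-: tune effectively rw-
show_acl "$acl" r--                       # mask after chmod g-w: tune clipped to r--
```

The second listing shows the caveat in practice: once chmod has lowered the group bits (and so the mask) to r--, the tune entry still reads rw- but its effective permission drops to r--.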
To turn the permissions for a file "off" use the -d option to setfacl, specifying which access record to delete:
 user@login% setfacl -r -d group:tune testfile
The dtfile file manager provides an easy, graphical interface to managing Solaris ACLs. Under the Selected->Properties menu there is a button to "Show Access Control List". Here permissions for a particular user or group can be added to or removed from a file. The program makes sure the mask setting is correct to give the intended permissions. This program is part of the CDE desktop environment, but can be invoked under OpenWindows as well.

ACLs on directories

ACLs can also be set on directories. If regular ACLs are set as in the file example above, the effect is just to control access to the directory. An additional class of ACLs is also available for use on directories; these are called default ACLs. Default ACLs automatically propagate to any new files and directories created in this directory. This will also affect (set) the permission bits on the created files. This can be used as a mechanism to, e.g., automatically set g+w on new files, which might be useful in certain shared directories.
Default ACLs are a bit complex and are out of the scope of this document. Please consult the setfacl manual page for more details.


Setting Permissions for a File from a Command Line

To set ACL permissions from a command line, you must specify at least the basic set of user, group, other, and mask permissions. Type the following command to set ACL permissions:
 setfacl -s u::<perm>,g::<perm>,o:<perm>,m:<perm>[,u:<UID>:<perm>][,g:<GID>:<perm>] <filename1> [<filename2>]
You can set users by using either their username or their UID number. Note that before you can use the username argument, the user account must already exist in the Passwd database or in the local /etc/passwd file. You can assign permissions to any UID by number, regardless of whether a user account exists.
In the same way, you can set group names by using either the group name or the GID number.
The following example assigns all of the permissions to the user, restricts group permissions to read-only, and denies permissions to other. The default mask sets read-write permissions, and user ray is assigned read-write permissions to the file foo.
First, take a look at the current permissions for the file:
castle% ls -l foo
-rw-rw-rw-    1 winsor       staff      0 Oct 3 14:22 foo
Then set permissions for user, group, owner, and the mask and add one user to the ACL:
castle% setfacl -s u::rwx,g::r--,o:---,mask:rw-,u:ray:rw- foo
Using octal values, as shown in the following example, gives you the same result:
castle% setfacl -s u::7,g::4,o:0,mask:6,u:ray:6 foo
Next, verify that the permissions have been set and that the file has an ACL:
castle% ls -l foo
-rwxrw----+  1 winsor   staff      0 Oct  3 14:22 foo
As you can see, the permissions for the file are changed and the plus sign after the permission field shows that the file has an ACL. Last, use the getfacl command to verify that everything has been set correctly:
castle% getfacl foo

# file: foo
# owner: winsor
# group: staff
user::rwx
user:ray:rw-         #effective:rw-
group::rw-           #effective:rw-
mask:rw-
other:---
castle%
The getfacl command always displays ACL permissions symbolically, regardless of how you specify the values from the command line.

Using an ACL Configuration File to Set Permissions

You can create an ACL configuration file that contains a list of the permissions you want to set and then use that filename as an argument to the setfacl -s command.

NOTE:  You can use a configuration file only with the -s option to the setfacl command.
Use the following steps to set up the ACL configuration file:
1.  Use any editor to create a file.
2.  Edit the file to include the permissions you want to set, putting each statement on a separate line. Be sure to include permissions for user, group, other, and mask as a minimum set.
3.  Save the file by using any filename you choose.
4.  Type setfacl -f <acl_filename> <filename1> [<filename2>] [<filename3>] and press Return.
5.  Type getfacl <filename1> [<filename2>] [<filename3>] and press Return to verify that the permissions are set correctly.

NOTE:  If you make typographical errors in the configuration file, the command might return a prompt without displaying any error messages. If you make syntax errors, the setfacl command might display an error message. Be sure to use the getfacl command to check that the permissions are set properly.
In the following example, the owner has rwx permissions, group has rw-, other has ---, and the mask is rw-. Three users with different permissions are also granted access to the file. The ACL configuration file, here named anything, contains the following access list:
u::rwx
g::rw-
o:---
m:rw-
u:ray:rwx
u:des:rw-
u:rob:r--
Once you have set up the ACL file named anything, you can use the setfacl -f option to assign those same permissions to one or more files. In the following example, the file named anything is used as the argument to the -f option to change the ACLs of the files foo and bar so that they match the entries in anything:
castle% setfacl -f anything foo bar
castle% getfacl foo bar

# file: foo
# owner: winsor
# group: staff
user::rwx
user:ray:rwx         #effective:rwx
user:des:rw-         #effective:rw-
user:rob:r--         #effective:r--
group::rw-           #effective:rw-
mask:rw-
other:---

# file: bar
# owner: winsor
# group: staff
user::rwx
user:ray:rwx         #effective:rwx
user:des:rw-         #effective:rw-
user:rob:r--         #effective:r--
group::rw-           #effective:rw-
mask:rw-
other:---
castle%
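Because a typo in the configuration file may produce no error message, it is worth checking the file's syntax before passing it to setfacl -f. The following checker is an added example, not code from the original page; it accepts the u/g/o/m tokens used in the file above (or their long forms), symbolic or numeric permissions, and insists on the minimum set of owner, group, other and mask entries:

```shell
# Added example, not code from the original page: a syntax check to run on an ACL
# configuration file before handing it to setfacl -f, since a typo there may go
# unreported. It accepts the u/g/o/m tokens used in the file above (or their long
# forms), symbolic or numeric perms, and requires the minimum set u::, g::, o:, m:.

check_acl_file() {                   # check_acl_file FILE; returns 1 on any problem
  f=$1 rc=0 ln=0 seen=""
  while IFS= read -r line || [ -n "$line" ]; do
    ln=$((ln + 1))
    case $line in ''|'#'*) continue ;; esac        # skip blank and comment lines
    perms=${line##*:}                              # text after the last colon
    pre=${line%:*}                                 # everything before it
    case $perms in
      [rwx-][rwx-][rwx-]|[0-7]) ;;
      *) echo "$f:$ln: bad permissions in '$line'" >&2; rc=1; continue ;;
    esac
    case $pre in
      u:|user:)  seen="$seen u" ;;                 # owner entry u::perms
      g:|group:) seen="$seen g" ;;                 # owning-group entry g::perms
      o|other)   seen="$seen o" ;;
      m|mask)    seen="$seen m" ;;
      *:*:*) echo "$f:$ln: too many colons in '$line'" >&2; rc=1 ;;
      u:?*|user:?*|g:?*|group:?*) ;;               # named user or group entry
      *) echo "$f:$ln: bad entry '$line'" >&2; rc=1 ;;
    esac
  done < "$f"
  for req in u g o m; do                           # the minimum set the text requires
    case " $seen " in *" $req "*) ;;
      *) echo "$f: missing required entry '$req'" >&2; rc=1 ;; esac
  done
  return $rc
}

# Constructed sample files: the access list from the text, and one with three mistakes
printf '%s\n' u::rwx g::rw- o:--- m:rw- u:ray:rwx u:des:rw- u:rob:r-- > /tmp/acl_good
printf '%s\n' u::rwx g::rw- o:--- u:ray:rwz u::des:rw- > /tmp/acl_bad  # no mask, rwz, stray colon
check_acl_file /tmp/acl_good && echo "acl_good: ok"
check_acl_file /tmp/acl_bad || echo "acl_bad: rejected"
```

Run getfacl afterwards anyway, as the text advises; this check catches malformed lines, not a mask that clips the permissions you meant to grant.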

Adding and Modifying ACL Permissions

You can add and modify ACL permissions for a file that already has an ACL or for any existing UFS file or directory by using the setfacl -m command. Arguments to the setfacl -m command use the same syntax and structure as arguments to the setfacl -s command.
Because each file already has a default owner, group, other, and mask setting, you can use the setfacl -m command on any UFS file without first using the setfacl -s command to specify an owner, group, other, or mask setting. If the file already has the permissions you want to use, you can simply use the setfacl -m command to modify (and create) the ACL for any file or directory.
When you use the -m option, if an entry already exists for a specified UID or GID, the permissions you specify replace the current permissions. If an entry does not exist, it is created.
Type the following syntax to add and modify permissions for a file or files and press Return:
setfacl -m <acl_entry_list> <filename1> [<filename2>] [<filename3>]
In the following example, permissions for user ray are modified from rwx to rw- for the file foo.
castle% setfacl -m u:ray:rw- foo
castle% getfacl foo

# file: foo
# owner: winsor
# group: staff
user::rw-
user:ray:rw-         #effective:rw-
group::rw-           #effective:rw-
mask:rw-
other:rw-
castle%
