All the commands are run from the % (user) prompt, not the # (root) prompt, so do not confuse the lines beginning with # below with a root prompt: they are command output.
The ACL facility allows you to define more than just the usual eight permission bits for a file or directory. You can define a list of users (based on user-id or name) and groups (again, number or name) that you want to have access to a file. For each user or group getting special access, you can define read, write, or execute access permission.
There are only two commands that you need to learn for Solaris ACLs: setfacl for setting a file's ACLs and getfacl for reading them. There are also a bunch of system and library calls that make the ACL facility available to programs. One confusing aspect of ACLs is that, in essence, every file already has an ACL entry. Running getfacl on a normal file reveals some ACL information:
This ACL information is merely getfacl's interpretation of the Unix permissions on the file. The user, group and other information is a straightforward display of the permission bits for those fields. The mask field is very similar to the Unix umask method. It defines the maximum permissions allowed for users (other than the owner) and groups. Even if a user or group has permissions set that exceed the mask, the mask limits their access. The #effective display shows, for each user (except the owner) and group, the effect that the mask has on the permissions. The #effective output is the one to look at to determine exactly who can access the file and exactly what they are allowed to do.
To set an ACL for a file, use the command

% setfacl -m user:jeff:rw- foo
% ls -l foo
-rw-r--r--+  1 pbg      staff          0 Jul 22 13:52 foo
% getfacl foo
# file: foo
# owner: pbg
# group: staff
user::rw-
user:jeff:rw-         #effective:r--
group::r--            #effective:r--
mask:r--
other:r--
The -m option tells setfacl that I want to modify the ACLs for the file. Use the -s option to set the entire mode, but then you must type in the user, group, and other access bits as well:

% setfacl -s user::rw-,group::r--,other:---,mask:rw-,user:jeff:rw- foo
To set general user, group, and other permissions, use the field::perms identifier. To set ACLs for individual users and groups, use the
But back to our previous example. Notice that the effective access for user Jeff is unchanged: he can still only read the file, not write to it. That's the result of the mask being applied to his permissions. To grant Jeff the access desired, I need to:
% setfacl -m mask:rw- foo
% getfacl foo
# file: foo
# owner: pbg
# group: staff
user::rw-
user:jeff:rw-         #effective:rw-
group::r--            #effective:r--
mask:rw-
other:r--
Now Jeff has read and write permissions to the file, while all others have only read access. Of note is the slight change in behavior of the ls command. Any file with specific ACL information is shown with a + at the end of the permission field. Unfortunately, find doesn't seem to have an option to find all files with ACL lists.
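The mask rule described above (a named user's or the group's entry is ANDed with the mask to give the #effective column) can be reproduced offline. The script below is an added example, not part of the original article or of Solaris; it reads getfacl-style entries and recomputes #effective, and the SAMPLE_ACL text is constructed to match the foo example before its mask was widened.

```shell
# Added example (not from the original article): reproduce getfacl's
# #effective column by applying the mask to each named-user entry and to
# the group entry. SAMPLE_ACL below is constructed, not real output.

# effective PERMS MASK: prints PERMS with every bit absent from MASK cleared.
effective() {
    perms=$1 mask=$2 out=""
    for bit in r w x; do
        case "$perms/$mask" in
            *"$bit"*/*"$bit"*) out="$out$bit" ;;   # bit set in both
            *) out="$out-" ;;
        esac
    done
    printf '%s\n' "$out"
}

# annotate: reads getfacl-style entries on stdin (without the #effective
# column) and prints them with #effective added where the mask applies:
# named users and the owning group, never the owner, other, or defaults.
annotate() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask:\(...\)$/\1/p')
    : "${mask:=rwx}"                      # no mask line: nothing is limited
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case $line in
            user::*|other:*|mask:*|default:*|"#"*)
                printf '%s\n' "$line" ;;
            user:*|group:*)
                printf '%-22s#effective:%s\n' "$line" \
                    "$(effective "${line##*:}" "$mask")" ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample: foo after "setfacl -m user:jeff:rw- foo", while the
# mask is still r-- (so jeff's rw- is reported as #effective:r--).
SAMPLE_ACL='# file: foo
# owner: pbg
# group: staff
user::rw-
user:jeff:rw-
group::r--
mask:r--
other:r--'

printf '%s\n' "$SAMPLE_ACL" | annotate
```

Widening the mask to rw-, as the article does next, is the only change needed for effective(rw-, rw-) to report rw- for jeff.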
As well as setting an ACL for the directory, you can set a default ACL for the directory. This default ACL is used to set the ACL on every file created within the directory. The only way I managed to get directory ACLs to work was using the -s option with a very long parameter string:

% setfacl -s user::rwx,group::rw-,mask:r--,other:rw-,default:user::rw-,\
default:group::r-x,default:mask:rwx,default:other:r-x bar
% ls -ld bar
drwxr--rw-+  2 pbg      staff        512 Jul 22 14:11 bar
% getfacl bar
# file: bar
# owner: pbg
# group: staff
user::rwx
group::rw-            #effective:r--
mask:r--
other:rw-
default:user::rw-
default:group::r-x
default:mask:rwx
default:other:r-x
Now set a default ACL, and create a file in the directory:
% setfacl -m default:user:jeff:rwx bar
% getfacl bar
# file: bar
# owner: pbg
# group: staff
user::rwx
group::rw-            #effective:r--
mask:r--
other:rw-
default:user::rw-
default:user:jeff:rwx
default:group::r-x
default:mask:rwx
default:other:r-x
% touch bar/test
% getfacl bar/test
# file: bar/test
# owner: pbg
# group: staff
user::rw-
user:jeff:rwx         #effective:r--
group::r--            #effective:r--
mask:r--
other:r--
There are several other aspects of ACLs, including deleting ACLs and using abbreviations and permission bit numbers (rather than symbols). This information is provided on the appropriate manual pages.
To use ACLs over an NFS mount, both the client and server must be running Solaris 2.5 or better. If the client is running 2.5 but the server is running 2.4 or lower, you’ll see an error such as:
% touch foo
% getfacl foo
# file: foo
# owner: pbg
# group: staff
user::rw-
group::r--            #effective:r--
mask:rwx
other:r--
% setfacl -m user:jeff:rw- foo
foo: failed to set acl entries
setacl error: Operation not applicable
You'll get a similar error if you try to use ACLs in a swapfs-based directory (such as /tmp). Finally, there's a "non-feature" of ACLs when used with tar. tar itself works well with files that have associated ACLs. Unfortunately, the tar file is not readable under previous SunOS and Solaris operating systems.
It is also important to note that ACLs "stick" to a file during copy and rename operations. To remove the ACL from a file use setfacl -d for each entry. When the last entry is removed, the "+" disappears from the file's