Access Control List (ACL's) on AIX.

 
           Well. We speak so much of security and make secure system, in concerns of that here I am explaining how to put ACL’s on AIX system. As I presume its just the brief description of ACL on AIX system. You can also find how to put ACL’s on my previous article.

          As there is an interactive way to do it but well here I’ll be only trying it to do with files.

1. Create/Identify the file on which we need to put acl’s
# touch alctest2

2. Get the acl’s which exist on the file.
# ls -l acltest2
-rw-r–r– 1 root system 0 Jul 18 17:15 acltest2
# aclget acltest2
*
* ACL_type AIXC
*
attributes:
base permissions
owner(root): rw-
group(system): r–
others: r–
extended permissions
disabled

3. Now we will collect all the acl’s permission in an outputfile called as acldefs.
# aclget -o acldefs acltest2

4. Edit the file acldefs. and make the necessary changes as you want in the file.
for eg:
Base permissions
AIXC ACL specific base permissions are the traditional file-access modes assigned to the file
owner, file group, and other users. The access modes are read (r), write (w), and execute/search
(x).
Note: AIXC ACL type Base Permissions will be same as the file mode bits stored in the file
system object’s inode headers. That is, the information in base mode bits is same as the
value returned by file system when stat is performed on the file system object.
In an access control list, base permissions are in the following format, with the Mode parameter
expressed as rwx (with a hyphen (-) replacing each unspecified permission):
base permissions:
owner(name): Mode
group(group): Mode
others: Mode

Attributes
Three attributes can be added to an access control list:
setuid (SUID)
Set-user-ID mode bit. This attribute sets the effective and saved user IDs of the process to
the owner ID of the file on execution.
setgid (SGID)
Set-group-ID mode bit. This attribute sets the effective and saved group IDs of the process
to the group ID of the file on execution.
savetext (SVTX)
Saves the text in a text file format.
above attributes are added in the following format:
The attributes: SUID, SGID, SVTX

Extended permissions
AIXC ACL extended permissions allow the owner of a file to more precisely define access to that
file. Extended permissions modify the base file permissions (owner, group, others) by permitting,
denying, or specifying access modes for specific individuals, groups, or user and group
combinations. Permissions are modified through the use of keywords.
The permit, deny, and specify keywords are defined as follows:
permit
Grants the user or group the specified access to the file deny Restricts the user or group from using the specified access to the file specify Precisely defines the file access for the user or group a user is denied a particular access by either a deny or a specify keyword, no other entry can If override that access denial.
The enabled keyword must be specified in the ACL for the extended permissions to take effect.
The default value is the disabled keyword.
In an AIXC ACL, extended permissions are in the following format:
extended permissions:
enabled | disabled
permit Mode UserInfo…:
deny Mode UserInfo…:
specify Mode UserInfo…:

Use a separate line for each permit, deny, or specify entry. The Mode parameter is expressed as
rwx (with a hyphen (-) replacing each unspecified permission). The UserInfo parameter is
expressed as u:UserName, or g:GroupName, or a comma-separated combination of u:UserName and
g:GroupName.
Note: If more than one user name is specified in an entry, that entry cannot be used in an access
control decision because a process has only one user ID.

 5. After changing the files for necessary ACL permission’s save the file as we are going to use this file for our future input values.

6. Now to put the acl on the other file with as per the changes you made in your file.

# aclput -i acldefs acltest3

This will put the acl’s on the file with the values specfied in the acldefs file. and now you can play with acl’s

 

Note: To copy acl’s from one file to another.

# aclget filename | aclput filename1

 

That’s all for ACL’s for now. Will write about NFS4 ACL’s on AIX

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s