If you're looking into Solaris ACLs, Ben Rockwood's blog post on when to use POSIX ACLs and when to use NFSv4 ACLs is a good place to start.
ACLs, or Access Control Lists, Rockwood explains, let users assign permissions beyond those the traditional "trivial" UNIX owner/group/other model allows. Managing group permissions in particular has become much simpler with the advent of ACLs.
Knowing when ACLs are in play is one of the keys to managing them successfully, and Rockwood presents an example that helps make that identification. He suggests thinking of ACLs as either trivial or non-trivial: every file always has an ACL, so regarding them as enabled or disabled is pointless. By way of example, he notes that a file whose ls -l listing carries a "+" has a non-trivial ACL, whereas a "normal" file (no "+") has a trivial one.
Rockwood further distinguishes between the "old school" POSIX ACLs and the "new school" NFSv4-style ACLs used by ZFS, with examples to make his point clear. He notes that "NFSv4 included a standard for ACLs, which is a major upgrade to the existing POSIX ACL capabilities and is interoperable with CIFS. For instance, I can give the user "tamarah" Write access to a file using POSIX ACLs, but with NFSv4 ACLs I can give "tamarah" access to only Append to the end of a file. That's pretty handy and much more granular," he observes.
"With NFSv4 ACLs the getfacl and setfacl commands are dead. Given that chmod and ls work with both POSIX and NFSv4 ACLs, I highly recommend that you concentrate on using those tools," Rockwood writes.
One caution the author includes concerns the concepts of "allow" and "deny," about which he writes, "...there are actions that we explicitly allow and others that we explicitly deny; if an action is neither, it's not allowed. At first the idea of explicitly denying seems redundant: just don't allow it. But this is all about layering, so if you explicitly deny the Write permission you're saying that no one should be able to, even if someone is given Write permission."
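To make the allow/deny layering concrete, and to show what the ACL entry strings for the "tamarah" append-only case look like, here is an added example that is not code from Rockwood's post. It parses entries in the verbose form Solaris prints with ls -v (user:name:perms:allow, owner@:perms:deny, and so on, optionally with an inheritance-flags field and a leading index) and applies the ordered evaluation NFSv4 specifies: entries are walked top to bottom, the first entry that decides a given permission wins, and anything never mentioned is denied. The ACL, the file owner "bob", the group "contractors" and all principals are constructed for the example.

```python
"""Ordered allow/deny evaluation of NFSv4-style ACL entries (Solaris `ls -v` form).

Added example, not code from Rockwood's post. Sample entries, owner, groups and
users below are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Set

SPECIAL_PRINCIPALS = {"owner@", "group@", "everyone@"}


@dataclass(frozen=True)
class Ace:
    kind: str              # "user", "group", "owner@", "group@" or "everyone@"
    who: Optional[str]     # user or group name for user:/group: entries, else None
    perms: FrozenSet[str]  # NFSv4 permission names, e.g. read_data, append_data
    flags: FrozenSet[str]  # inheritance flags (file_inherit, ...); not used for access checks
    allow: bool            # True for ":allow", False for ":deny"


def parse_ace(entry: str) -> Ace:
    """Parse one entry such as 'user:tamarah:append_data:allow'.

    A leading index ('0:owner@:...') as printed by Solaris `ls -v` is dropped.
    An optional inheritance-flags field may sit between perms and allow/deny.
    """
    fields = entry.strip().split(":")
    if fields and fields[0].isdigit():
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError(f"malformed ACE: {entry!r}")
    kind, *middle, access = fields
    if access not in ("allow", "deny"):
        raise ValueError(f"ACE must end in allow or deny: {entry!r}")
    who: Optional[str] = None
    if kind in ("user", "group"):
        if len(middle) < 2:
            raise ValueError(f"{kind} ACE needs a name and permissions: {entry!r}")
        who, *middle = middle
    elif kind not in SPECIAL_PRINCIPALS:
        raise ValueError(f"unknown ACE type {kind!r}: {entry!r}")
    if not middle:
        raise ValueError(f"ACE has no permission field: {entry!r}")
    perms = frozenset(p for p in middle[0].split("/") if p)
    flags = frozenset(f for f in middle[1].split("/") if f) if len(middle) > 1 else frozenset()
    return Ace(kind, who, perms, flags, access == "allow")


def ace_applies(ace: Ace, user: str, groups: Set[str], owner: str, owning_group: str) -> bool:
    """Does this entry name the requesting principal?"""
    if ace.kind == "owner@":
        return user == owner
    if ace.kind == "group@":
        return owning_group in groups
    if ace.kind == "everyone@":
        return True
    if ace.kind == "user":
        return ace.who == user
    return ace.who in groups  # kind == "group"


def access_allowed(acl: List[Ace], requested: Iterable[str], user: str,
                   groups: Iterable[str], owner: str, owning_group: str) -> bool:
    """Walk the entries in order; the first entry that decides a permission wins.

    A deny entry blocks the request if it covers any requested permission that no
    earlier allow entry has already granted, which is why an explicit deny placed
    early overrides later allows. Permissions no entry mentions are denied.
    """
    want = frozenset(requested)
    have = frozenset(groups)
    granted: Set[str] = set()
    for ace in acl:
        if not ace_applies(ace, user, have, owner, owning_group):
            continue
        hit = ace.perms & want
        if ace.allow:
            granted |= hit
            if granted >= want:
                return True
        elif hit - granted:
            return False
    return granted >= want


# Constructed sample ACL: an explicit deny layered ahead of the grants.
SAMPLE_ACL = [parse_ace(s) for s in (
    "0:group:contractors:write_data/append_data:deny",
    "1:user:tamarah:append_data:allow",
    "2:owner@:read_data/write_data/append_data/write_attributes:allow",
    "3:everyone@:read_data:allow",
)]


def can(user: str, groups: Iterable[str], *perms: str, acl: List[Ace] = SAMPLE_ACL) -> bool:
    """Check a request against a file owned by 'bob' with owning group 'staff' (constructed)."""
    return access_allowed(acl, perms, user, groups, owner="bob", owning_group="staff")


if __name__ == "__main__":
    print("tamarah append:", can("tamarah", ["staff"], "append_data"))                 # True
    print("tamarah write:", can("tamarah", ["staff"], "write_data"))                   # False
    print("contractor tamarah append:", can("tamarah", ["contractors"], "append_data"))  # False
    print("owner bob write:", can("bob", ["staff"], "write_data"))                     # True
    print("owner bob in contractors write:", can("bob", ["contractors"], "write_data"))  # False
```

The third and fifth checks are the layering point from the quote: the deny on "contractors" sits first, so even the file owner loses write access while a member of that group, and tamarah's later append grant never gets a say. Move the deny to the end of the list and the earlier allows win instead, which is why entry order, not just entry content, has to be reviewed when auditing an NFSv4 ACL.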
He notes, too, that building ACL entry strings calls for some ingenuity because of the sheer number of individual permissions, and he recommends using a GUI file manager such as GNOME Nautilus for the job. He recommends against using NFSv2 with its mount option, since it does not provide what one could legitimately call support.
On the other hand, he notes, NFSv3 works quite well when the shared filesystem is backed by UFS, and an example demonstrates his point.
NFSv3 leaves something to be desired when it comes to ACL support for ZFS filesystems, however: it simply doesn't work, Rockwood contends, and he suggests that users employ NFSv4 instead.
Rockwood's takeaway from the post:
- There are TWO types of file ACLs in Solaris: POSIX and NFSv4
- NFSv4 ACLs are very granular and powerful
- ACLs are a pita.
- NFSv3 ACL support (POSIX) does not work when sharing a ZFS filesystem; use NFSv4.
- GUIs are an ACL's best friend, sad but true.
- Avoid them if you can, but if/when you need them, they are there.