![[Return to Library]](BOOKSHELF.GIF)
![[Contents]](TOC.GIF)
![[Previous Chapter]](REW.GIF)
![[Next Section]](NEXT.GIF)
![[Next Chapter]](FF.GIF)
![[Index]](INDEX.GIF)
![[Help]](HELP.GIF)
The Digital UNIX ACLs are based on the POSIX P1003.6 Draft 13 standard. The ACL library routines may change as the P1003.6 standard is finalized.
The ACL subsystem is shipped as part of the base system, but is a kernel build-time option. Note that building the ACL subsystem is not the default choice. Base system components do not require ACLs for current operations and no files are shipped with ACLs on them.
If layered products need ACL support, then ACLs must be enabled. If this is not done, then access granted to an object may not be the correct access.
ACLs are currently supported on UFS, AdvFS, and NFS-mounted file systems. ACLs on DFS, CDFS and Internet IPC sockets are not currently supported.
Where the ACL is stored depends on the type of object it is associated with. ACLs for file system objects are stored in the property list associated with the object on the local Digital UNIX file system.
Because Digital UNIX ACLs are stored on a file system's property list, Digital UNIX supports only file systems that provide property lists. The currently supported files systems are as follows:
See the proplist(4) reference page for more information about property lists.
See Section 21.8 for information on importing and exporting data between file systems.
![[Previous Section]](PREV.GIF)
The primary tasks of the administrator relative to the trusted system's access control list mechanisms are:
To administer the ACLs on your Digital UNIX system, you need to be familiar with the commands documented on the following reference pages:
The optional Digital UNIX ACLs are shipped as part of the base system and can be loaded and used independently of other enhanced security features. The enhanced security subsets (OSFC2SECxxx and OSFXC2SECxxx) do not need to be installed on your system.
Before you configure ACLs, you need to answer the following questions:
You must set an ACL for each object that you want to protect. See the setacl(1) and getacl(1) reference pages for instructions on setting and retrieving ACLs. Directories also have two default ACLs that can be set. These default ACLs define what ACLs are inherited by new files and subdirectories created under them. See Section 5.9 for a description of the ACL inheritance rules.
The Digital UNIX ACL subsystem is enabled by editing the configuration file, rebuilding the kernel, and rebooting the system. Use the following procedure to enable ACLs.
#
doconfig -c
MACHINE
#
cp /usr/sys/
MACHINE
/vmunix /vmunix
Example 11-1 illustrates how to enable ACLs.
# cd /usr/sys # doconfig -c MACHINE
*** KERNEL CONFIGURATION AND BUILD PROCEDURE ***
Saving /usr/sys/conf/MACHINE as /usr/sys/conf/MACHINE.bck
Do you want to edit the configuration file? (y/n) [n]: y
Using ed to edit the configuration file. Press return when ready, or type 'quit' to skip the editing session: 2397 a options DEC_ACL . w 2413 q
*** PERFORMING KERNEL BUILD *** Working....Tue Oct 3 08:29:47 EDT 1995 Working....Tue Oct 3 08:31:50 EDT 1995
The new kernel is /usr/sys/MACHINE/vmunix # cp /usr/sys/MACHINE/vmunix /vmunix # reboot
The Digital UNIX ACL subsystem is disabled by editing the configuration file, rebuilding the kernel, and rebooting the system. Use the following procedure to disable ACLs.
#
doconfig -c
MACHINE
#
cp /usr/sys/
MACHINE
/vmunix /vmunix
Example 11-2 illustrates how to disable ACLs.
# doconfig -c MACHINE
*** KERNEL CONFIGURATION AND BUILD PROCEDURE ***
Saving /usr/sys/conf/MACHINE as /usr/sys/conf/MACHINE.bck
Do you want to edit the configuration file? (y/n) [n]: y
Using ed to edit the configuration file. Press return when ready, or type 'quit' to skip the editing session: 2395 /DEC_ACL options DEC_ACL d w q
Are you satisfied with the changes made during the editing session? (y/n) [y]: y
*** PERFORMING Kernel Build *** Working....Tue Oct 3 08:41:10 EDT 1995 Working....Tue Oct 3 08:43:13 EDT 1995
The new kernel is /usr/sys/MACHINE/vmunix # cp /usr/sys/MACHINE/vmunix /vmunix # reboot
To determine the status of ACLs in a kernel you are going to boot, enter the following command:
#
nm -Bn /vmunix | grep sp_insert_ir
If the string "sp_insert_ir" is present, the ACLs are loaded in the kernel; if the string "sp_insert_ir" is not present, the ACLs are not loaded.
Use the dbx command to determine if ACLs are currently running in the system as follows (make sure that /vmunix is the kernel that was booted):
#
dbx /vmunix -k
dbx version 3.11.8 Type 'help' for help.
warning: cannot get register (number = 70)
stopped at [thread_block:2016 ,0xfffffc00002b2da0] \ Source not available
warning: Files compiled -g3: parameter values probably wrong (dbx) print paclpolicy 0
The output of the print paclpolicy is interpreted as follows:
Note that paclpolicy is a global variable in the kernel.
The fsck and fsdb commands are used to recover property lists and ACLs, respectively, in the event of a system crash. If ACLs are enabled when fsck is run on a file system, fsck verifies all property lists on the file system unless instructed otherwise. If a property list is found that is not correct, fsck attempts to correct it. In most cases, restoring the property list also restores the ACL. The ACLs are validated by kernel read for access decisions.
The fsdb command examines the ACL in either the internal or external format. A privileged user can change the ACL using fsdb.
Because the standalone system (SAS) is strictly intended for installing a system and repairing the root file system, the ACL code is not present. This is accomplished by not shipping ACLs with the system and fsck and fsdb having ability to extract and manipulate ACLs from the property list obtained from the raw partition.