
Access Control Lists

In document Hp-Ux Unix Rehman (Page 93-98)

Chapter 7. File Permissions

7.8 Access Control Lists

Access control lists are used to grant or deny permissions to users or groups in addition to those specified with the traditional UNIX file access permissions. This mechanism is also called discretionary access control (DAC) and is supported under the older HFS file system but not under the modern JFS file system. To grant or deny specific file access to a user or group, the user and group are specified using the patterns shown in Table 7-3.

Table 7-3. Access Control List User Specification

Pattern     Description
user.group  ACL for a specific user and a specific group
user.%      ACL for a specific user and all groups
%.group     ACL for all users and a specific group
%.%         ACL for all users and all groups

Listing ACL

Access Control Lists can be listed using the lsacl command.

$ lsacl myfile

(boota.%, rwx) (jim.%,rwx) (%.users,r-x) (%.%,r--) myfile

$

This command shows that users boota and jim, belonging to any group, have all read, write, and execute permissions, all users of the users group have read and execute permissions, and all other users have only read permissions.

Changing ACL

The chacl command is used for changing ACLs. For example, to grant another user, mary, read, write, and execute (rwx) permissions on myfile:

$ chacl "mary.%=rwx" myfile

$ lsacl myfile

(boota.%, rwx) (jim.%,rwx) (mary.%,rwx) (%.users,r-x) (%.%,r--) myfile

$
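The following is an added example, not code from the book: it parses the lsacl output shown above, works out which ACL entry applies to a given user and group, and applies a chacl-style "user.group=rwx" change. It assumes the most specific matching entry wins, in the order user.group, user.%, %.group, %.%, and that each user is checked against one group at a time.

```python
import re

# Most to least specific pattern; assumption: the most specific match decides.
SPECIFICITY = ("user.group", "user.%", "%.group", "%.%")

# Matches one "(user.group,mode)" entry, tolerating stray whitespace.
ENTRY_RE = re.compile(r"\(\s*([^.\s]+)\.([^,\s]+)\s*,\s*([rwx-]{3})\s*\)")


def parse_lsacl(line):
    """Return ([(user, group, mode), ...], filename) from one lsacl output line."""
    entries = [(u, g, m) for u, g, m in ENTRY_RE.findall(line)]
    filename = line.strip().rsplit(None, 1)[-1]
    return entries, filename


def entry_kind(user, group):
    """Classify an entry into one of the four Table 7-3 patterns."""
    if user != "%" and group != "%":
        return "user.group"
    if user != "%":
        return "user.%"
    if group != "%":
        return "%.group"
    return "%.%"


def effective_mode(entries, user, group):
    """Mode string that applies to `user` in `group`; '---' if nothing matches."""
    best = None
    for u, g, m in entries:
        if u in (user, "%") and g in (group, "%"):
            rank = SPECIFICITY.index(entry_kind(u, g))
            if best is None or rank < best[0]:
                best = (rank, m)
    return best[1] if best else "---"


def apply_chacl(entries, spec):
    """Apply a 'user.group=rwx' spec: replace that entry if present, else add it."""
    target, mode = spec.split("=")
    user, group = target.split(".")
    new = [(u, g, m) for u, g, m in entries if (u, g) != (user, group)]
    new.append((user, group, mode))
    return new


def render_lsacl(entries, filename):
    """Re-create lsacl-style output, most specific entries first."""
    ordered = sorted(entries, key=lambda e: SPECIFICITY.index(entry_kind(e[0], e[1])))
    return " ".join(f"({u}.{g},{m})" for u, g, m in ordered) + " " + filename


if __name__ == "__main__":
    # Constructed input copied from the lsacl session above.
    acl, name = parse_lsacl("(boota.%, rwx) (jim.%,rwx) (%.users,r-x) (%.%,r--) myfile")
    print(effective_mode(acl, "mary", "users"))  # r-x via %.users
    print(render_lsacl(apply_chacl(acl, "mary.%=rwx"), name))
```

Running the block reproduces the second lsacl listing: mary gains rwx while the %.users and %.% entries are unchanged.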

7.9 Miscellaneous Commands

Here are a few other commands that are not used directly to modify file permissions but are related to this process.

The newgrp Command

If a user is a member of more than one group, all new files created by that user belong to the current group. If the user wants new files to belong to another group, the newgrp command changes the current group membership temporarily. In the following example, user boota belongs to the groups users (the default group) and class. See how the new files created by the touch command are affected by changing the group membership.

$ touch file1

$ ll file1

-rw-rw-rw- 1 boota users 0 Sep 8 18:06 file1

$ newgrp class

$ touch file2

$ ll file2

-rw-rw-rw- 1 boota class 0 Sep 8 18:06 file2

$

File file1 belongs to group users, while file2 belongs to group class.

The su Command

The switch user ID (su) command is used to change the user ID temporarily just as you used the newgrp command to change the group ID. You need to know the password for the user you are changing to. The following command changes the user ID to jim.

$ su jim

Password:

$

To switch back to the actual user ID, use the exit command. After changing the user ID, all new files created belong to the new user. The environment of user jim is not loaded unless you use su - jim instead of su jim.

If you don't specify any user name with the su command, it will change to user root. You can become the superuser temporarily by using this command if you know the root password.

Note

Many system administrators work under a user ID other than root and change the ID to root only if required. This is done to avoid any accidental damage to files with commands like rm.

The id Command

The id command is used to display the current user and group IDs. A typical result of this command is:

$ id

uid=415 (boota), gid=100 (users)

$

The command shows that the current user is boota having a user ID of 415. The current group membership is users and the group ID is 100.

Chapter Summary

In this chapter, you learned the concept of file permissions and access control lists. These are very important from a file- and system-security point of view. The following items were presented in this chapter.

• There are three types of user in UNIX: the owner, members of the owner's group, and all other users.

• The three types of permissions can be set for every file and directory. These are read, write, and execute permissions.

• A file's permissions can be changed with the chmod command.

• The owner and group of a file can be changed with the chown and chgrp commands.

• Use of the SETUID and SETGID bits and security problems associated with these.

• Use of the sticky bit and its effect on files and directories.

• Finding files with specific file permissions using the find command.

• Use of Access Control Lists (ACLs) with the lsacl and chacl commands, which are used to list and change ACLs, respectively.

In addition, you have also used some other commands that don't affect file permissions directly. The newgrp command is used to change group membership temporarily while the su command is used to change user ID temporarily. The id command is used to check the current user and group membership.

In the next chapter, we will see the file system structure of HP-UX and how different directories are arranged in the file system. We will also see which directory contains what type of files.

Chapter Review Questions

1: How many types of users are present in UNIX and what is the use of groups?

2: What is the advantage of placing a user in more than one group?

3: What is the use of SETUID from the system administration point of view?

4: Write a command to find all files in a directory with the sticky bit set and copy these files to the /tmp directory.

5: What if the SUID for a file is set but the file is not executable?

6: Why are the Access Control Lists used?

Test Your Knowledge

1 :

A file has rwxr-xr-- permissions. It is owned by a user mark belonging to a group users. You are logged in as user jim belonging to group users. What permissions do you have for this file?

only read permission

read, write, and execute permissions

read and execute permissions

You don't have any permissions for the file, as the file is owned by another user.

2 :

You are logged in as user jim and create a file myfile and want to give it to a user mark by changing its ownership. The command for this is:

chown mark myfile jim

chown mark myfile

chmod mark myfile

You can't change file ownership.

3 :

The id command without any argument lists:

user ID

group ID

both user and group IDs

system ID

4 :

You want to change your group ID temporarily. Which command will you use?

the newgrp command

5 :

The system administrator wants a command to be executed with superuser permissions no matter which user executes it. He or she will set:

the SUID bit

6 :

A file myfile already exists. You use the command touch myfile. What will be the effect of this command?

It will erase the file and create a new file with the same name and zero byte size.

It will rename the file as myfile.bak and create a new file with the name myfile and zero byte size.

It will change the file modification date and time to the current value.

It will do nothing, as the file already exists.

7 :

You are logged in as user boota belonging to group users. When you list files using the ll command, you see the following list.

-rwxrw-r-- 1 jim class 0 Sep 8 18:06 myfile

What operations can you perform on this file?

read, write, and execute

8 :

You use the command chmod 764 myfile. It provides:

read, write, and execute permissions to the owner

read and write permission to the group members of the owner of the file

read permission to all users of the system

all of the above
