AIXC Access Control List
The AIXC Access Control List (ACL) type represents the behavior of the ACL type supported on AIX releases prior to 5.3.0. AIXC ACLs include base permissions and extended permissions. The JFS2 file system allows a maximum size of 4 KB for AIXC ACLs.
Setting base permissions for AIXC ACL
Base permissions are the traditional file-access modes assigned to the file owner, file group, and other users. The access modes are: read (r), write (w), and execute/search (x).
In an ACL, base permissions are in the following format, with the Mode parameter expressed as rwx (with a hyphen (-) replacing each unspecified permission):
base permissions:
owner(name): Mode
group(group): Mode
others: Mode
Setting attributes for AIXC ACL
- setuid (SUID): Set-user-ID mode bit. This attribute sets the effective and saved user IDs of the process to the owner ID of the file at run time.
- setgid (SGID): Set-group-ID mode bit. This attribute sets the effective and saved group IDs of the process to the group ID of the file at run time.
- savetext (SVTX): For directories, indicates that only file owners can link or unlink files in the specified directory.
In an ACL, attributes are listed in the following format:
attributes: SUID, SGID, SVTX
Setting extended permissions for AIXC ACL
Extended permissions allow the owner of a file to more precisely define access to that file. Extended permissions modify the base file permissions (owner, group, others) by permitting, denying, or specifying access modes for specific individuals, groups, or user and group combinations. Permissions are modified through the use of keywords.
The permit, deny, and specify keywords are defined as follows:
- permit: Grants the user or group the specified access to the file.
- deny: Restricts the user or group from using the specified access to the file.
- specify: Precisely defines the file access for the user or group.
If a user is denied a particular access by either a deny or a specify keyword, no other entry can override that access denial.
The enabled keyword must be specified in the ACL for the extended permissions to take effect. The default value is the disabled keyword.
In an ACL, extended permissions are in the following format:
extended permissions:
enabled | disabled
permit Mode UserInfo...
deny Mode UserInfo...
specify Mode UserInfo...
Use a separate line for each permit, deny, or specify entry. The Mode parameter is expressed as rwx (with a hyphen (-) replacing each unspecified permission). The UserInfo parameter is expressed as u:UserName, as g:GroupName, or as a comma-separated combination of u:UserName and g:GroupName.
Textual representation of AIXC ACL
The following stanza shows the textual representation of an AIXC ACL:
Attributes: { SUID | SGID | SVTX }
Base Permissions:
owner(name): Mode
group(group): Mode
others: Mode
Extended Permissions:
enabled | disabled
permit Mode UserInfo...
deny Mode UserInfo...
specify Mode UserInfo...
Binary format of AIXC ACL
The AIXC ACL binary format is defined in /usr/include/sys/acl.h and is implemented in the current AIX release.
AIXC ACL example
The following is an example of an AIXC ACL:
attributes: SUID
base permissions:
owner(frank): rw-
group(system): r-x
others: ---
extended permissions:
enabled
permit rw- u:dhs
deny r-- u:chas, g:system
specify r-- u:john, g:gateway, g:mail
permit rw- g:account, g:finance
The ACL entries are described as follows:
- The first line indicates that the setuid bit is turned on.
- The next line, which introduces the base permissions, is optional.
- The next three lines specify the base permissions. The owner and group names in parentheses are for information only. Changing these names does not alter the file owner or file group. Only the chown command and the chgrp command can change these file attributes.
- The next line, which introduces the extended permissions, is optional.
- The next line indicates that the extended permissions that follow are enabled.
- The last four lines are the extended entries. The first extended entry grants user dhs read (r) and write (w) permission on the file.
- The second extended entry denies read (r) access to user chas only when he is a member of the system group.
- The third extended entry specifies that as long as user john is a member of both the gateway group and the mail group, he has read (r) access. If user john is not a member of both groups, this extended permission does not apply.
- The last extended entry grants any user in both the account group and the finance group read (r) and write (w) permission.
Note: More than one extended entry can apply to a process that is requesting access to a controlled object, with restrictive entries taking precedence over permissive modes.
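The following added example (not AIX code; the names parse_acl, extended_access and SAMPLE_ACL are chosen here) parses the textual stanza shown above and works through the extended-entry rules for the example ACL: an entry applies only when every u: and g: part matches the process, and a denial from a deny or specify entry cannot be overridden by a permit. It assumes the lowercase spelling used in the example and, because the page does not spell this out, treats a specify entry as denying every mode it omits and leaves the fallback to base permissions (a None result) to the caller.

```python
# Added example, not AIX code; assumes a 'specify' entry denies the modes it omits.
SAMPLE_ACL = """\
attributes: SUID
base permissions:
owner(frank): rw-
group(system): r-x
others: ---
extended permissions:
enabled
permit rw- u:dhs
deny r-- u:chas, g:system
specify r-- u:john, g:gateway, g:mail
permit rw- g:account, g:finance
"""  # constructed input: the example ACL from the text above

def parse_acl(text):
    acl = {"attributes": [], "base": {}, "enabled": False, "extended": []}
    section = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("attributes:"):
            acl["attributes"] = [a.strip() for a in line[11:].split(",") if a.strip()]
        elif line in ("base permissions:", "extended permissions:"):
            section = line.split()[0]
        elif section == "extended" and line in ("enabled", "disabled"):
            acl["enabled"] = line == "enabled"
        elif section == "extended":  # e.g. "deny r-- u:chas, g:system"
            keyword, mode, userinfo = line.split(None, 2)
            who = [p.strip().split(":", 1) for p in userinfo.split(",")]  # [["u","chas"],["g","system"]]
            acl["extended"].append((keyword, set(mode) - {"-"}, who))
        elif section == "base":  # "owner(frank): rw-" -> base["owner"] = "rw-"
            who, mode = line.split(":")
            acl["base"][who.split("(")[0]] = mode.strip()
    return acl

def extended_access(acl, user, groups):
    """Apply every entry whose u:/g: parts all match the process; None if disabled or none match."""
    if not acl["enabled"]:
        return None
    hits = [(k, b) for k, b, who in acl["extended"]
            if all(n == user if t == "u" else n in groups for t, n in who)]
    if not hits:
        return None
    granted = {m for k, b in hits if k != "deny" for m in b}
    denied = {m for k, b in hits if k == "deny" for m in b}
    # specify: exactly the listed modes, so everything it omits is denied
    denied |= {m for k, b in hits if k == "specify" for m in set("rwx") - b}
    # a denial from deny or specify can never be overridden by a permit
    return {"granted": granted, "denied": denied, "effective": granted - denied}
```

Running extended_access on the parsed sample for user chas in the system, account and finance groups shows both the deny and the last permit applying, leaving only write access.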