AIXC Access Control List

The AIXC Access Control List (ACL) type represents the behavior of the ACL type supported on AIX® releases prior to 5.3.0. AIXC ACLs include base permissions and extended permissions. The JFS2 file system allows a maximum size of 4 KB for AIXC ACLs.

Setting base permissions for AIXC ACL

Base permissions are the traditional file-access modes assigned to the file owner, file group, and other users. The access modes are: read (r), write (w), and execute/search (x).

In an ACL, base permissions are in the following format, with the Mode parameter expressed as rwx (with a hyphen (-) replacing each unspecified permission):

base permissions: 
   owner(name): Mode
   group(group): Mode
   others: Mode

Setting attributes for AIXC ACL

The following attributes can be added to an AIXC ACL:

setuid (SUID)
   Set-user-ID mode bit. This attribute sets the effective and saved user IDs of the process to the owner ID of the file at run time.
setgid (SGID)
   Set-group-ID mode bit. This attribute sets the effective and saved group IDs of the process to the group ID of the file at run time.
savetext (SVTX)
   For directories, indicates that only file owners can link or unlink files in the specified directory.

These attributes are added in the following format:

attributes: SUID, SGID, SVTX

Setting extended permissions for AIXC ACL

Extended permissions allow the owner of a file to more precisely define access to that file. Extended permissions modify the base file permissions (owner, group, others) by permitting, denying, or specifying access modes for specific individuals, groups, or user and group combinations. Permissions are modified through the use of keywords.

The permit, deny, and specify keywords are defined as follows:

permit
   Grants the user or group the specified access to the file
deny
   Restricts the user or group from using the specified access to the file
specify
   Precisely defines the file access for the user or group

If a user is denied a particular access by either a deny or a specify keyword, no other entry can override that access denial.

The enabled keyword must be specified in the ACL for the extended permissions to take effect. The default value is the disabled keyword.

In an ACL, extended permissions are in the following format:

extended permissions: 
  enabled | disabled
    permit   Mode  UserInfo...
    deny     Mode  UserInfo...
    specify  Mode  UserInfo...

Use a separate line for each permit, deny, or specify entry. The Mode parameter is expressed as rwx (with a hyphen (-) replacing each unspecified permission). The UserInfo parameter is expressed as u:UserName, or g:GroupName, or a comma-separated combination of u:UserName and g:GroupName.

Note: Because a process has only one user ID, if more than one user name is specified in an entry, that entry cannot be used in an access control decision.

Textual representation of AIXC ACL

The following stanza shows the textual representation of an AIXC ACL:

Attributes:  { SUID | SGID | SVTX }
Base Permissions:
   owner(name): Mode
   group(group): Mode
   others: Mode
Extended Permissions:
   enabled | disabled
     permit   Mode  UserInfo...
     deny     Mode  UserInfo...
     specify  Mode  UserInfo...

Binary format of AIXC ACL

The AIXC ACL binary format is defined in /usr/include/sys/acl.h and is implemented in the current AIX release.

AIXC ACL example

The following is an example of an AIXC ACL:

attributes: SUID
base permissions:
      owner(frank):  rw-
      group(system): r-x
      others: ---
extended permissions:
      enabled
        permit  rw-  u:dhs
        deny    r--  u:chas, g:system
        specify r--  u:john, g:gateway, g:mail
        permit  rw-  g:account, g:finance

The ACL entries are described as follows:

  • The first line indicates that the setuid bit is turned on.
  • The next line, which introduces the base permissions, is optional.
  • The next three lines specify the base permissions. The owner and group names in parentheses are for information only. Changing these names does not alter the file owner or file group. Only the chown command and the chgrp command can change these file attributes.
  • The next line, which introduces the extended permissions, is optional.
  • The next line indicates that the extended permissions that follow are enabled.
  • The last four lines are the extended entries. The first extended entry grants user dhs read (r) and write (w) permission on the file.
  • The second extended entry denies read (r) access to user chas only when he is a member of the system group.
  • The third extended entry specifies that as long as user john is a member of both the gateway group and the mail group, he has read (r) access. If user john is not a member of both groups, this extended permission does not apply.
  • The last extended entry grants any user in both the account group and the finance group read (r) and write (w) permission.
    Note: More than one extended entry can apply to a process that is requesting access to a controlled object, with restrictive entries taking precedence over permissive modes.
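The following is an added example, not IBM's code or the AIX implementation: a small Python parser for the textual stanza format described above, plus an evaluator that applies the rules this page states to the sample ACL (an entry applies only when its u: name is the caller and every g: group is held, an entry naming two users can never apply, specify grants exactly its mode and denies the rest, and no permit overrides a denial). Choosing the owner/group/others base class the usual UNIX way and adding the extended entries on top of it is an assumption drawn from the page's wording that extended permissions "modify the base permissions".

```python
import re

# Constructed sample input: the AIXC ACL stanza shown on this page.
SAMPLE_ACL = """attributes: SUID
base permissions:
      owner(frank):  rw-
      group(system): r-x
      others: ---
extended permissions:
      enabled
        permit  rw-  u:dhs
        deny    r--  u:chas, g:system
        specify r--  u:john, g:gateway, g:mail
        permit  rw-  g:account, g:finance
"""

def parse_aixc_acl(text):  # SUID/SGID/SVTX attributes are skipped: no part in access checks
    acl = {"base": {}, "enabled": False, "extended": []}
    section = None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.lower().startswith(("base permissions", "extended permissions")):
            section = line[0].lower()        # "b" or "e"
        elif section == "b":                 # e.g. "owner(frank):  rw-"
            cls, name, mode = re.fullmatch(r"(\w+)(?:\((\w+)\))?:\s*([rwx-]{3})", line).groups()
            acl["base"][cls], acl[cls] = mode, name   # name is informational only
        elif section == "e" and line.lower() in ("enabled", "disabled"):
            acl["enabled"] = line.lower() == "enabled"
        elif section == "e":                 # e.g. "deny    r--  u:chas, g:system"
            kw, mode, info = line.split(None, 2)
            acl["extended"].append((kw.lower(), mode, [w.strip() for w in info.split(",")]))
    return acl

def entry_applies(who, user, groups):
    users, needed = [w[2:] for w in who if w[0] == "u"], {w[2:] for w in who if w[0] == "g"}
    # One UID per process: an entry naming two users can never apply.
    return len(users) < 2 and (not users or users[0] == user) and needed <= set(groups)

def effective_mode(acl, user, groups):
    # Base class chosen the usual owner/group/others way (assumed, not stated on the page).
    cls = "owner" if user == acl["owner"] else "group" if acl["group"] in groups else "others"
    allowed, denied = set(acl["base"][cls]) - {"-"}, set()
    for kw, mode, who in acl["extended"] if acl["enabled"] else []:
        if entry_applies(who, user, groups):
            bits = set(mode) - {"-"}
            if kw != "deny":                 # permit and specify both grant these bits
                allowed |= bits
            if kw != "permit":               # deny removes bits; specify denies the rest
                denied |= bits if kw == "deny" else set("rwx") - bits
    allowed -= denied                        # a denial is never overridden by a permit
    return "".join(c if c in allowed else "-" for c in "rwx")
```

Running it against the sample reproduces the walkthrough above: chas loses read only while a member of system, john gets read only when in both gateway and mail, and dhs gets read and write.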