IBM Support

How to Apply ACL to New Files Automatically

Question & Answer


Question

How can I set up a directory to automatically apply ACLs (Access Control Lists)?

Answer

Access Control Lists (ACLs) are an ordered set of rules and conditions that allow or deny access to files. They allow finer-grained restrictions than the standard AIX or UNIX discretionary access control (file mode bits).
  • ACLs can be applied to individuals, or groups.
  • ACLs can be assigned, or revoked, as needed.
ACL inheritance is the mechanism that allows a parent directory to pass ACL rules to its child directories and files. AIX ACLs do not support inheritance, but NFSV4 ACLs do.
  • NFSV4 ACL is platform-independent, so it can be supported on many clients or servers.
  • Most file system types in AIX do not support NFSV4 ACLs.
  • CFS, UDF, JFS, and JFS2 with extended attribute version 1 (EAv1) do not support NFSV4 ACLs.
  • JFS2 file systems using EAv2 support NFSV4 ACLs.

To set up a directory to automatically apply ACLs (Access Control Lists) to child files and folders, you can enable ACL inheritance in an NFSV4 enabled file system.

1. Use an existing JFS2 file system, or create a new one.
# crfs -v jfs2 -g datavg -m /myfs -A yes -a size=2G

2. Change the file system to use Extended Attributes Version 2. This conversion is one-way: an EAv2 file system cannot be changed back to EAv1.
# chfs -a ea=v2 /myfs

3. Create a directory, or use an existing directory.
# cd /myfs
# mkdir newdir

4. Convert the directory to use NFS4 ACLs.
# aclconvert -t NFS4 newdir

5. Edit the ACL.
# export EDITOR=/usr/bin/vi
# acledit newdir
Default text shown by acledit:
*
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs
s:(OWNER@): d o
s:(GROUP@): a rRxadcs
s:(GROUP@): d wpWDACo
s:(EVERYONE@): a rRxadcs
s:(EVERYONE@): d wpWDACo
* See more field information in the Textual representation of NFS4 ACL table.
6. To allow inheritance for all files and directories underneath this directory, add the strings "fi" (FILE_INHERIT) and "di" (DIRECTORY_INHERIT) to each ACL entry that should propagate. Only entries carrying these flags are inherited; in this example they are added to the OWNER@ allow entry.
*
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs fidi
s:(OWNER@): d o
s:(GROUP@): a rRxadcs
s:(GROUP@): d wpWDACo
s:(EVERYONE@): a rRxadcs
s:(EVERYONE@): d wpWDACo
7. Save and quit the vi editor (press ESC, then type :wq).
*
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs fidi
s:(OWNER@): d o
s:(GROUP@): a rRxadcs
s:(GROUP@): d wpWDACo
s:(EVERYONE@): a rRxadcs
s:(EVERYONE@): d wpWDACo
:wq!
* The ACL entries you flagged with "fi" or "di" are propagated to each new file or directory created beneath this directory.

8. Create a file in your directory and check the ACL on it. Only the entry carrying the inheritance flags appears on the new file.
# cd newdir
# touch newfile
# aclget newfile

*
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs fidi
REFERENCE: Textual representation of NFS4 ACL
* An ACE entry has the following spaces/tabs separated fields:
*
*   IDENTITY ACE_TYPE ACE_MASK INHERITANCE_AND_AUDIT_ATTRS
*
* Where:
*
*   IDENTITY => Has format of 'IDENTITY_type:IDENTITY_name(IDENTITY_who):'
*      Where:
*         IDENTITY_type => One of the following Identity type:
*            u : user
*            g : group
*            s : special who string (IDENTITY_who must be a special who)
*         IDENTITY_name => user/group name
*         IDENTITY_who => who string
*
*   ACE_TYPE => One of the following ACE Type:
*      a : allow
*      d : deny
*      l : alarm
*      u : audit
*
*   ACE MASK => One or more of the following Mask value Key without separater:
*      r : READ_DATA
*      r : LIST_DIRECTORY
*      w : WRITE_DATA
*      w : ADD_FILE
*      p : APPEND_DATA
*      p : ADD_SUBDIRECTORY
*      R : READ_NAMED_ATTRS
*      W : WRITE_NAMED_ATTRS
*      x : EXECUTE
*      D : DELETE_CHILD
*      a : READ_ATTRIBUTES
*      A : WRITE_ATTRIBUTES
*      d : DELETE
*      c : READ_ACL
*      C : WRITE_ACL
*      o : WRITE_OWNER
*      s : SYNCHRONIZE
*
*   INHERITANCE_AND_AUDIT_ATTRS (Optional) => One or more of the following
*                                             Attribute Key without separater:
*      fi : FILE_INHERIT
*      di : DIRECTORY_INHERIT
*      oi : INHERIT_ONLY
*      ni : NO_PROPAGATE_INHERIT
*      sf : SUCCESSFUL_ACCESS_ACE_FLAG
*      ff : FAILED_ACCESS_ACE_FLAG
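As an added example (not from the IBM page), a Python parser for the textual NFS4 ACL format defined in the reference above, which predicts the entries a new file or subdirectory under newdir would inherit and flags inheritable entries that would let EVERYONE@ rewrite ACLs. The fi/di selection follows the page; the ni/oi handling for subdirectories follows RFC 7530 and is an assumption about AIX, and the "auditor" entry in the sample is constructed.

```python
import re
from collections import namedtuple

# Constructed sample in the acledit text format shown above: the page's step-6 entries
# (GROUP@ omitted) plus a constructed entry for user "auditor" that inherits one level only.
SAMPLE_ACL = """\
* ACL_type NFS4
s:(OWNER@): a rwpRWxDaAdcCs fidi
s:(OWNER@): d o
s:(EVERYONE@): a rRxadcs
s:(EVERYONE@): d wpWDACo
u:auditor: a rRacs dini
"""
# IDENTITY ACE_TYPE ACE_MASK [INHERITANCE_AND_AUDIT_ATTRS], as in the reference table above.
ACE_RE = re.compile(r"^([ugs]:[^:\s]+):\s+([adlu])\s+([rwpRWxDaAdcCos]+)"
                    r"(?:\s+((?:fi|di|oi|ni|sf|ff)+))?\s*$")

# identity "s:(OWNER@)"/"u:auditor", ace_type a|d|l|u, mask e.g. "rwpRWxDaAdcCs", flags ("fi","di")
Ace = namedtuple("Ace", "identity ace_type mask flags")

def parse_acl(text):
    """Parse acledit/aclget text into Ace tuples, skipping '*' comment lines."""
    aces = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("*"):
            continue
        if not (m := ACE_RE.match(line)):
            raise ValueError(f"malformed ACE line: {line!r}")
        aces.append(Ace(*m.group(1, 2, 3), tuple(re.findall("..", m.group(4) or ""))))
    return aces

def inherited(parent, child_is_dir):
    """ACEs a new child receives: files get entries flagged fi, kept as written (step 8 output);
    directories get entries flagged di, with ni/oi handled per RFC 7530 6.4.3.1 (assumption)."""
    out = []
    for ace in parent:
        if not child_is_dir:
            if "fi" in ace.flags:
                out.append(ace)
        elif "di" in ace.flags:   # ni: inherit once and stop; otherwise oi no longer applies
            drop = {"fi", "di", "oi", "ni"} if "ni" in ace.flags else {"oi"}
            out.append(ace._replace(flags=tuple(f for f in ace.flags if f not in drop)))
    return out

def inheritable_takeover(parent):
    """Inheritable allow entries giving EVERYONE@ WRITE_ACL (C) or WRITE_OWNER (o); any user
    could then rewrite the ACL of every new file, so review these before saving in acledit."""
    return [a for a in parent if a.identity == "s:(EVERYONE@)" and a.ace_type == "a"
            and set(a.flags) & {"fi", "di"} and set(a.mask) & {"C", "o"}]
```

Run it against the text you are about to save in acledit (or against aclget output) to see what a new file and a new subdirectory will receive before any data lands in the directory.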
SUPPORT

Security configuration (for example, RBAC, Trusted AIX, AIX Security Expert, ACLs, auditing) involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements. AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support.

See "How technical questions (Q&A) are handled by IBM Support:"
https://www.ibm.com/support/pages/node/796206

However, if you have specific questions about usage after reviewing the recommended documentation, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.  

1. Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2. Capture any logs or data relevant to the situation.

3. Contact IBM to open a case:

   - For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   - If you require telephone support, see the web page:
     https://www.ibm.com/planetwide/

4. Provide a clear, concise description of the issue.

 - For more information, see: Working with IBM AIX Support: Describing the problem.

5. If the system is accessible, collect a system snap, and upload all of the details and data for your case.

 - For more information, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
21 September 2021

UID

isg3T1012127