IBM Support

AIX Security: Extended ACLs to grant access to multiple groups

How To


Summary

Steps to use extended ACLs to grant access to users in multiple groups.

Objective

Problem:  The system has thousands of users, so the administrator cannot add all users to one group to manage directory access.  Extended ACLs can be used to grant access to users in different groups.

The following steps demonstrate how to use ACLs to allow multiple group access to a file or directory.

Steps

The following example has 2002 users. The objective is to allow /myDir access for users in Xgroup1 and Xgroup2.

Xgroup1: 2000 users (testuser1000-testuser3000)
Xgroup2: testuser3001
Xgroup3: testuser3002
1) Enable the extended ACL permissions with acledit (it opens the ACL in the editor named by EDITOR; write and quit to apply the change).
# export EDITOR=/usr/bin/vi
# acledit /myDir
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rwx
    group(system):  r-x
    others:  r-x
extended permissions
    disabled
Change to:
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rwx
    group(system):  r-x
    others:  ---
extended permissions
    enabled
    permit   rwx     g:Xgroup1
    permit   rwx     g:Xgroup2

2) Verify the new permissions.
# ls -ld /myDir
drwxr-x---    2 root     system          256 Nov 01 19:33 /myDir
** Note: the ls output shows only the base permissions, not the extended permissions. List the full ACL with aclget:
# aclget /myDir
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rwx
    group(system):  r-x
    others:  ---
extended permissions
    enabled
    permit   rwx     g:Xgroup1
    permit   rwx     g:Xgroup2

3) Test with users from all three groups.
Log in users from multiple groups, and attempt to cd /myDir.
RESULTS: Only Xgroup1 and Xgroup2 users could access the directory.
TIP: This test only shows that the directory ACL works. The following steps add further restrictions on the files inside it.
A user in Xgroup1 may be able to read files created by other users in the same group, depending on the umask of the file creator.  In this example, the default umask was 022 (u=rwx,g=rx,o=rx).
4) Change the umask to u=rwx,g=,o=.
# chuser umask=077 testuser3001
5) Test access for testuser3001.
# su - testuser3001
$ id
uid=3700(testuser3001) gid=211(Xgroup2)
As testuser3001, create a file.
$ touch /myDir/file3001
$ ls -aln /myDir/file3001
-rw-------    1 3700     211               0 Nov 26 17:14 /myDir/file3001
(The -n option prints the numeric uid and gid, because ls truncates long user names.)
Log in as testuser3000 and attempt to read the file owned by testuser3001.
$ cat  /myDir/file3001
cat: 0652-050 Cannot open /myDir/file3001.
RESULTS:  testuser3000 cannot view files created by testuser3001.
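The umask change in steps 4 and 5 is what stops same-group users from reading each other's files inside /myDir. The script below is an added example, not part of this IBM note: it predicts the mode the kernel assigns from the umask (0666 for files and 0777 for directories, minus the mask bits), creates a file and a directory under each mask in a scratch directory from mktemp so it runs on any POSIX system, and reports whether the result leaves anything open to the group or to others. The AIX chuser command is only mentioned in a comment, since it is AIX-specific.

```shell
#!/bin/sh
# Added example for the umask step of the note. On AIX the per-user setting
# is made persistent with:  chuser umask=077 <user>   (not run here).

# Predict the mode the kernel assigns: creat(2) asks for 0666 for a regular
# file and mkdir(2) asks for 0777; the umask clears bits from that request.
# Write the mask in octal with a leading zero (022, 077).
predict_mode() {   # predict_mode MASK file|dir   -> e.g. 0644
    case $2 in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *)    echo "usage: predict_mode MASK file|dir" >&2; return 2 ;;
    esac
    printf '%04o\n' $(( base & ~$1 ))
}

# Create the object under the given umask and report the symbolic mode that
# ls prints (first ten characters; any ACL/context flag in column 11 is ignored).
observed_mode() {  # observed_mode MASK file|dir  -> e.g. -rw-r--r--
    scratch=$(mktemp -d) || return 1
    ( umask "$1" && if [ "$2" = dir ]; then mkdir "$scratch/obj"; else : > "$scratch/obj"; fi ) || return 1
    mode=$(ls -ld "$scratch/obj" | cut -c1-10)
    rm -rf "$scratch"
    printf '%s\n' "$mode"
}

# Returns 0 when the group or "others" fields of a symbolic mode contain any
# permission bit, i.e. when other members of the creator's group can get at it.
exposed_to_group_or_others() {  # exposed_to_group_or_others -rw-r--r--
    case $(printf '%s' "$1" | cut -c5-10) in
        ------) return 1 ;;
        *)      return 0 ;;
    esac
}

# Walk the two masks from the note: 022 (the default) and 077 (the fix).
for mask in 022 077; do
    for kind in file dir; do
        obs=$(observed_mode "$mask" "$kind")
        printf 'umask %s %-4s predicted %s  observed %s' "$mask" "$kind" \
            "$(predict_mode "$mask" "$kind")" "$obs"
        if exposed_to_group_or_others "$obs"; then
            echo '  <- readable by same-group users (e.g. other Xgroup1 members)'
        else
            echo '  <- private to the creator'
        fi
    done
done
```

Run it as any user; the observed column should match the predicted column, and only the 077 rows come out private. The directory check matters as much as the file check: with umask 022 a user who creates a subdirectory under /myDir also leaves it listable by the rest of the group.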
Summary:
Question:
  • Who can access /myDir?
Answer: 
  • All users in Xgroup1 and Xgroup2 
  • The root user and members of the system group, through the base permissions.
Tip: You can also tighten the base permissions.
# acledit /myDir
Change the group entry of the base permissions to ---:
attributes:
base permissions
    owner(root):  rwx
    group(system):  ---
    others:  ---
# aclget /myDir
base permissions
    owner(root):  rwx
    group(system):  ---
    others:  ---
extended permissions
    enabled
    permit   rwx     g:Xgroup1
    permit   rwx     g:Xgroup2

Now, only Xgroup1 and Xgroup2 members can access the directory.
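Because ls does not show the extended permissions, it is easy to leave a directory in a half-configured state (extended section still disabled, or others still r-x, which bypasses the ACL entirely). The script below is an added example, not part of this IBM note: it parses the AIXC listing that aclget prints and fails unless the base group and others entries are ---, the extended section is enabled, and the only extended entries are rwx permits for the groups named on the command line. The function name check_aixc_acl is an assumption of this example, and the two listings it is run on are constructed copies of the before and after states shown in the note; on AIX you would pipe the live output in with aclget /myDir | check_aixc_acl Xgroup1 Xgroup2.

```shell
#!/bin/sh
# Added example: audit an AIXC ACL listing (the text aclget prints) against
# the end state of the note. Usage on AIX:
#     aclget /myDir | check_aixc_acl Xgroup1 Xgroup2
# Exit status 0 means the listing matches; 1 means at least one FAIL line.

check_aixc_acl() {
    awk -v want="$*" '
    BEGIN {
        n = split(want, w, " ")
        for (i = 1; i <= n; i++) expected[w[i]] = 1
        rc = 0
    }
    function fail(msg) { print "FAIL: " msg; rc = 1 }
    # This parser understands the AIXC layout only.
    /^\* ACL_type/ { if ($3 != "AIXC") fail("ACL type is " $3 ", only AIXC is understood") }
    # Base permissions: anything left open for group(...) or others bypasses the ACL.
    /^[[:space:]]*group\(/ { if ($2 != "---") fail("base group permission is " $2 ", expected ---") }
    /^[[:space:]]*others:/ { if ($2 != "---") fail("others permission is " $2 ", expected ---") }
    # Everything after this header is the extended section.
    /^extended permissions/ { inext = 1; next }
    inext && /^[[:space:]]*(enabled|disabled)/ { state = $1 }
    inext && /^[[:space:]]*(permit|specify|deny)/ {
        who = $3; g = substr(who, 3)
        if ($1 == "permit" && $2 == "rwx" && who ~ /^g:/ && (g in expected))
            seen[g] = 1
        else
            fail("unexpected extended entry: " $1 " " $2 " " $3)
    }
    END {
        if (state != "enabled") fail("extended permissions are not enabled")
        for (g in expected) if (!(g in seen)) fail("no rwx permit for group " g)
        if (rc == 0) print "OK: only the owner and the groups [" want "] have access"
        exit rc
    }'
}

# Constructed copy of the listing from step 1 before the change.
ACL_BEFORE='*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rwx
    group(system):  r-x
    others:  r-x
extended permissions
    disabled'

# Constructed copy of the final listing from the tip above.
ACL_AFTER='*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rwx
    group(system):  ---
    others:  ---
extended permissions
    enabled
    permit   rwx     g:Xgroup1
    permit   rwx     g:Xgroup2'

echo "== before the change =="
printf '%s\n' "$ACL_BEFORE" | check_aixc_acl Xgroup1 Xgroup2 || :
echo "== after the change =="
printf '%s\n' "$ACL_AFTER" | check_aixc_acl Xgroup1 Xgroup2 || :
```

The check is deliberately strict: a permit with fewer bits than rwx, a specify or deny entry, a u: entry, or a permit for a group that was not passed on the command line is all reported as unexpected, so an extra entry added by hand later shows up in the audit rather than silently widening access. Run it over each directory you manage this way after every acledit or aclput.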
Tip: To control inheritance and use the other NFS4 ACL features, you could convert the file system and then apply NFS4 ACL entries, which add many more options.

Additional Information

SUPPORT

If you require more assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.  

1. Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2. Capture any logs or data relevant to the situation.

3. Contact IBM to open a case:

   - For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   - If you require telephone support, see the web page:
     https://www.ibm.com/planetwide/

4. Provide a clear, concise description of the issue.

 - For more information, see: Working with IBM AIX Support: Describing the problem.

5. If the system is accessible, collect a system snap, and upload all of the details and data for your case.

 - For more information, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
26 November 2021

UID

ibm16519910