This post discusses one part of Solaris security, the Solaris access control lists (ACLs), focusing on their purpose and structure.
When file permissions aren’t enough
Conventional Solaris file permissions allow you to set read, write, and execute permissions on a file for the file’s owner, group owners, and other users. In addition, you can use special permissions such as the sticky bit to allow file owners to edit their own files but not other users’ files.
However, these permissions are not always sufficient to meet an organization’s file security needs. This is especially applicable in large or complex organizations in which users from different departments need to collaborate. For example, you might want to assign read permission on a file to more than one group of users and to assign write permission only to certain members of these groups.
Access control lists (ACLs) allow you to assign permissions that meet more complex security requirements than conventional file access permissions can. An ACL consists of a list of users and groups that have permissions on a file or directory, together with the permissions assigned to each of those users and groups. Each ACL applies to one file or directory only.
For example, you could create an ACL for a file called “backup” that specifies that all members of the admin and support groups can read the file, but that only the technical support manager and the system administrator may execute it.
ACLs consist of a list of entries, each of which defines the permissions granted to a particular user or group.
ACL entries include the following components:
- entry type
- user or group ID
- permissions
The entry type indicates whether the entry applies to a user, a group, other users, or a mask. If the entry type is user or group, you can supply a user or group ID or a username or group name to apply permissions to a specific user or group. The permissions component of an ACL entry specifies the permissions you want to assign, which you represent using the symbolic letters r, w, or x.
The components of an ACL entry are separated by colons. For example, the following ACL entry sets read and write permissions for a user called NickN:
The user or group ID component in an ACL entry is optional. If you leave it out, the permissions specified in the entry apply to a file’s owner or group owners by default. For example, this entry sets read permissions for a file’s group owners:
You can use the other entry type to assign permissions to users who are not owners or group owners of a file. The example below sets read permissions for other users:
The mask entry type lets you specify a limit for permissions on a file. No user can have higher permissions than those specified in a mask, regardless of the permissions explicitly assigned to them. For example, the entry below specifies a mask that allows only read and write access, even for users that have the execute permission:
Default ACL entries
You can set default ACL entries for a directory. Any files or subdirectories that a user creates within this directory then automatically use the default ACL.
To create default ACL entries, you precede them with the word “default” and a colon. You can create default ACL entries using any of the ACL entry types. For example, the following entry sets default file owner permissions:
The following entry sets a default ACL mask:
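The entry syntax, the mask, and the default entries described above are easiest to see with a small parser that applies them. The following is an added example, not code from the original post or from Solaris itself: it reads entries in the getfacl/setfacl format (user:name:perms, group::perms, other:perms, mask:perms, default:...), computes the effective permission of each entry under the mask, and lists which access entries a new file would inherit from a directory's default entries. The "backup" file ACL and the directory ACL are constructed sample data, and the names tsmgr, admin and support are assumptions.

```python
"""Parse Solaris-style ACL entries and show what the mask and default
entries actually do.

Added illustration, not code from the original post. It follows the Solaris
getfacl/setfacl entry format. All ACL text below is constructed sample data;
the user and group names are assumptions.
"""
from dataclasses import dataclass

PERM_ORDER = "rwx"
TYPE_ALIASES = {"u": "user", "g": "group", "o": "other", "m": "mask"}


@dataclass
class AclEntry:
    default: bool   # True for "default:" entries on a directory
    etype: str      # user | group | other | mask
    who: str        # "" for the file owner / owning group, else a name or ID
    perms: set


def parse_perms(text: str) -> set:
    """Convert 'rw-' (or 'rw') into a set of letters; reject bad characters."""
    perms = set()
    for ch in text:
        if ch == "-":
            continue
        if ch not in PERM_ORDER:
            raise ValueError(f"bad permission character {ch!r} in {text!r}")
        perms.add(ch)
    return perms


def fmt_perms(perms: set) -> str:
    """Render a permission set in fixed rwx order, e.g. {'r','x'} -> 'r-x'."""
    return "".join(p if p in perms else "-" for p in PERM_ORDER)


def parse_entry(line: str) -> AclEntry:
    """Parse one colon-separated ACL entry such as 'user:NickN:rw-'."""
    fields = line.strip().split(":")
    default = fields[0] == "default"
    if default:
        fields = fields[1:]
    etype = TYPE_ALIASES.get(fields[0], fields[0])
    if etype in ("user", "group"):
        if len(fields) != 3:
            raise ValueError(f"expected type:who:perms in {line!r}")
        who, perms = fields[1], fields[2]
    elif etype in ("other", "mask"):
        if len(fields) != 2:
            raise ValueError(f"expected type:perms in {line!r}")
        who, perms = "", fields[1]
    else:
        raise ValueError(f"unknown ACL entry type in {line!r}")
    return AclEntry(default, etype, who, parse_perms(perms))


def parse_acl(text: str) -> list:
    """Parse getfacl-style text, ignoring blank lines and '#' comment lines."""
    return [parse_entry(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def effective_perms(text: str) -> dict:
    """Return {'type:who': 'rwx'} for the access (non-default) entries after
    the mask is applied. The mask limits named users, the owning group and
    named groups; the file owner and 'other' are never limited by it."""
    access = [e for e in parse_acl(text) if not e.default]
    masks = [e for e in access if e.etype == "mask"]
    mask = masks[0].perms if masks else None
    result = {}
    for e in access:
        if e.etype == "mask":
            continue
        limited = e.etype == "group" or (e.etype == "user" and e.who != "")
        perms = e.perms & mask if (limited and mask is not None) else e.perms
        result[f"{e.etype}:{e.who}"] = fmt_perms(perms)
    return result


def inherited_access_entries(dir_acl_text: str) -> list:
    """List the access entries a new file picks up from a directory's default
    entries: the 'default:' prefix is dropped. (Simplification: the mode the
    creating process asks for further limits the real result.)"""
    return [f"{e.etype}:{e.who}:{fmt_perms(e.perms)}" if e.etype in ("user", "group")
            else f"{e.etype}:{fmt_perms(e.perms)}"
            for e in parse_acl(dir_acl_text) if e.default]


# Constructed sample: the "backup" file from the post. admin and support may
# read; tsmgr (assumed technical support manager) was given execute, but the
# mask of r-- takes it away again, exactly the caveat the mask entry carries.
BACKUP_ACL = """\
user::rwx
user:tsmgr:r-x
group::r--
group:admin:r--
group:support:r--
mask:r--
other:---
"""

# Constructed sample directory ACL whose default entries apply to new files.
SHARED_DIR_ACL = """\
user::rwx
group::r-x
other:r-x
default:user::rwx
default:group::r--
default:group:admin:rw-
default:mask:rw-
default:other:---
"""

if __name__ == "__main__":
    for who, perms in effective_perms(BACKUP_ACL).items():
        print(f"{who:16} {perms}")
    print("mask raised to r-x:",
          effective_perms(BACKUP_ACL.replace("mask:r--", "mask:r-x"))["user:tsmgr"])
    print("inherited by a new file:", inherited_access_entries(SHARED_DIR_ACL))
```

Run it as is and compare the tsmgr line before and after the mask is raised: the explicit r-x entry is still there, but the effective permission is only r-- until the mask allows execute. That is the check worth doing whenever an ACL grant seems not to take effect on a Solaris box.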
To summarize Solaris access control lists: ACLs allow you to assign users a complex set of permissions for a file or directory. For example, you can use an ACL to assign a set of permissions to several groups but withhold permissions from specific members of these groups.
An ACL consists of a list of entries, each of which describes a set of permissions assigned to a user or group. You can create entries for a file’s owner, group owners, all other users, or for other specific users or groups. You can also create an ACL mask to limit the permissions of users to a file or directory.
You can create default ACL entries for a directory. These entries automatically apply to all files and subdirectories that users create in the specified directory.
If you want to play around with Solaris, you can try out the OpenSolaris Live CD, which is free to use.