Configuring ACL on AIX 5.3

UNIX AIX
1

Hello All,

Let me quickly come down to my problem..

I have a file with following description:

==
root:/me01/tia/filetr ans # ls -lrt DW_NUM_OF_ROWS_TSP.txt
-rwxrwxr-- 1 tiaoas oinstall 43 Jun 07 17:12 DW_NUM_OF_ROWS_TSP.txt
root:/me01/tia/filetrans # aclget DW_NUM_OF_ROWS_TSP.txt
*

  • ACL_type AIXC
    *
    attributes:
    base permissions
    owner(tiaoas): rwx
    group(oinstall): rwx
    others: rwx
    extended permissions
    enabled
    permit rw- u:tiaadm,g: oinstall
    ==

I wanted user 'tiaadm:staff' to be able to do a 'chmod 777 DW_NUM_OF_ROWS_TSP.txt' -- for which I permitted this user for 'rw' as shown in the 'aclget' o/p above. However, my purpose was that any file which begins with 'DW', user 'tiaadm:staff' should be able to do a 'chmod', hence setting ACL for individual files wasn't quite a right option.
Google'ng around, someone suggested to set the ACL for the parent directory under which files starting with 'DW' exists, so this is what I did:

==
aclget DW_NUM_OF_ROWS_TSP.txt | aclput -R /me01/tia/filetrans

With this, my purpose wasn't solved as new files(getting created) starting with 'DW' under ~/filetrans directory didn't allow user 'tiaadm:staff' to do a 'chmod 777'.
Later, some online forum suggested to use "Extended Attribute Format" for inheritance under directories, so this is what I did:

==
root:/ # chfs -a ea=v2 /me01

root:/me01/tia # aclconvert -t NFS4 filetrans

root:/me01/tia # aclget filetrans
*

  • ACL_type NFS4
    *
    *
  • Owner: tiaesg
  • Group: oinstall
    *
    s: (OWNER@): a rwpRWxDaAdcCs
    s: (OWNER@): d o
    s: (GROUP@): a rwpRWxDadcs
    s: (GROUP@): d Co
    s: (EVERYONE@): a rwpRWxDadcs
    s: (EVERYONE@): d Co
    u:tiaadm: a rwpxo fidi
    g: oinstall: a rwpxo fidi
    ==

Even with the above options implemented, this is what I see:

==
tiaadm:/me01/tia/scripts% chmod 777 /me01/tia/filetrans/DW*
chmod: /me01/tia/filetrans//DW_NUM_OF_ROWS_TSP.txt: Operation not permitted.

I find myself absolutely lost & messed up here. Could someone kindly suggest/help getting this sorted?

Cheers,
Souvik

2

NFSv4 ACLs inheritance flags only work for newly created files and directories, not for existing ones.

3

Thanks verdepollo for your response..

Well, "Access Control" for the newly created files/directories doesn't work either as I expect them to. I guess, I've messed up the ACL configurations on this directory & its contents, let be elaborate once again for a clear picture:

Step 1:

==
root:/me01/tia/filetrans # ls -lrt DW_NUM_OF_ROWS_TSP.txt
-rwxrwxr-- 1 tiaoas oinstall 43 Jun 07 17:12 DW_NUM_OF_ROWS_TSP.txt
root:/me01/tia/filetrans # acledit DW_NUM_OF_ROWS_TSP.txt
*

  • ACL_type AIXC
    *
    attributes:
    base permissions
    owner(tiaoas): rwx
    group(oinstall): rwx
    others: r--
    extended permissions
    enabled >> Edited from "Disabled" to "Enabled" <<
    permit rw- u:tiaadm,g: oinstall >> Added this line for providing r/w permission to 'tiaadm' user for being able to do a chmod <<
    ==

After this step, user 'tiaadm' was successfully able to do a `chmod 777 /me01/tia/filetrans/DW_NUM_OF_ROWS_TSP.txt`

Step 2:

Configuring ACL for a single file wasn't my exact requirement, rather my requirement was -- user 'tiaadm' should be able to do a 'chmod' to any file(old/new) starting with 'DW' under '/me01/tia/filetrans' directory.
Note: Files with filename starting with 'DW' are created on daily basis by a batch job, hence manually configuring ACL for each of these new files didn't seem to be a right option. So this is what I did next step:

==
aclget DW_NUM_OF_ROWS_TSP.txt | aclput -R /me01/tia/filetrans

Here, as mentioned in step 1 - ACL for DW_NUM_OF_ROWS_TSP.txt file was perfect as user 'tiaadm' was able to do a 'chmod', so did a recursive copy of its ACL property to directory /me01/tia/filetrans.
After this step, any new file created under ~/filetrans directory(either by owner of the directory or other user) showed the following ACL property:

==
root:/me01/tia/filetrans # aclget <New File Name>
*

  • ACL_type AIXC
    *
    attributes:
    base permissions
    owner(tiaoas): rwx
    group(oinstall): rwx
    others: r--
    extended permissions
    disabled >> Extended properties showed "disabled" by default <<
    ==

So, recursive ACL property copy on the directory too didn't help me.

Step 3:

Used "Extended Attribute Format" for inheritance under directories, so this is what I did:

==
root:/ # chfs -a ea=v2 /me01 >> Changed File system to use extended attribute <<
root:/me01/tia # aclconvert -t NFS4 filetrans
root:/me01/tia # acledit filetrans
*

  • ACL_type NFS4
    *
    *
  • Owner: tiaesg
  • Group: oinstall
    *
    s: (OWNER@): a rwpRWxDaAdcCs
    s: (OWNER@): d o
    s: (GROUP@): a rwpRWxDadcs
    s: (GROUP@): d Co
    s: (EVERYONE@): a rwpRWxDadcs
    s: (EVERYONE@): d Co
    u:tiaadm: a rwpxo fidi >> Added this line for user 'tiaadm' to be able to do a recursive r/w over files/directories(fidi) <<
    g: oinstall: a rwpxo fidi >> Added this line for group 'oinstall' to be able to do a recursive r/w over files/directories(fidi) <<
    ==

After this step, these are what I see:

  • ACL extended permissions for file "DW_NUM_OF_ROWS_TSP.txt" got changed to "disabled" which was set to "enabled" earlier & 'chmod' stopped working(which was earlier working).

  • Any new file which got created under ~/filetrans directory, had the following properties:
    -- ACL extended permissions set to "disabled" by default.
    -- rwx permissions for owner, group & others was 000/--- i.e. didn't have rwx rights to anyone.

Please suggest?

I would like to reiterate my reqd once again -- User 'tiaadm' should be able to do a chmod on all files(old/new) under directory ~/filetrans which has following ownership/permissions:
root:/me01/tia # ls -ld filetrans
drwxrwsr-- tiaoas oinstall 632 Jun 07 17:12 filetrans

Thanks,
Souvik

4

AIX ACLs (AIXC) does not support inheritance options.

Try this:

# aclconvert -t NFS4 filetrans
# acledit filetrans

*
* ACL_type NFS4
**
* Owner: tiaesg
* Group: oinstall
*
s:(OWNER@): a rwpRWxDaAdcCo fidi
u:tiaadm: a rwxRAwCc fidioi

# aclget filetrans | aclput -R filetrans

Touch a test file and check that the ACL is active (You'll see a plus sign when running 'ls')

Quick question, are you using at least version 5.3 with JFS2 FS?

Also keep in mind that if you do a chmod 777 to a file, the ACL entry gets overwritten.