ACL

tri · December 8, 2000, 4:34am

Hi all,

I've just been handled the responsibility for a FTP-site. Having no experiens of UNIX at all. And now one of my users needs to have full access to the usr directory and all it's subdirectories, don't know why just trying to do what the boss tells me. The type of UNIX is FreeBSD and the filesystem's ufs. I've been told that with this setup rights can only be given to files and not directories. You can put a user in a group and give access to the file. But a file can only belong to one group. If I've understood this correctly it means that the options are 1. let the user log in as root 2. let him be an ordinary user. Option number 1 is not the one I want to go with.
But then the problem might be solved with ACL's? How can I see what ACL's I've got (if any)? How do I use them?

Thanking you

Neo · December 12, 2000, 8:09pm

ACLs are a kernel (core build of the OS) extension and the way ACLs are implemented are dependent on the UNIX variety. Some UNIXes support ACLs, other do not. Please specify the kernel details of the UNIX you are running.

Quite a few years ago I was hanging with Linus and crew at the 1st Linux conference in Amsterdam. I pleaded with Linus to add ACLs and ACL event logging to the Linux kernel so my more security minded clients could run Linux. I am not sure if Linus ever added ACLs to the Linux kernel. He was dead-set against it many years ago (this was around 1994 so things might have changed).

I know HPUX has a very nice ACL system in the kernel. In fact, the HPUX ACLs are so good that many high-availability systems run HPUX for that reason. ACLs in HPUX can be set for things like kernel system calls, etc. The entire system can be set up to monitor and log system calls that the administrator deems necessary for security.

Systems that do not implement ACLs with a high degree of granularity are not normally used in high-assurance systems. (Let's don't get into defining 'high-assurance' in this thread, OK )

[Edited by Neo on 12-13-2000 at 02:19 AM]

tri · December 14, 2000, 11:10am

When using the command 'uname -a' I got the following reply:

FreeBSD 4.1-RELEASE FreeBSD 4.1-RELEASE #4: Thu Oct 26 14:28:45 MDT
2000 root@fc:/usr/src/sys/compile/VKERN i386

Is this the information you needed?

/Ninja

Neo · December 14, 2000, 11:35am

I don't recall FreeBSD having the ACL functionality built in to the kernel (other than the standard file permissions). I also did a quick check on the net and did not find any reference to having them. I did find posts in the bsd-security mail list archives complaining about the security architecture.

Here is the link to the FreeBSD security homepage:

tri · December 14, 2000, 11:47am

Thanks for your help Neo, I appreciate it!

/Ninja