Editorial review of ACL chapter.

Still need a section on ZFS and ACLs.
This section would benefit from more usage examples and a
more complete description of how ACLs augment traditional
permissions.

Sponsored by:	iXsystems
Dru Lavigne 2014-03-31 20:39:26 +00:00
parent 1194095c70
commit bf62664294
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44403

@ -72,7 +72,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para>How to use filesystem <acronym>ACL</acronym>s.</para> <para>How to use file system <acronym>ACL</acronym>s.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -1734,7 +1734,7 @@ kadmind5_server_enable="YES"</programlisting>
not have a mechanism to authenticate the not have a mechanism to authenticate the
<acronym>KDC</acronym> to the users, hosts or services. <acronym>KDC</acronym> to the users, hosts or services.
This means that a trojanned &man.kinit.1; could record all This means that a trojanned &man.kinit.1; could record all
user names and passwords. Filesystem integrity checking user names and passwords. File system integrity checking
tools like <package>security/tripwire</package> can tools like <package>security/tripwire</package> can
alleviate this.</para> alleviate this.</para>
</sect3> </sect3>
@ -2927,8 +2927,7 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
<sect1 xml:id="fs-acl"> <sect1 xml:id="fs-acl">
<info> <info>
<title>Filesystem Access Control Lists <title>Access Control Lists</title>
(<acronym>ACL</acronym>)s</title>
<authorgroup> <authorgroup>
<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Contributed <author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Contributed
@ -2940,10 +2939,10 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
<primary>ACL</primary> <primary>ACL</primary>
</indexterm> </indexterm>
<para>Filesystem Access Control Lists (<acronym>ACL</acronym>s) <para>Access Control Lists (<acronym>ACL</acronym>s)
extend the standard &unix; permission model in a &posix;.1e extend the standard &unix; permission model in a &posix;.1e
compatible way. This permits an administrator to make use of compatible way. This permits an administrator to
and take advantage of a more sophisticated security take advantage of a more fine-grained permissions
model.</para> model.</para>
<para>The &os; <filename>GENERIC</filename> kernel provides <para>The &os; <filename>GENERIC</filename> kernel provides
@ -2955,58 +2954,56 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
<programlisting>options UFS_ACL</programlisting> <programlisting>options UFS_ACL</programlisting>
<para>If this option is not compiled in, a warning message will be <para>If this option is not compiled in, a warning message will be
displayed when attempting to mount a filesystem supporting displayed when attempting to mount a file system with
<acronym>ACL</acronym>s. <acronym>ACL</acronym>s rely on <acronym>ACL</acronym> support. <acronym>ACL</acronym>s rely on
extended attributes being enabled on the filesystem. Extended extended attributes which
attributes are natively supported in are natively supported in
<acronym>UFS2</acronym>.</para> <acronym>UFS2</acronym>.</para>
<note> <para>This chapter describes how to enable
<para>A higher level of administrative overhead is required to <acronym>ACL</acronym> support and provides some usage
configure extended attributes on <acronym>UFS1</acronym> examples.</para>
than on <acronym>UFS2</acronym>. The performance of
extended attributes on <acronym>UFS2</acronym> is also <sect2>
substantially higher. As a result, <acronym>UFS2</acronym> <title>Enabling <acronym>ACL</acronym> Support</title>
is recommended for use with <acronym>ACL</acronym>s.</para>
</note>
<para><acronym>ACL</acronym>s are enabled by the mount-time <para><acronym>ACL</acronym>s are enabled by the mount-time
administrative flag, <option>acls</option>, which may be added administrative flag, <option>acls</option>, which may be added
to <filename>/etc/fstab</filename>. The mount-time flag can to <filename>/etc/fstab</filename>. The mount-time flag can
also be automatically set in a persistent manner using also be automatically set in a persistent manner using
&man.tunefs.8; to modify a superblock <acronym>ACL</acronym>s &man.tunefs.8; to modify a superblock <acronym>ACL</acronym>s
flag in the filesystem header. In general, it is preferred flag in the file system header. In general, it is preferred
to use the superblock flag for several reasons:</para> to use the superblock flag for several reasons:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>The mount-time <acronym>ACL</acronym>s flag cannot be <para>The superblock flag cannot be
changed by a remount using <option>mount -u</option>. It changed by a remount using <option>mount -u</option> as it
requires a complete &man.umount.8; and fresh &man.mount.8;. requires a complete <command>umount</command> and fresh <command>mount</command>.
This means that <acronym>ACL</acronym>s cannot be enabled on This means that <acronym>ACL</acronym>s cannot be enabled on
the root filesystem after boot. It also means that the the root file system after boot. It also means that
disposition of a filesystem cannot be changed once it is in <acronym>ACL</acronym> support on
a file system cannot be changed while the system is in
use.</para> use.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Setting the superblock flag will cause the filesystem <para>Setting the superblock flag causes the file system
to always be mounted with <acronym>ACL</acronym>s enabled, to always be mounted with <acronym>ACL</acronym>s enabled,
even if there is not an <filename>fstab</filename> entry even if there is not an <filename>fstab</filename> entry
or if the devices re-order. This prevents accidental or if the devices re-order. This prevents accidental
mounting of the filesystem without <acronym>ACL</acronym>s mounting of the file system without <acronym>ACL</acronym>
enabled, which can result in the security problem of support.</para>
<acronym>ACL</acronym>s being improperly enforced.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<note> <note>
<para>It is desirable to discourage accidental mounting without <para>It is desirable to discourage accidental mounting without
<acronym>ACL</acronym>s enabled, because nasty things can <acronym>ACL</acronym>s enabled because nasty things can
happen if <acronym>ACL</acronym>s are enabled, then disabled, happen if <acronym>ACL</acronym>s are enabled, then disabled,
then re-enabled without flushing the extended attributes. In then re-enabled without flushing the extended attributes. In
general, once <acronym>ACL</acronym>s are enabled on a general, once <acronym>ACL</acronym>s are enabled on a
filesystem, they should not be disabled, as the resulting file file system, they should not be disabled, as the resulting file
protections may not be compatible with those intended by the protections may not be compatible with those intended by the
users of the system, and re-enabling <acronym>ACL</acronym>s users of the system, and re-enabling <acronym>ACL</acronym>s
may re-attach the previous <acronym>ACL</acronym>s to files may re-attach the previous <acronym>ACL</acronym>s to files
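Review bot: In the first list item the subject changes from "The mount-time ACLs flag" to "The superblock flag", but the rest of the sentence still describes the limitation of the mount option (no change through mount -u, a full umount and fresh mount required). The list is introduced as reasons to prefer the superblock flag, so the new wording reads as an argument against it; suggest keeping the mount-time flag as the subject. In the same item, "cannot be changed while the system is in use" is broader than the old "once it is in use", which referred to the file system. The added paragraph also says "This chapter describes" although the text sits inside a sect1, so "This section" fits better. Finally, the second item no longer states why mounting without ACL support matters (the removed "ACLs being improperly enforced" clause); a short reason there would keep the security rationale next to the recommendation.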
@ -3014,9 +3011,9 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
unpredictable behavior.</para> unpredictable behavior.</para>
</note> </note>
<para>Filesystems with <acronym>ACL</acronym>s enabled will <para>File systems with <acronym>ACL</acronym>s enabled will
show a <literal>+</literal> (plus) sign in their permission show a plus (<literal>+</literal>) sign in their permission
settings when viewed. For example:</para> settings:</para>
<programlisting>drwx------ 2 robert robert 512 Dec 27 11:54 private <programlisting>drwx------ 2 robert robert 512 Dec 27 11:54 private
drwxrwx---+ 2 robert robert 512 Dec 23 10:57 directory1 drwxrwx---+ 2 robert robert 512 Dec 23 10:57 directory1
@ -3031,12 +3028,13 @@ drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html</programlisting>
are all taking advantage of <acronym>ACL</acronym>s, whereas are all taking advantage of <acronym>ACL</acronym>s, whereas
<filename>public_html</filename> <filename>public_html</filename>
is not.</para> is not.</para>
</sect2>
<sect2> <sect2>
<title>Making Use of <acronym>ACL</acronym>s</title> <title>Using <acronym>ACL</acronym>s</title>
<para>Filesystem <acronym>ACL</acronym>s can be viewed using <para>File system <acronym>ACL</acronym>s can be viewed using
&man.getfacl.1;. For instance, to view the <command>getfacl</command>. For instance, to view the
<acronym>ACL</acronym> settings on <acronym>ACL</acronym> settings on
<filename>test</filename>:</para> <filename>test</filename>:</para>
@ -3049,25 +3047,29 @@ drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html</programlisting>
other::r--</screen> other::r--</screen>
<para>To change the <acronym>ACL</acronym> settings on this <para>To change the <acronym>ACL</acronym> settings on this
file, use &man.setfacl.1;:</para> file, use <command>setfacl</command>. To remove all of the currently defined
<acronym>ACL</acronym>s from a file or file system, include
<screen>&prompt.user; <userinput>setfacl -k test</userinput></screen>
<para>To remove all of the currently defined
<acronym>ACL</acronym>s from a file or filesystem, one can use
<option>-k</option>. However, the preferred method is to use <option>-k</option>. However, the preferred method is to use
<option>-b</option> as it leaves the basic fields required <option>-b</option> as it leaves the basic fields required
for <acronym>ACL</acronym>s to work.</para> for <acronym>ACL</acronym>s to work.</para>
<screen>&prompt.user; <userinput>setfacl -k test</userinput></screen>
<para>To modify the default <acronym>ACL</acronym> entries, use
<option>-m</option>:</para>
<screen>&prompt.user; <userinput>setfacl -m u:trhodes:rwx,group:web:r--,o::--- test</userinput></screen> <screen>&prompt.user; <userinput>setfacl -m u:trhodes:rwx,group:web:r--,o::--- test</userinput></screen>
<para>In this example, <option>-m</option> is used to modify the <para>In this example, there were no
default <acronym>ACL</acronym> entries. Since there were no
pre-defined entries, as they were removed by the previous pre-defined entries, as they were removed by the previous
command, it restores the default options and assign the command. This command restores the default options and assigns the
options listed. If a user or group is added which does not options listed. If a user or group is added which does not
exist on the system, an <errorname>Invalid exist on the system, an <errorname>Invalid
argument</errorname> error will be displayed.</para> argument</errorname> error will be displayed.</para>
<para>Refer to &man.getfacl.1; and &man.setfacl.1; for more
information about the options available for these
commands.</para>
</sect2> </sect2>
</sect1> </sect1>