Date: Mon, 21 Oct 1996 18:44:16 -0700
From: Cy Schubert <cy@cwsys.cwent.com>
To: Wes Peters <softweyr@xmission.com>
Cc: Jerry Kelley <jerryk@iquest.net>, security@FreeBSD.ORG
Subject: Re: Any FreeBSD security topics of interest?
Message-ID: <199610220144.SAA00894@cwsys.cwent.com>
In-Reply-To: Your message of "Sun, 20 Oct 1996 11:16:12 MDT." <199610201716.LAA04095@obie.softweyr.com>
> Jerry Kelley writes:
[...]
>
> ACLs have a lot of potential for clearing up some sticky
> administration problems in UNIX. Many of the setuid programs we worry
> about could be more carefully restricted with carefully applied ACLs,
> and many of the tasks that you have to 'su' to do today could be
> ACL'ed and setuid so that specific groups or individuals could perform
> them without needing to su.

I and my team have been using ACL's on the Solaris 2.5 and 2.5.1 boxes for
quite some time. They've been lifesavers. We've been able to delegate
management of the SNA software on one of the Solaris boxes we manage to the
DB2 DBA team using a combination of ACL's and sudo. This would be a handy
addition to FreeBSD as well.

Solaris uses two commands to manage ACL's, setfacl and getfacl. The ls -l
listing has also changed to add a + to the permissions to indicate that
ACL's are in use, e.g.,

    -rw-r--r--+  1 root     other        137 Oct 11 11:18 foo

If we do a getfacl foo we get,

    # file: foo
    # owner: root
    # group: other
    user::rw-
    group::r--              #effective:r--
    group:sna:rw-           #effective:rw-
    mask:rwx
    other:r--

This in turn can be used as input on a setfacl command, e.g.,

    getfacl foo | setfacl -f - foobar

Regards,                       Phone:  (250)389-3827
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support          BITNET:  CSCHUBER@BCSC02.BITNET
ITSD                        Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."
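An added example, not from the message above or from Solaris itself: a Python parser for the getfacl listing format quoted in the message that applies the POSIX.1e mask rule the #effective: hints reflect, then answers which users and groups can actually read or write the file. The getfacl text, user names and group memberships it checks are constructed.

```python
SAMPLE_GETFACL = """\
# file: foo
# owner: root
# group: other
user::rw-
group::r--              #effective:r--
group:sna:rw-           #effective:rw-
mask:rwx
other:r--
"""  # constructed to match the listing quoted in the message

def perms(s):
    return frozenset(c for c in s if c in "rwx")  # 'rw-' -> {'r', 'w'}

def parse_getfacl(text):
    """Owner, owning group, user/group entries ('' = user::/group::), mask, other."""
    acl = {"owner": None, "group": None, "user": {}, "groupent": {},
           "mask": frozenset("rwx"), "other": frozenset()}
    for raw in text.splitlines():
        if raw.startswith("# owner:") or raw.startswith("# group:"):
            acl[raw[2:7]] = raw.split(":", 1)[1].strip()  # raw[2:7] is 'owner'/'group'
        line = raw.split("#", 1)[0].strip()  # drop '# file:' and '#effective:' comments
        if not line:
            continue
        parts = line.split(":")
        if parts[0] in ("mask", "other"):
            acl[parts[0]] = perms(parts[1])
        elif parts[0] == "user":
            acl["user"][parts[1]] = perms(parts[2])
        elif parts[0] == "group":
            acl["groupent"][parts[1]] = perms(parts[2])
    return acl

def effective(acl, tag, name):
    """The mask caps every entry except user:: (the owner) and other."""
    p = acl["user"][name] if tag == "user" else acl["groupent"][name]
    return p if (tag, name) == ("user", "") else p & acl["mask"]

def allowed(acl, user, groups, want):
    """POSIX.1e check order: owner, named user, any matching group entry, then other."""
    want = perms(want)
    if user == acl["owner"]:
        return want <= acl["user"][""]
    if user in acl["user"]:
        return want <= effective(acl, "user", user)  # a named-user hit never falls through
    matches = [effective(acl, "group", g) for g in acl["groupent"]
               if (g == "" and acl["group"] in groups) or (g != "" and g in groups)]
    if matches:
        return any(want <= m for m in matches)
    return want <= acl["other"]
```

Lowering the mask to r-- is enough to revoke the sna group's write access without touching the group:sna entry, which is why the #effective: column is the one to audit.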
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199610220144.SAA00894>