LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue57/tag/7.html

252 lines
11 KiB
HTML
Raw Permalink Blame History

<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.3E.d">
<TITLE>The Answer Gang 57: ACLs on Linux</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
LINK="#3366FF" VLINK="#A000A0">
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<P> <hr>
<CENTER>
<!-- *** BEGIN navbar *** -->
<!-- *** END navbar *** -->
</CENTER>
</p>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<center>
<H1><A NAME="answer">
<img src="../../gx/dennis/qbubble.gif" alt="(?)"
border="0" align="middle">
<font color="#B03060">The Answer Gang</font>
<img src="../../gx/dennis/bbubble.gif" alt="(!)"
border="0" align="middle">
</A></H1>
<BR>
<H4>By James T. Dennis,
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
LinuxCare,
<A HREF="http://www.linuxcare.com/">http://www.linuxcare.com/</A>
</H4>
</center>
<p><hr><p>
<!-- endcut ======================================================= -->
<!-- begin 7 -->
<H3 align="left"><img src="../../gx/dennis/bbubble.gif"
height="50" width="60" alt="(?) " border="0"
>ACLs on Linux</H3>
<p><strong>In reply to Ivan Sergio Borgonovo on the SVLUG list</strong><p>
<p align="right">Answered By: Rick Moen</p>
<BLOCKQUOTE>
I thought you might be interested in the thing that follows, because
of what I've heard you say in the past about capabilities models.
</BLOCKQUOTE>
<p><em>Jim Dennis has been quite verbose about the difference between the
current Linux privileges model and true capabilities systems like
EROS (<a href="http://www.eros-os.org/">eros-os.org</a>).
-- Heather</em></p>
<p><strong><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
A guy posting to the SVLUG list from Italy, Ivan Sergio Borgonovo,
asked whether there were any general summaries of ACLs on Linux.
</strong></p>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
I looked around, was astonished to find that there weren't any, and
decided to write one. It follows <TT>--</TT> used within <A HREF="http://www.valinux.com/">VA Linux</A>'s
Knowledgebase, now, but I see no reason it can't be used anywhere
else, as well. I hope you'll find it of interest.
</BLOCKQUOTE>
<p><em>And so, it's posted here for all of you, dear readers.
-- Heather</em></p>
<p><strong><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
Q: Is there support for ACLs (Access Control Lists) in Linux?
</strong></p>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
A: Yes, there is <TT>--</TT> from multiple development projects, with divergent
approaches, all aiming to allow the administrator some means of
specifying what capabilities a process is to be allowed, and other
fine-grained permissions (including Mandatory Access Control labels,
Capabilities, and auditing information). At this time (August 2000), all
require modifications (third-party, unofficial kernel patches) to the
Linux kernel's filesystem and VFS code (umask and access-control
modifications), which sometimes take a while to catch up with new kernel
releases. The kernel maintainers have not endorsed any one approach.
Thus, implementing any of these approaches remains an advanced topic
using experimental code.
</BLOCKQUOTE>
<BLOCKQUOTE>
Further, there is not broad agreement on what filesystem it is best to
use with ACLs. The obvious choices are ext2 + extended-attributes
extensions, Steven Tweedie's ext3
(<A HREF="ftp://ftp.linux.org.uk/pub/linux/sct/fs/jfs"
>ftp://ftp.linux.org.uk/pub/linux/sct/fs/jfs</A>), the AFS implementations
from IBM/Transarc (<A HREF="http://www.transarc.com/Product/EFS/AFS"
>http://www.transarc.com/Product/EFS/AFS</A>) or the Arla
Project (<A HREF="http://www.stacken.kth.se/projekt/arla"
>http://www.stacken.kth.se/projekt/arla</A>), GFS
(<A HREF="http://www.globalfilesystem.org"
>http://www.globalfilesystem.org</A>), or ReiserFS
(<A HREF="http://devlinux.com/projects/reiserfs"
>http://devlinux.com/projects/reiserfs</A>).
</BLOCKQUOTE>
<BLOCKQUOTE>
Adding further confusion is that the leading candidate for an ACL
standard, IEEE Std 1003.1e, was withdrawn by the IEEE/PASC/SEC working
group while it was still a draft, on Jan. 15, 1998, and thus was never
formally included in POSIX (<A HREF="http://www.guug.de/~winni/posix.1e"
>http://www.guug.de/~winni/posix.1e</A>). It
nonetheless remains influential.
</BLOCKQUOTE>
<BLOCKQUOTE>
Generic "capabilities" support is included in 2.2 and greater kernels,
including a control in <TT>/proc</TT> called the "capabilities bounding set".
Many "capabilities" operations will also require libcap, a library for
getting and setting POSIX 1003.1e-type capabilities, which you can find at
<A HREF="ftp://ftp.de.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2"
>ftp://ftp.de.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2</A> .
See also the Linux Kernel Capabilities FAQ:
<A HREF="ftp://ftp.de.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/capfaq-0.2.txt"
>ftp://ftp.de.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/capfaq-0.2.txt</A>
</BLOCKQUOTE>
<BLOCKQUOTE>
The VFS patches, filesystems extensions or other filesystem facilities
to store ACLs, patches for fsck utilities (preventing them from
"cleaning up" your extended attributes), patches for GNU fileutils,
patches for the quota tools, and administrative tools must be provided
by the various unofficial ACL-on-Linux projects, of which there are
several.
</BLOCKQUOTE>
<BLOCKQUOTE>
In addition to applying any applicable patches to your kernel, you will
have to enable three kernel-configuration options (all in the
"filesystems" section): "Extended filesystem attributes"
(CONFIG_FS_EXT_ATTR), "Access Control Lists" (CONFIG_FS_POSIX_ACL) and
"Extended attributes for ext2" (CONFIG_EXT2_FS_EXT_ATTR). In order to be
offered these configuration options, you must also select "Prompt for
development and/or incomplete code/drivers" (CONFIG_EXPERIMENTAL) in the
code-maturity level options, towards the beginning of kernel
configuration.
</BLOCKQUOTE>
<BLOCKQUOTE>
The AFS distributed storage system, originally developed at CMU,
generically has built-in support for ACLs. As such, it seems reasonable
to suspect that IBM/Transarc's leading AFS implementation on Linux, due
to have an open-source (GPLed) development fork on the near future,
would include ACL support. We have been unable to confirm that from
Transarc's documentation, thus far. This may change as Transarc
completes its open-source rollout.
</BLOCKQUOTE>
<BLOCKQUOTE>
The pre-existing Linux AFS project, the Arla Project, has reportedly
been moving slowly. The quality of its ACL support is likewise unknown.
</BLOCKQUOTE>
<BLOCKQUOTE>
The existing documentation for AFS on Linux, unfortunately, makes no
mention of ACLs or capabilities support:
<A HREF="http://www.rzuser.uni-heidelberg.de/~x42/linuxafs/linuxafs.html"
>http://www.rzuser.uni-heidelberg.de/~x42/linuxafs/linuxafs.html</A>
<A HREF="http://web.urz.uni-heidelberg.de/Veranstaltungen/LUG/Vortraege/AFS/AFS-HOWTO.html"
>http://web.urz.uni-heidelberg.de/Veranstaltungen/LUG/Vortraege/AFS/AFS-HOWTO.html</A>
</BLOCKQUOTE>
<BLOCKQUOTE>
There have been two main attempts to implement POSIX ACLs on ext2 +
extensions. One was the LiVE Project, at
<A HREF="http://aerobee.informatik.uni-bremen.de/acl_eng.html"
>http://aerobee.informatik.uni-bremen.de/acl_eng.html</A> . That effort
appears to be now defunct.
</BLOCKQUOTE>
<BLOCKQUOTE>
The other, and probably your best bet for ACLs on Linux today, is
Andreas Gruenbacher's Linux ACLs project, <A HREF="http://acl.bestbits.at"
>http://acl.bestbits.at</A> .
Gruenbacher has a well-developed ACL implementation with storage
extensions for ext2, linking the extended attributes to inodes, and with
ACLs among the data storable in those extended attributes. He expects
that porting his subsystem to ext3 will be easy.
</BLOCKQUOTE>
<BLOCKQUOTE>
The Samba Project favours/encourages Gruenbacher's approach, and aims
for Samba to directly support POSIX ACLs on Linux if they are ever
incorporated into the standard Linux kernel source tree:
<A HREF="http://info.ccone.at/INF"
>http://info.ccone.at/INF</A> (<A HREF="http://www.inter-mezzo.org"
>http://www.inter-mezzo.org</A>) in the near
future implementing extended attributes similar to Gruenbacher's, making
future ACL support on that filesystem (which is still in early beta)
likely.
</BLOCKQUOTE>
<BLOCKQUOTE>
The LIDS Project (<A HREF="http://www.lids.org"
>http://www.lids.org</A>) implements some "capabilities"
ideas, but not ACLs.
</BLOCKQUOTE>
<BLOCKQUOTE>
Last, Pavel Machek maintains an "ELF capabilities" kernel patch and
matching utilities, which allow the admin to strip specified
capabilities from binary executables at execution time. It does not
provide other ACL-type capabilities. The information on what
capabilities to drop for a given binary upon execution is stored inside
the ELF header, in a manner compatible with ordinary Linux operation.
The advantage to this approach is that it does not require
extended-attributes support in the underlying filesystem. Full details
are at <A HREF="http://atrey.karlin.mff.cuni.cz/~pavel/elfcap.html"
>http://atrey.karlin.mff.cuni.cz/~pavel/elfcap.html</A> .
</BLOCKQUOTE>
<!-- end 7 -->
<!--startcut ======================================================= -->
<P> <hr> </p>
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
>Copyright &copy;</a> 2000, James T. Dennis
<BR>Published in the <I>Linux Gazette</I> Issue 57 September 2000</H5>
<H6 ALIGN="center">HTML transformation by
<A HREF="mailto:star@tuxtops.com">Heather Stern</a> of
Tuxtops, Inc.,
<A HREF="http://www.tuxtops.com/">http://www.tuxtops.com/</A>
</H6>
<P> <hr>
<!-- begin tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::-->
<p align="center">
<table width="100%" border="0"><tr>
<td align="right" valign="center"
><IMG ALT="" SRC="../../gx/navbar/left.jpg"
WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="middle" border="0">
<A HREF="../lg_answer57.html"
><IMG SRC="../../gx/dennis/answertoc.jpg" align="middle"
ALT="[ Answer Guy Current Index ]" border="0"></A></td>
<td align="center" valign="center"><A HREF="../lg_answer57.html#greeting"><img align="middle"
src="../../gx/dennis/smily.gif" alt="greetings" border="0"></A> &nbsp;
<A HREF="1.html">1</A> &nbsp;
<A HREF="2.html">2</A> &nbsp;
<A HREF="3.html">3</A> &nbsp;
<A HREF="4.html">4</A> &nbsp;
<A HREF="5.html">5</A> &nbsp;
<A HREF="6.html">6</A> &nbsp;
<A HREF="7.html">7</A></td>
<td align="left" valign="center"><A HREF="../../tag/kb.html"
><IMG SRC="../../gx/dennis/answerpast.jpg" align="middle"
ALT="[ Index of Past Answers ]" border="0"></A>
<IMG ALT="" SRC="../../gx/navbar/right.jpg" align="middle"
WIDTH="14" HEIGHT="45" BORDER="0"></td></tr></table>
</p>
<!-- end tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::::-->
<P> <hr>
<CENTER>
<!-- *** BEGIN navbar *** -->
<!-- *** END navbar *** -->
</CENTER>
</p>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
</BODY></HTML>
<!--endcut ========================================================= -->
Reference in New Issue View Git Blame Copy Permalink