252 lines
11 KiB
HTML
252 lines
11 KiB
HTML
<!--startcut ======================================================= -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<html>
|
|
<head>
|
|
<META NAME="generator" CONTENT="lgazmail v1.3E.d">
|
|
<TITLE>The Answer Gang 57: ACLs on Linux</TITLE>
|
|
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
|
|
LINK="#3366FF" VLINK="#A000A0">
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<P> <hr>
|
|
<CENTER>
|
|
<!-- *** BEGIN navbar *** -->
|
|
<!-- *** END navbar *** -->
|
|
</CENTER>
|
|
</p>
|
|
<P> <hr> <P>
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<center>
|
|
<H1><A NAME="answer">
|
|
<img src="../../gx/dennis/qbubble.gif" alt="(?)"
|
|
border="0" align="middle">
|
|
<font color="#B03060">The Answer Gang</font>
|
|
<img src="../../gx/dennis/bbubble.gif" alt="(!)"
|
|
border="0" align="middle">
|
|
</A></H1>
|
|
<BR>
|
|
<H4>By James T. Dennis,
|
|
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
|
|
LinuxCare,
|
|
<A HREF="http://www.linuxcare.com/">http://www.linuxcare.com/</A>
|
|
</H4>
|
|
</center>
|
|
|
|
<p><hr><p>
|
|
<!-- endcut ======================================================= -->
|
|
<!-- begin 7 -->
|
|
<H3 align="left"><img src="../../gx/dennis/bbubble.gif"
|
|
height="50" width="60" alt="(?) " border="0"
|
|
>ACLs on Linux</H3>
|
|
|
|
<p><strong>In reply to Ivan Sergio Borgonovo on the SVLUG list</strong><p>
|
|
<p align="right">Answered By: Rick Moen</p>
|
|
<BLOCKQUOTE>
|
|
I thought you might be interested in the thing that follows, because
|
|
of what I've heard you say in the past about capabilities models.
|
|
</BLOCKQUOTE>
|
|
<p><em>Jim Dennis has been quite verbose about the difference between the
|
|
current Linux privileges model and true capabilities systems like
|
|
EROS (<a href="http://www.eros-os.org/">eros-os.org</a>).
|
|
-- Heather</em></p>
|
|
<p><strong><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
>
|
|
A guy posting to the SVLUG list from Italy, Ivan Sergio Borgonovo,
|
|
asked whether there were any general summaries of ACLs on Linux.
|
|
</strong></p>
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
>
|
|
I looked around, was astonished to find that there weren't any, and
|
|
decided to write one. It follows <TT>--</TT> used within <A HREF="http://www.valinux.com/">VA Linux</A>'s
|
|
Knowledgebase, now, but I see no reason it can't be used anywhere
|
|
else, as well. I hope you'll find it of interest.
|
|
</BLOCKQUOTE>
|
|
<p><em>And so, it's posted here for all of you, dear readers.
|
|
-- Heather</em></p>
|
|
<p><strong><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
>
|
|
Q: Is there support for ACLs (Access Control Lists) in Linux?
|
|
</strong></p>
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
>
|
|
A: Yes, there is <TT>--</TT> from multiple development projects, with divergent
|
|
approaches, all aiming to allow the administrator some means of
|
|
specifying what capabilities a process is to be allowed, and other
|
|
fine-grained permissions (including Mandatory Access Control labels,
|
|
Capabilities, and auditing information). At this time (August 2000), all
|
|
require modifications (third-party, unofficial kernel patches) to the
|
|
Linux kernel's filesystem and VFS code (umask and access-control
|
|
modifications), which sometimes take a while to catch up with new kernel
|
|
releases. The kernel maintainers have not endorsed any one approach.
|
|
Thus, implementing any of these approaches remains an advanced topic
|
|
using experimental code.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Further, there is not broad agreement on what filesystem it is best to
|
|
use with ACLs. The obvious choices are ext2 + extended-attributes
|
|
extensions, Steven Tweedie's ext3
|
|
(<A HREF="ftp://ftp.linux.org.uk/pub/linux/sct/fs/jfs"
|
|
>ftp://ftp.linux.org.uk/pub/linux/sct/fs/jfs</A>), the AFS implementations
|
|
from IBM/Transarc (<A HREF="http://www.transarc.com/Product/EFS/AFS"
|
|
>http://www.transarc.com/Product/EFS/AFS</A>) or the Arla
|
|
Project (<A HREF="http://www.stacken.kth.se/projekt/arla"
|
|
>http://www.stacken.kth.se/projekt/arla</A>), GFS
|
|
(<A HREF="http://www.globalfilesystem.org"
|
|
>http://www.globalfilesystem.org</A>), or ReiserFS
|
|
(<A HREF="http://devlinux.com/projects/reiserfs"
|
|
>http://devlinux.com/projects/reiserfs</A>).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Adding further confusion is that the leading candidate for an ACL
|
|
standard, IEEE Std 1003.1e, was withdrawn by the IEEE/PASC/SEC working
|
|
group while it was still a draft, on Jan. 15, 1998, and thus was never
|
|
formally included in POSIX (<A HREF="http://www.guug.de/~winni/posix.1e"
|
|
>http://www.guug.de/~winni/posix.1e</A>). It
|
|
nonetheless remains influential.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Generic "capabilities" support is included in 2.2 and greater kernels,
|
|
including a control in <TT>/proc</TT> called the "capabilities bounding set".
|
|
Many "capabilities" operations will also require libcap, a library for
|
|
getting and setting POSIX 1003.1e-type capabilities, which you can find at
|
|
<A HREF="ftp://ftp.de.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2"
|
|
>ftp://ftp.de.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2</A> .
|
|
See also the Linux Kernel Capabilities FAQ:
|
|
<A HREF="ftp://ftp.de.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/capfaq-0.2.txt"
|
|
>ftp://ftp.de.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/capfaq-0.2.txt</A>
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
The VFS patches, filesystems extensions or other filesystem facilities
|
|
to store ACLs, patches for fsck utilities (preventing them from
|
|
"cleaning up" your extended attributes), patches for GNU fileutils,
|
|
patches for the quota tools, and administrative tools must be provided
|
|
by the various unofficial ACL-on-Linux projects, of which there are
|
|
several.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
In addition to applying any applicable patches to your kernel, you will
|
|
have to enable three kernel-configuration options (all in the
|
|
"filesystems" section): "Extended filesystem attributes"
|
|
(CONFIG_FS_EXT_ATTR), "Access Control Lists" (CONFIG_FS_POSIX_ACL) and
|
|
"Extended attributes for ext2" (CONFIG_EXT2_FS_EXT_ATTR). In order to be
|
|
offered these configuration options, you must also select "Prompt for
|
|
development and/or incomplete code/drivers" (CONFIG_EXPERIMENTAL) in the
|
|
code-maturity level options, towards the beginning of kernel
|
|
configuration.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
The AFS distributed storage system, originally developed at CMU,
|
|
generically has built-in support for ACLs. As such, it seems reasonable
|
|
to suspect that IBM/Transarc's leading AFS implementation on Linux, due
|
|
to have an open-source (GPLed) development fork on the near future,
|
|
would include ACL support. We have been unable to confirm that from
|
|
Transarc's documentation, thus far. This may change as Transarc
|
|
completes its open-source rollout.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
The pre-existing Linux AFS project, the Arla Project, has reportedly
|
|
been moving slowly. The quality of its ACL support is likewise unknown.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
The existing documentation for AFS on Linux, unfortunately, makes no
|
|
mention of ACLs or capabilities support:
|
|
<A HREF="http://www.rzuser.uni-heidelberg.de/~x42/linuxafs/linuxafs.html"
|
|
>http://www.rzuser.uni-heidelberg.de/~x42/linuxafs/linuxafs.html</A>
|
|
<A HREF="http://web.urz.uni-heidelberg.de/Veranstaltungen/LUG/Vortraege/AFS/AFS-HOWTO.html"
|
|
>http://web.urz.uni-heidelberg.de/Veranstaltungen/LUG/Vortraege/AFS/AFS-HOWTO.html</A>
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
There have been two main attempts to implement POSIX ACLs on ext2 +
|
|
extensions. One was the LiVE Project, at
|
|
<A HREF="http://aerobee.informatik.uni-bremen.de/acl_eng.html"
|
|
>http://aerobee.informatik.uni-bremen.de/acl_eng.html</A> . That effort
|
|
appears to be now defunct.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
The other, and probably your best bet for ACLs on Linux today, is
|
|
Andreas Gruenbacher's Linux ACLs project, <A HREF="http://acl.bestbits.at"
|
|
>http://acl.bestbits.at</A> .
|
|
Gruenbacher has a well-developed ACL implementation with storage
|
|
extensions for ext2, linking the extended attributes to inodes, and with
|
|
ACLs among the data storable in those extended attributes. He expects
|
|
that porting his subsystem to ext3 will be easy.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
The Samba Project favours/encourages Gruenbacher's approach, and aims
|
|
for Samba to directly support POSIX ACLs on Linux if they are ever
|
|
incorporated into the standard Linux kernel source tree:
|
|
<A HREF="http://info.ccone.at/INF"
|
|
>http://info.ccone.at/INF</A> (<A HREF="http://www.inter-mezzo.org"
|
|
>http://www.inter-mezzo.org</A>) in the near
|
|
future implementing extended attributes similar to Gruenbacher's, making
|
|
future ACL support on that filesystem (which is still in early beta)
|
|
likely.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
The LIDS Project (<A HREF="http://www.lids.org"
|
|
>http://www.lids.org</A>) implements some "capabilities"
|
|
ideas, but not ACLs.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Last, Pavel Machek maintains an "ELF capabilities" kernel patch and
|
|
matching utilities, which allow the admin to strip specified
|
|
capabilities from binary executables at execution time. It does not
|
|
provide other ACL-type capabilities. The information on what
|
|
capabilities to drop for a given binary upon execution is stored inside
|
|
the ELF header, in a manner compatible with ordinary Linux operation.
|
|
The advantage to this approach is that it does not require
|
|
extended-attributes support in the underlying filesystem. Full details
|
|
are at <A HREF="http://atrey.karlin.mff.cuni.cz/~pavel/elfcap.html"
|
|
>http://atrey.karlin.mff.cuni.cz/~pavel/elfcap.html</A> .
|
|
</BLOCKQUOTE>
|
|
|
|
<!-- end 7 -->
|
|
<!--startcut ======================================================= -->
|
|
<P> <hr> </p>
|
|
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
|
|
>Copyright ©</a> 2000, James T. Dennis
|
|
<BR>Published in the <I>Linux Gazette</I> Issue 57 September 2000</H5>
|
|
<H6 ALIGN="center">HTML transformation by
|
|
<A HREF="mailto:star@tuxtops.com">Heather Stern</a> of
|
|
Tuxtops, Inc.,
|
|
<A HREF="http://www.tuxtops.com/">http://www.tuxtops.com/</A>
|
|
</H6>
|
|
<P> <hr>
|
|
<!-- begin tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<p align="center">
|
|
<table width="100%" border="0"><tr>
|
|
<td align="right" valign="center"
|
|
><IMG ALT="" SRC="../../gx/navbar/left.jpg"
|
|
WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="middle" border="0">
|
|
<A HREF="../lg_answer57.html"
|
|
><IMG SRC="../../gx/dennis/answertoc.jpg" align="middle"
|
|
ALT="[ Answer Guy Current Index ]" border="0"></A></td>
|
|
<td align="center" valign="center"><A HREF="../lg_answer57.html#greeting"><img align="middle"
|
|
src="../../gx/dennis/smily.gif" alt="greetings" border="0"></A>
|
|
<A HREF="1.html">1</A>
|
|
<A HREF="2.html">2</A>
|
|
<A HREF="3.html">3</A>
|
|
<A HREF="4.html">4</A>
|
|
<A HREF="5.html">5</A>
|
|
<A HREF="6.html">6</A>
|
|
<A HREF="7.html">7</A></td>
|
|
<td align="left" valign="center"><A HREF="../../tag/kb.html"
|
|
><IMG SRC="../../gx/dennis/answerpast.jpg" align="middle"
|
|
ALT="[ Index of Past Answers ]" border="0"></A>
|
|
<IMG ALT="" SRC="../../gx/navbar/right.jpg" align="middle"
|
|
WIDTH="14" HEIGHT="45" BORDER="0"></td></tr></table>
|
|
</p>
|
|
<!-- end tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<P> <hr>
|
|
<CENTER>
|
|
<!-- *** BEGIN navbar *** -->
|
|
<!-- *** END navbar *** -->
|
|
</CENTER>
|
|
</p>
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
</BODY></HTML>
|
|
<!--endcut ========================================================= -->
|