Index syndication
comment syndication

Solaris Access Control Lists

August 6, 2007 at 14:48 · Filed under unix

A quick lesson (for my own benefit as much as yours) in applying Access Control Lists (ACL) on files and directories under Solaris (in this case Solaris 9).

To allow group “somegroup” read only access to a folder recursively, you need to set the ACL on EVERY directory and file. This is due to the fact that the Solaris setfacl command does not have a recursive option (do not confuse -r with recurse).

To start you change to your parent folder, and then apply the ACL to the top level fodler you want the group to have read access to. The -r switch is to recalculate the ACL mask, and the -m allows you to modify existing permissions to add this ACL.

$ cd /apps/folder
$ setfacl -r -m group:somegroup:r-x application_folder
$ getfacl application_folder
# file: application_folder
# owner: user123
# group: groupxyz
group::rwx #effective:rwx
group:somegroup:r-x #effective:r-x

As you can see, the “somegroup” group now has access to this folder. You MUST give read AND execute permissions however, as without execute on the directories, the users of “somegroup” cannot cd to any given folder. Lastly due to not having a recursive switch, you need to set r-x on each sub directory on our application, and r-- on each sub file. Two methods are shown below, and both are just as effective.

  • method 1

    $ cd /apps/folder/application_folder
    $ find . -type d -exec setfacl -r -m group:somegroup:r-x {} \;
    $ find . -type f -exec setfacl -r -m group:somegroup:r-- {} \;
  • method 2

    $ cd /apps/folder/application_folder
    $ for i in `find . -type d`; do setfacl -r -m \
    group:somegroup:r-x $i; done
    $ for i in `find . -type f`; do setfacl -r -m \
    group:somegroup:r-- $i; done

Leave a Comment