The -d command-line argument is used to delete ACL entries. The remainder of the mask and file command-line arguments are identical to those used with the -s and -m command-line arguments.
Displaying ACLs Using getfacl
The ACLs for a file or directory can be displayed using the getfacl command. The following listing displays the ACLs for the shlog directory using the getfacl command:
# getfacl shlog
# file: shlog
# owner: shlog
# group: staff
user::rwx
group::r-x #effective:r-x
mask:r-x
other:r-x
default:user::rw-
default:group::rw-
default:mask:r--
default:other:r--
#
When using the long version of the ls command, files that have ACLs are shown with a + after the standard permissions, as with file3 in the following example:
# ls -l
total 2
drwxrwxrwt 2 ambro other 512 Jul 24 13:49 dir1
-rwsrwxr-x 1 ambro other 1112 Jul 24 13:53 file1
lrwxrwsr-x 1 ambro other 1112 Jul 24 13:53 file2
-rwxrwlrwx+ 1 ambro other 1112 Jul 24 13:53 file3
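As an added example (not from the book), the following Python reconstructs the #effective: annotation from getfacl output such as the shlog listing above: each group or named-user entry is ANDed with the mask for its scope, and entries whose granted rights the mask narrows are reported. It assumes only the Solaris getfacl line format shown on the page.

```python
"""Re-derive getfacl(1) '#effective:' values. Added example, not from the
book: group and named-user entries ANDed with the mask reveal narrowed rights."""
# Constructed sample: the shlog listing quoted in the text, minus the prompt.
SAMPLE = """\
# file: shlog
user::rwx
group::r-x #effective:r-x
mask:r-x
other:r-x
default:user::rw-
default:group::rw-
default:mask:r--
"""
RWX = tuple(zip("rwx", (4, 2, 1)))   # symbol -> bit value
def perm_bits(text):
    return sum(v for c, (_, v) in zip(text, RWX) if c != "-")   # 'rw-' -> 6
def bits_perm(bits):
    return "".join(c if bits & v else "-" for c, v in RWX)

def parse_getfacl(output):
    """Yield (scope, tag, qualifier, bits) for each ACL entry line."""
    for line in output.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and #effective:
        if not line:
            continue
        scope = "default" if line.startswith("default:") else "access"
        if scope == "default":
            line = line[len("default:"):]
        tag, rest = line.split(":", 1)
        if tag in ("mask", "other"):            # these carry no qualifier field
            qualifier, perms = "", rest
        else:
            qualifier, perms = rest.split(":", 1)
        yield scope, tag, qualifier, perm_bits(perms)

def effective(output):
    """Map (scope, tag, qualifier) -> (granted, effective) rwx strings. The mask
    limits the owning group and named users, never the owning user or 'other'."""
    entries = list(parse_getfacl(output))
    masks = {s: b for s, t, _, b in entries if t == "mask"}
    result = {}
    for scope, tag, qual, bits in entries:
        masked = tag == "group" or (tag == "user" and qual != "")
        eff = bits & masks.get(scope, 7) if masked else bits
        result[(scope, tag, qual)] = (bits_perm(bits), bits_perm(eff))
    return result

def narrowed(output):
    """Entries whose effective rights are smaller than what they grant."""
    return sorted(k for k, (g, e) in effective(output).items() if g != e)
```

On the sample, the access-ACL group entry is unchanged (r-x under an r-x mask), while the default group entry grants rw- but is narrowed to r-- by the default mask, which is what new files created in shlog would inherit.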
Purpose of Role-Based Access Control
In the past, Unix and Solaris system administration has been performed using the root superuser account or a user account that's granted superuser privileges. Even if access to only a few privileged operations or commands was needed to perform a task, the user account was granted complete control over the system. This all-or-nothing approach to system administration has always been a security issue. Role-Based Access Control (RBAC) addresses this issue.
The RBAC subsystem supports the concept of a special type of user account called a role. Roles are granted a set of superuser privileges to perform some