HAYAGUI

MacOS X 10.4 (Tiger) + ACL(Access Control List)

Introduction

The July issue of UNIXUSER had an example of using ACLs (Access Control Lists) on Mac OS X 10.4. It was a rather hard example to follow, so I tried it out myself.

I used the chmod man page as a reference.

Enabling ACLs

To enable ACLs, run the fsaclctl command from the Terminal. ACL support is off by default on a 10.4 client volume, so this is done once per volume (-p for one mount point, -a for all of them) and needs root. Before that, look at the help and version output.
ibg4:~ kenz$ sudo /usr/sbin/fsaclctl 
Password:
usage:  fsaclctl -p path | -a  [-e enable] [-d disable] [-v]
                -p              path to filesystem mount point
                -a              operate on all relevant volumes
                -e              enable access control lists on this filesystem
                -d              disable access control lists on this filesystem
                -v              print version 

ibg4:~ kenz$ 
ibg4:~ kenz$ sudo /usr/sbin/fsaclctl -v
fsaclctl version 1.1
ibg4:~ kenz$ 
Now for real.
ibg4:~ kenz$ sudo /usr/sbin/fsaclctl -p / -e
Password:
ibg4:~ kenz$ 
It finishes right away.

Using ACLs

UNIX has always controlled access with the mode bits (rwx for owner, group and others). How do ACLs relate to them? The ACL is consulted first: the kernel walks the entries in order, and the first entry that names the requesting user (or one of their groups) and mentions the right being asked for decides it. In canonical order deny entries come before allow entries, so an explicit deny wins. Only rights that no entry decides fall back to the mode bits. The practical consequence is that a file shown as 644 by ls -l can still be writable by someone other than its owner, which anyone auditing permissions needs to keep in mind. This time we use an ACL so that kenz, who has no write permission in the mode bits, can write to a file that root created.
ibg4:/var/tmp/test root# pwd
/var/tmp/test
ibg4:/var/tmp/test root# ls -la
total 0
drwxr-xr-x    2 root  wheel   68 Jul  2 22:51 .
drwxrwxrwt   18 root  wheel  612 Jul  2 22:51 ..
ibg4:/var/tmp/test root# echo "hoge" > hoge.txt
ibg4:/var/tmp/test root# ls -le
total 8
-rw-r--r--   1 root  wheel  5 Jul  2 22:51 hoge.txt
ibg4:/var/tmp/test root# 
The mode is 644, so only root should be able to write. The -e option of ls prints ACL information; there is no ACL yet, so the output is the same as plain ls -l.
ibg4:~ kenz$ id
uid=501(kenz) gid=501(kenz) groups=501(kenz), 81(appserveradm), 79(appserverusr), 80(admin)
ibg4:~ kenz$ 
ibg4:~ kenz$ echo "hogehoge" >> /var/tmp/test/hoge.txt 
-bash: /var/tmp/test/hoge.txt: Permission denied
ibg4:~ kenz$ 
ibg4:~ kenz$ cat /var/tmp/test/hoge.txt 
hoge
ibg4:~ kenz$
So kenz can read the file but cannot write to it.

Root grants kenz write permission with chmod as follows. The argument to +a is one ACL entry: an identity (user or group name), allow or deny, and a comma-separated list of rights.

ibg4:/var/tmp/test root# chmod +a "kenz allow write" hoge.txt 
ibg4:/var/tmp/test root# ls -le
total 8
-rw-r--r-- + 1 root  wheel  5 Jul  2 22:51 hoge.txt
 0: user:kenz allow write
ibg4:/var/tmp/test root# 
With ls -le the ACL is shown: the + after the mode bits marks a file that has an ACL (plain ls -l shows the + as well, only without the entries), and entry 0 is the one we just added. Note that the mode bits themselves are still 644.

In this state, let's have kenz try writing to the file.

ibg4:~ kenz$ echo "hogehoge" >> /var/tmp/test/hoge.txt 
ibg4:~ kenz$ cat /var/tmp/test/hoge.txt 
hoge
hogehoge
ibg4:~ kenz$ 
And it works.

According to the mode bits kenz should not be able to write, but the ACL allowed it. The mode bits never changed, so an audit that only reads the rwx column of ls -l and ignores the + marker would miss this grant entirely. The entry can be taken back again with chmod's -a mode, described in the man page excerpt further down.
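Here is the procedure above as a script. This is an added example and not code from the original page: it performs the ACL grant, verifies it by reading the entry back from ls -le, confirms the mode bits stayed at 644, and offers the matching revert. The parser and the checks work on plain text so they can be exercised anywhere; grant_write and revoke_write themselves need macOS and root. The user name kenz, the path /var/tmp/test/hoge.txt and the sample ls -le output are assumptions taken from the transcript above.

```shell
#!/bin/sh
# Added example, not code from the original page: grant one user write
# access to a root-owned 644 file via an ACL and verify the grant from
# `ls -le`.  Only grant_write/revoke_write need macOS; the rest is
# portable so it can be checked offline.

# Print the ACL entries from `ls -le` output on stdin, one per line,
# without the "N: " index, e.g. "user:kenz allow write".
acl_entries() {
    awk '/^[[:space:]]*[0-9]+:[[:space:]]/ {
             sub(/^[[:space:]]*[0-9]+:[[:space:]]+/, ""); print }'
}

# has_ace "<ls -le output>" "<entry>" -> 0 if that exact entry is listed
has_ace() {
    printf '%s\n' "$1" | acl_entries | grep -Fxq "$2"
}

# True if the mode column carries the "+" that marks a file with an ACL.
# Tiger prints it after a space ("-rw-r--r-- + 1 root"); later releases
# attach it ("-rw-r--r--+ 1 root").  Accept both.
has_acl_marker() {
    printf '%s\n' "$1" | grep -Eq '^[-dl][rwxsStT-]{9} *\+ '
}

# macOS only, run as root: add "user allow write" to file and verify that
# the entry landed, the "+" marker is shown, the mode bits are untouched,
# and the user can really append to the file.
# Assumed call: grant_write kenz /var/tmp/test/hoge.txt
grant_write() {
    user=$1 file=$2
    chmod +a "$user allow write" "$file" || return 1
    out=$(ls -le "$file")
    has_ace "$out" "user:$user allow write" || { echo "entry missing: $out" >&2; return 1; }
    has_acl_marker "$out" || { echo "no + marker: $out" >&2; return 1; }
    [ "$(stat -f %OLp "$file")" = 644 ] || { echo "mode bits changed" >&2; return 1; }
    sudo -u "$user" sh -c "echo hogehoge >> '$file'"
}

# Remove exactly the entry grant_write added (chmod's -a mode).
revoke_write() {
    chmod -a "$1 allow write" "$2"
}

# Constructed sample of Tiger's `ls -le` output, for the offline checks.
SAMPLE_LS_LE='-rw-r--r-- + 1 root  wheel  5 Jul  2 22:51 hoge.txt
 0: user:kenz allow write'

# The live demo only runs when asked for explicitly, and only on macOS.
if [ "${1:-}" = demo ] && [ "$(uname)" = Darwin ]; then
    grant_write "${2:-kenz}" "${3:-/var/tmp/test/hoge.txt}"
fi
```

Run it as root with the argument demo to repeat the page's experiment; without arguments it only defines the functions, so has_ace and has_acl_marker can be pointed at saved ls -le output from any machine, which is handy when sweeping a volume for files whose effective permissions differ from what their mode bits suggest.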

I see.

Access from Windows

Just as I was thinking that, I came across a Tech Info Library article saying it "can't be done".

TIL: Mac OS X Server 10.4: Windows users cannot change ACL permissions on the server

Huh? But the ACL feature page says you can.

http://www.apple.com/jp/server/macosx/features/windowsservices.html

The chmod man page

The part of the chmod man page that explains ACLs.
ACL MANIPULATION OPTIONS
     ACLs are manipulated using extensions to the symbolic mode grammar.  Each
     file has one ACL, containing an ordered list of entries.  Each entry
     refers to a user or group, and grants or denies a set of permissions.

     The following permissions are applicable to all filesystem objects:
	   delete  Delete the item.  Deletion may be granted by either this
		   permission on an object or the delete_child right on the
		   containing directory.
	   readattr
		   Read an object's basic attributes.  This is implicitly
		   granted if the object can be looked up and not explicitly
		   denied.
	   writeattr
		   Write an object's basic attributes.
	   readextattr
		   Read extended attributes.
	   writeextattr
		   Write extended attributes.
	   readsecurity
		   Read an object's extended security information (ACL).
	   writesecurity
		   Write an object's security information (ownership, mode,
		   ACL).
	   chown   Change an object's ownership.

     The following permissions are applicable to directories:
	   list	   List entries.
	   search  Look up files by name.
	   add_file
		   Add a file.
	   add_subdirectory
		   Add a subdirectory.
	   delete_child
		   Delete a contained object.  See the file delete permission
		   above.

     The following permissions are applicable to non-directory filesystem
     objects:
	   read	   Open for reading.
	   write   Open for writing.
	   append  Open for writing, but in a fashion that only allows writes
		   into areas of the file not previously written.
	   execute
		   Execute the file as a script or program.

     ACL inheritance is controlled with the following permissions words, which
     may only be applied to directories:
	   file_inherit
		   Inherit to files.
	   directory_inherit
		   Inherit to directories.
	   limit_inherit
		   This flag is only relevant to entries inherited by
		   subdirectories; it causes the directory_inherit flag to be
		   cleared in the entry that is inherited, preventing further
		   nested subdirectories from also inheriting the entry.
	   only_inherit
		   The entry is inherited by created items but not considered
		   when processing the ACL.

     The ACL manipulation options are as follows:

     +a	     The +a mode parses a new ACL entry from the next argument on the
	     commandline and inserts it into the canonical location in the
	     ACL. If the supplied entry refers to an identity already listed,
	     the two entries are combined.

	     Examples
	      # ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
	      # chmod +a "admin allow write" file1
	      # ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
		owner: juser
		1: admin allow write
	      # chmod +a "guest deny read" file1
	      # ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
		owner: juser
		1: guest deny read
		2: admin allow write
	      # chmod +a "admin allow delete" file1
	      # ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
		owner: juser
		1: guest deny read
		2: admin allow write,delete

	     The +a mode strives to maintain correct canonical form for the
	     ACL.
			      local deny
			      local allow
			      inherited deny
			      inherited allow

	     By default, chmod adds entries to the top of the local deny and
	     local allow lists. Inherited entries are added by using the +ai
	     mode.

	     Examples
	      # ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
		owner: juser
		1: guest deny read
		2: admin allow write,delete
		3: juser inherited deny delete
		4: admin inherited allow delete
		5: backup inherited deny read
		6: admin inherited allow write-security
	      # chmod +ai "others allow write" file1
	      # ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
		owner: juser
		1: guest deny read
		2: admin allow write,delete
		3: juser inherited deny delete
		4: others inherited allow write
		5: admin inherited allow delete
		6: backup inherited deny read
		7: admin inherited allow write-security

     +a#     When a specific ordering is required, the exact location at which
	     an entry will be inserted is specified with the +a# mode.

	     Examples
	      # ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
		owner: juser
		1: guest deny read
		2: admin allow write
	      # chmod +a# 2 "others deny read" file1
	      # ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
		owner: juser
		1: guest deny read
		2: others deny read
		3: admin allow write

	     The +ai# mode may be used to insert inherited entries at a
	     specific location. Note that these modes allow non-canonical ACL
	     ordering to be constructed.

     -a	     The -a mode is used to delete ACL entries. All entries exactly
	     matching the supplied entry will be deleted. If the entry lists a
	     subset of rights granted by an entry, only the rights listed are
	     removed. Entries may also be deleted by index using the -a# mode.

	     Examples
	      # ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
		owner: juser
		1: guest deny read
		2: admin allow write,delete
	      # chmod -a# 1 file1
	      # ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
		owner: juser
		1: admin allow write,delete
	      # chmod -a "admin allow write" file1
	      # ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
		owner: juser
		1: admin allow delete

	     Inheritance is not considered when processing the -a mode; rights
	     and entries will be removed regardless of their inherited state.

     =a#     Individual entries are rewritten using the =a# mode.

	     Examples
	      # ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
		owner: juser
		1: admin allow delete
	      # chmod =a# 1 "admin allow write,chown" file1
	      # ls -le
	      -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
		owner: juser
		1: admin allow write,chown

	     This mode may not be used to add new entries.

     -E	     Reads the ACL information from stdin, as a sequential list of
	     ACEs, separated by newlines.  If the information parses
	     correctly, the existing information is replaced.

     -C	     Returns false if any of the named files have ACLs in
	     non-canonical order.

     -i	     Removes the 'inherited' bit from all entries in the named file(s)
	     ACLs.

     -I	     Removes all inherited entries from the named file(s) ACL(s).
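To make the evaluation rules concrete (ACL walked in order, first applicable entry decides, mode bits only for what the ACL leaves open, and the canonical ordering that chmod -C tests for), here is a small model written in the entry grammar the man page uses. This is an added example and not code from the page or from Apple; it is a model of the documented behaviour, not the kernel's implementation, and the ACLs, file modes, users and group memberships in it are constructed. Root's override and the attribute and ownership rights are deliberately left out.

```shell
#!/bin/sh
# Added example, not from the page or from Apple: a small model of how an
# access request is decided against an ACL plus the mode bits, using the
# entry grammar of chmod(1) ("user:kenz allow write",
# "group:admin inherited allow read,write").  Modelling assumptions: the
# entries are walked in order and the first one naming the requesting
# user (or one of their groups) that mentions the requested right
# decides; whatever the ACL leaves undecided falls through to the mode
# bits.  Root's override and the attribute rights are left out.

in_list() { for x in $2; do [ "$x" = "$1" ] && return 0; done; return 1; }

# ace_matches WHO USER "GROUPS" -> 0 if the entry's identity covers USER
ace_matches() {
    case $1 in
        user:*)  [ "${1#user:}" = "$2" ] ;;
        group:*) in_list "${1#group:}" "$3" ;;
        *)       return 1 ;;
    esac
}

# rights_contain "write,delete" write -> 0 if the list names the right
rights_contain() { case ",$1," in *",$2,"*) return 0 ;; esac; return 1; }

# acl_decides ACL USER "GROUPS" RIGHT -> prints allow, deny or undecided
acl_decides() {
    acl=$1 user=$2 groups=$3 right=$4
    decision=$(printf '%s\n' "$acl" | while IFS= read -r ace; do
        [ -n "$ace" ] || continue
        set -- $ace                   # who [inherited] verdict rights
        who=$1; shift
        [ "$1" = inherited ] && shift
        if ace_matches "$who" "$user" "$groups" && rights_contain "$2" "$right"; then
            echo "$1"; exit 0         # first applicable entry wins
        fi
    done)
    echo "${decision:-undecided}"
}

# mode_allows MODE OWNER GROUP USER "GROUPS" RIGHT: the classic rwx check,
# MODE as three octal digits.  Only read/write/append/execute have a mode
# bit; every other right (delete, chown, writesecurity, ...) is treated
# as owner-only here, a simplification.
mode_allows() {
    mode=$1 owner=$2 fgroup=$3 user=$4 groups=$5 right=$6
    if [ "$user" = "$owner" ]; then digit=${mode%??}
    elif in_list "$fgroup" "$groups"; then digit=${mode#?}; digit=${digit%?}
    else digit=${mode#??}
    fi
    case $right in
        read)         bit=4 ;;
        write|append) bit=2 ;;
        execute)      bit=1 ;;
        *)            [ "$user" = "$owner" ] && return 0; return 1 ;;
    esac
    [ $(( digit & bit )) -ne 0 ]
}

# allowed ACL MODE OWNER GROUP USER "GROUPS" RIGHT -> 0 if the request passes
allowed() {
    case $(acl_decides "$1" "$5" "$6" "$7") in
        allow) return 0 ;;
        deny)  return 1 ;;
        *)     mode_allows "$2" "$3" "$4" "$5" "$6" "$7" ;;
    esac
}

# canonical ACL -> 0 if the entries are in chmod's canonical order
# (local deny, local allow, inherited deny, inherited allow), i.e. what
# chmod -C tests for.
canonical() {
    last=0
    printf '%s\n' "$1" | while IFS= read -r ace; do
        [ -n "$ace" ] || continue
        set -- $ace; shift
        if [ "$1" = inherited ]; then shift; base=2; else base=0; fi
        case $1 in deny) rank=$base ;; allow) rank=$((base + 1)) ;; esac
        [ "$rank" -ge "$last" ] || exit 1
        last=$rank
    done
}

# Constructed ACLs: the page's single entry, and one with an explicit
# deny ahead of the allow plus an inherited group entry.
FILE_ACL='user:kenz allow write'
DENY_FIRST_ACL='user:kenz deny write
user:kenz allow write
group:admin inherited allow read,write'

# The page's scenario: root-owned 644 file, kenz asking for each right.
for r in read write execute; do
    if allowed "$FILE_ACL" 644 root wheel kenz "kenz admin" "$r"; then
        echo "kenz $r: allowed"
    else
        echo "kenz $r: denied"
    fi
done
```

The entry strings are exactly what chmod accepts, so an ACL you have reasoned about with this model can be applied verbatim with the -E mode above (printf '%s\n' "$ACL" | chmod -E file). The deny-first ACL is the case to remember: because chmod +a keeps canonical order, a later "allow write" never overrides an earlier "deny write" for the same user, whereas +a# lets you build the reverse order, and then the first match still wins.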






(C)1999 - 2005 Kenji Ito All rights reserved.