全部博文(68)
分类: BSD
2005-05-18 12:36:28
File System Access Control Lists
Contributed by Tom Rhodes and Pat GUO.
In conjunction with file system enhancements like snapshots, FreeBSD 5.0 and later offers the security of File System Access Control Lists (ACLs).
Access Control Lists extend the standard UNIX® permission model in a highly compatible (POSIX®.1e) way. This feature permits an administrator to make use of and take advantage of a more sophisticated security model.
To enable ACL support for UFS file systems, the following:
options UFS_ACL
must be compiled into the kernel. If this option has not been compiled in, a warning message will be displayed when attempting to mount a file system supporting ACLs. This option is included in the GENERIC kernel. ACLs rely on extended attributes being enabled on the file system. Extended attributes are natively supported in the next generation UNIX file system, UFS2.
Note: A higher level of administrative overhead is required to configure extended attributes on UFS1 than on UFS2. The performance of extended attributes on UFS2 is also substantially higher. As a result, UFS2 is generally recommended in preference to UFS1 for use with access control lists.
ACLs are enabled by the mount-time administrative flag, acls, which may be added to /etc/fstab. The mount-time flag can also be automatically set in a persistent manner using tunefs(8) to modify a superblock -u), only by means of a complete and fresh . This means that ACLs cannot be enabled on the root file system after boot. It also means that you cannot change the disposition of a file system once it is in use.
Setting the superblock flag will cause the file system to always be mounted with ACLs enabled even if there is not an fstab entry or if the devices re-order. This prevents accidental mounting of the file system without ACLs enabled, which can result in ACLs being improperly enforced, and hence security problems.
Note: We may change the ACLs behavior to allow the flag to be enabled without a complete fresh , but we consider it desirable to discourage accidental mounting without
The file system utility. For instance, to view the utility. Observe:
% setfacl -k testThe -k flag will remove all of the currently defined ACLs from a file or file system. The more preferable method would be to use -b as it leaves the basic fields required for ACLs to work.
% setfacl -m u:trhodes:rwx,group:web:r--,o::--- testIn the aforementioned command, the -m option was used to modify the default ACL entries. Since there were no pre-defined entries, as they were removed by the previous command, this will restore the default options and assign the options listed. Take care to notice that if you add a user or group which does not exist on the system, an “Invalid argument” error will be printed to stdout.
Practice in FreeBSD 5.3
options UFS_ACL is configured in FreeBSD 5.3 GERNIC by default. But the ACLs function isn't enabled.
To see if the ACLs is enabled in your box, you can execute the follow command:
tunefs -p /
and the output like below:
tunefs: ACLs: (-a) disabled
tunefs: MAC multilabel: (-l) disabled
tunefs: soft updates: (-n) disabled
tunefs: maximum blocks per file in a cylinder group: (-e) 2048
tunefs: average file size: (-f) 16384
tunefs: average number of files in a directory: (-s) 64
tunefs: minimum percentage of free space: (-m) 8%
tunefs: optimization preference: (-o) time
tunefs: volume label: (-L)Notice at the green font, it means ACLs isn't enabled in your box. To enable it, you can unmount the particular file system or mount it as read only mode first. Then execute tunefs -a enable /filesystem. Or you can modify /etc/fstab to enable ACLs when start. An example like below.
# Device Mountpoint FStype Options Dump Pass#
/dev/ad0s1a / ufs rw,acls 2 2
Additionally, tunefs command enables ACLs perminantly.
My FreeBSD 5.3 only have one root (/) partition, so i cound not mount the file system by remount it and it isn't possible to use tunefs -a enable / command, when do the tunefs command, "tunefs: /dev/ad2s1a: failed to write superblock" will come out. And editing /etc/fstab is no use.
What i did to enable it is to reboot my box to single user mode, then run tunefs -a enable / to enable it. Now the output of tunefs -p / is:
tunefs: ACLs: (-a) enabled
tunefs: MAC multilabel: (-l) disabled
tunefs: soft updates: (-n) disabled
tunefs: maximum blocks per file in a cylinder group: (-e) 2048
tunefs: average file size: (-f) 16384
tunefs: average number of files in a directory: (-s) 64
tunefs: minimum percentage of free space: (-m) 8%
tunefs: optimization preference: (-o) time
tunefs: volume label: (-L)A test like this:
#setfacl -m u:myaccount:rwx /root/test
#getfacl /root/test
#file:test
#owner:0
#group:0
user::rw-
user:myaccount:rwx
group::r--
mask::rwx
other::r--Ok, it seems everything is in good situation :)
