[rsbac] ACLs / acl_grant Problem

Amon Ott ao at rsbac.org
Mon Jan 16 08:42:42 CET 2006


On Monday 16 January 2006 01:59, jochem_ippers at email.de wrote:
> when I try to change an acl nothing seems to happen; for example
> (existing file and existing user) when I do:
> 
> acl_grant -v -k -u jochem LOCK FD /tmp/hallo
> Revoke rights: 00000000010000000000000000000000000000000000000000000000000
> for USER 1001
> Processing FD '/tmp/hallo'
> 
> nothing changes (same with the -m option), LOCK right is still
> there:
> 
> acl_rights -u jochem FILE /tmp/hallo
> acl_rights: User 1001
> /tmp/hallo       00000000010000000000001110100000011011010010111111110110100
> 
> I compiled rsbac version 1.2.5.1 (rsbac-admin-tools 1.2.5.1) for
> kernel 2.6.14. I tried different compile combinations; at the moment I
> am trying a kernel with ACL as the only security module.

The rights this user has are inherited from the rights the group 0 
(everyone) has to :DEFAULT:, going down to this file via / and /tmp 
and through the file's inheritance mask. In Netware speech, :DEFAULT: 
would be the container which contains the whole filesystem.

To reduce these rights, you must set explicit rights for all users and 
groups that shall have access, and then change the inheritance mask 
with acl_mask.

acl_grant changes the acl at the file itself - if there is no entry 
for the user, revoking with -k will change nothing. acl_tlist can 
show you all acl entries for this file.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
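The inheritance behaviour Amon describes, as an added illustration that is neither RSBAC code nor part of this thread: a small Python model in which each object holds its own ACL entries plus an inheritance mask, and a subject's effective rights are the object's own entries unioned with the parent's effective rights filtered through the mask, from :DEFAULT: down through / and /tmp to the file. The object names, the user id 1001, group 0 as "everyone" and the LOCK right come from the mail; the four-right vocabulary, the subject naming and the exact evaluation order are assumptions of this model, not RSBAC's real rule set.

```python
# Added illustration (not RSBAC code): a simplified model of how ACL rights
# reach a file through inheritance, as described in Amon's reply.
# Assumptions: a constructed four-right vocabulary, subjects named
# "user:<uid>" / "group:<gid>", and the evaluation order shown below.
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

ALL_RIGHTS = frozenset({"READ", "WRITE", "EXECUTE", "LOCK"})  # constructed subset
EVERYONE = "group:0"      # group 0 = everyone, per the mail
DEFAULT = ":DEFAULT:"     # container holding the whole filesystem
JOCHEM = ("user:1001", EVERYONE)  # subjects a request by user 1001 matches


@dataclass
class AclObject:
    parent: Optional[str]
    entries: Dict[str, Set[str]] = field(default_factory=dict)  # subject -> rights
    mask: Set[str] = field(default_factory=lambda: set(ALL_RIGHTS))  # inheritable rights


def effective_rights(tree: Dict[str, AclObject], name: str, subjects: Iterable[str]) -> frozenset:
    """Own entries at the object, plus whatever the parent grants that the mask lets through."""
    obj = tree[name]
    own: Set[str] = set()
    for subject in subjects:
        own |= obj.entries.get(subject, set())
    if obj.parent is None:          # :DEFAULT: has no parent: nothing more to inherit
        return frozenset(own)
    inherited = effective_rights(tree, obj.parent, subjects) & obj.mask
    return frozenset(own | inherited)


def acl_revoke(tree: Dict[str, AclObject], name: str, subject: str, rights: Iterable[str]) -> bool:
    """Model of `acl_grant -k`: edits only the entry at the object itself.
    Returns False when no entry exists for the subject, so nothing changes."""
    obj = tree[name]
    if subject not in obj.entries:
        return False
    before = set(obj.entries[subject])
    obj.entries[subject] -= set(rights)
    return obj.entries[subject] != before


def acl_set_mask(tree: Dict[str, AclObject], name: str, rights: Iterable[str]) -> None:
    """Model of acl_mask: only rights listed in the mask are inherited from the parent."""
    tree[name].mask = set(rights)


def build_example_tree() -> Dict[str, AclObject]:
    # Constructed state: everyone has full rights at :DEFAULT:, masks wide open everywhere.
    return {
        DEFAULT: AclObject(parent=None, entries={EVERYONE: set(ALL_RIGHTS)}),
        "/": AclObject(parent=DEFAULT),
        "/tmp": AclObject(parent="/"),
        "/tmp/hallo": AclObject(parent="/tmp"),
    }


def scenario() -> dict:
    """Replays the thread: a revoke at the file does nothing, the explicit entry plus mask does."""
    tree = build_example_tree()
    before = effective_rights(tree, "/tmp/hallo", JOCHEM)
    changed = acl_revoke(tree, "/tmp/hallo", "user:1001", ["LOCK"])
    after_revoke = effective_rights(tree, "/tmp/hallo", JOCHEM)
    # The fix from the reply: explicit rights for the user who should have access,
    # then an inheritance mask that stops the group-0 rights flowing down.
    tree["/tmp/hallo"].entries["user:1001"] = {"READ", "WRITE"}
    acl_set_mask(tree, "/tmp/hallo", set())
    after_fix = effective_rights(tree, "/tmp/hallo", JOCHEM)
    return {
        "before": before,
        "revoke_changed_anything": changed,
        "after_revoke": after_revoke,
        "after_fix": after_fix,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {sorted(value) if isinstance(value, frozenset) else value}")
```

With an empty mask the file gets only its own entries, which is the "explicit rights for everyone who needs access" approach from the reply; a mask listing some rights would let just those rights through from /tmp while still blocking LOCK.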

