LinuxQuestions.org


nirvaanr 11-02-2019 06:01 PM

Unable to set ACLs on sulog file - need to grant read permission to a normal user on AIX 6.1
 
Hi,

I need to grant read permission to a normal user on sulog file on AIX 6.1.

As root, I did "acledit sulog" and "aclget" shows "extended permissions" as "enabled" and normal user "splunk" has read permissions.

When I try to access sulog file as "splunk" user it won't allow and "aclget" for splunk user shows "extended permissions" as "disabled".

I also tried to remount /var with "acl" option, it throws "Invalid mount option".

Please advise, thanks!!

Code:

splunk@TESTAIX61(/var/adm)#  uname -a
AIX TESTAIX61 1 6 00CACC954C00
splunk@TESTAIX61(/var/adm)#  oslevel -s
6100-09-12-1838
splunk@TESTAIX61(/var/adm)#
root@TESTAIX61(/var/adm)#  acledit sulog
Should the modified ACL be applied? (yes) or (no) yes
root@TESTAIX61(/var/adm)#  aclget sulog
*
* ACL_type  AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    enabled
    permit  r-x    u:splunk
root@TESTAIX61(/var/adm)#  su - splunk
splunk@TESTAIX61(/home/splunk)#  tail /var/adm/sulog
/var/adm/sulog: Permission denied
splunk@TESTAIX61(/home/splunk)#  id
uid=228(splunk) gid=206(splunk) groups=1(staff)
splunk@TESTAIX61(/home/splunk)#  cd /var/adm
splunk@TESTAIX61(/var/adm)#  aclget sulog
*
* ACL_type  AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    disabled
    permit  r-x    u:splunk
splunk@TESTAIX61(/var/adm)#


TB0ne 11-03-2019 08:15 AM

Quote:

Originally Posted by nirvaanr (Post 6053407)
Hi,
I need to grant read permission to a normal user on sulog file on AIX 6.1.

As root, I did "acledit sulog" and "aclget" shows "extended permissions" as "enabled" and normal user "splunk" has read permissions. When I try to access sulog file as "splunk" user it won't allow and "aclget" for splunk user shows "extended permissions" as "disabled". I also tried to remount /var with "acl" option, it throws "Invalid mount option".

Please advise, thanks!!

What are the standard ("ls -l") permissions on that file? Did you try to enable the ACL for the splunk group for read/execute permission as well?

Code:

permit    rw-    g:splunk

It looks like that file is rw for root only. If the group ACL doesn't work, just changing permissions to 604 (rw----r--) will allow read-only access on that file, and read/write for only root.

nirvaanr 11-03-2019 06:59 PM

The standard permissions are 600 for sulog file.

Tried with group ACL as well but did not work (same behaviour)

setting read permissions for group/others is not an option.

Thanks!

TB0ne 11-04-2019 07:06 AM

Quote:

Originally Posted by nirvaanr (Post 6053772)
The standard permissions are 600 for sulog file.

Right.

Quote:

Tried with group ACL as well but did not work (same behaviour)

Odd, since that should work (even without the group), but you are using a *VERY* old version of AIX. Have you looked into the aclput command?
http://public.dhe.ibm.com/systems/po...xcmds1_pdf.pdf

Quote:

setting read permissions for group/others is not an option.

Why is that?? And again, we have NO IDEA what your restrictions are unless you tell us.

NevemTeve 11-12-2019 03:27 AM

If it were me, I'd start with testfiles, e.g.:
Code:

$ touch acl_testfile
$ aclget acl_testfile >acl_testfile.acl
$ cp acl_testfile.acl acl_testfile.orig_acl
$ edit acl_testfile.acl
$ aclput -i acl_testfile.acl acl_testfile
$ cat acl_testfile.orig_acl
*
* ACL_type  AIXC
*
attributes:
base permissions
    owner(projects):  rw-
    group(devel):  rw-
    others:  r--
extended permissions
    disabled
$ cat acl_testfile.acl
*
* ACL_type  AIXC
*
attributes:
base permissions
    owner(projects):  rw-
    group(devel):  rw-
    others:  r--
extended permissions
    enabled
        permit    rw-    u:zsiga

So I've added an extra 'rw' right to user 'zsiga'

Edit: if the problem is specific to this 'sulog' file, then it might be intentional, e.g. every run of program 'su' disables ACL on this file.
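
An added example, not part of any post in this thread: a small parser for the AIXC text that aclget prints, which computes the access a user ends up with and shows that the "permit" entry only counts while the "extended permissions" line reads "enabled". It is simplified to "permit" entries (no "deny" or "specify"); the function names are hypothetical and the sample text is the listing from the first post.

```python
import re

# Sample input: the aclget listing from the first post, as seen by root.
ACL_AS_ROOT = """\
*
* ACL_type  AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    enabled
    permit  r-x    u:splunk
"""
# The listing seen by splunk differs only in the enabled/disabled line.
ACL_AS_SPLUNK = ACL_AS_ROOT.replace("    enabled", "    disabled")

def parse_aixc(text):
    """Parse aclget AIXC output into base modes, the enabled flag and permit entries."""
    acl = {"base": {}, "enabled": False, "permits": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(owner|group)\((\S+)\):\s+([rwx-]{3})$", line)
        if m:
            acl["base"][m.group(1)] = (m.group(2), m.group(3))
        elif line.startswith("others:"):
            acl["base"]["others"] = (None, line.split()[1])
        elif line in ("enabled", "disabled"):
            acl["enabled"] = line == "enabled"
        elif line.startswith("permit"):
            _, mode, who = line.split(None, 2)
            acl["permits"].append((mode, [w.strip() for w in who.split(",")]))
    return acl

def effective_mode(acl, user, groups):
    """Base permissions for the caller's class, plus matching permits if enabled."""
    owner, owner_mode = acl["base"]["owner"]
    group, group_mode = acl["base"]["group"]
    if user == owner:
        bits = set(owner_mode)
    elif group in groups:
        bits = set(group_mode)
    else:
        bits = set(acl["base"]["others"][1])
    if acl["enabled"]:  # when disabled, extended entries are ignored
        ids = {"u:" + user} | {"g:" + g for g in groups}
        for mode, who in acl["permits"]:
            if all(w in ids for w in who):  # every listed id must match
                bits |= set(mode)
    return "".join(c if c in bits else "-" for c in "rwx")
```

With the groups from the `id` output in the first post (`splunk`, `staff`), the first listing yields `r-x` for splunk and the second yields `---`, which is consistent with the "Permission denied" shown there.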


All times are GMT -5.