Product SiteDocumentation Site

4.2. Exercises

4.2.1. Exercise 1 – ACLs and EA Interface

We create an access ACL on a file, and look at how its value is stored in an EA and what the EA for it looks like on the disk. A posix access ACL on a file is a set of access permissions on a file, like the standard unix permissions, but gives a finer grain of control on who gets these permissions. As the point of this lab is about XFS EAs and not about ACLs, we will just create a simple ACL with user, group, other permissions and the mask entry.
The setfacl(1) and getfacl(1) commands are standard commands which were implemented by Andreas Gruenbacher and the chacl(1) command came originally from IRIX.
  1. create filesystem and ACL's
    # cd /
    # mkdir $SCRATCH_MNT
    # mkfs.xfs -f $SCRATCH_DEV
    # mount $SCRATCH_DEV $SCRATCH_MNT
    
    # cd $SCRATCH_MNT
    # echo data1 > file1
    # echo data2 > file2
    # setfacl -m u::rw,g::rw-,o::r--,m::rwx file1
    # chacl u::r--,g::---,o::---,m::rwx file2
    
    # getfacl file2
    # chacl -l file1
    
  2. List the extended attributes on the file:
    # getfattr -d file1
    
  3. This won't show much as we didn't specify the “user” namespace. This will show two extended attributes:
    # getfattr -e hex -dm '.*' file1
    
    One for the "system" namespace and one for the "trusted" namespace.
  4. However, when we run the "attr" command, it only shows 1 EA which is what we'd expect since we only created one ACL on the file.
    # attr -Rl file1
    # attr -Rqg SGI_ACL_FILE file1 >ea_value
    # od -x ea_value
    
    The reason why getfattr shows 2 EAs is because the system.posix_acl_access is an EA XFS provides as an interface into the system and ACL routines, however, the trusted.SGI_ACL_FILE EA is the only one actually stored on the disk and is the same as would be stored on an IRIX XFS filesystem. The internal namespace for this XFS EA is actually "root" which is stored as a bit in the flags field (it doesn't actually store the namespace as a string in XFS).
    In our case, we have 4 entries: u::rwx g::rw- o::r-- m::rwx
  5. An XFS ACL is of the form:
    <acl_count: int32>  <entry> <entry> <entry> ...
    
    where:
    <entry> = <tag: int32> <id: int32> <perm: uint16>
    
    and
    <tag> = USER_OBJ, GROUP_OBJ, OTHER
    <id> = user id or group id if given one
    <perm> = normal unix permissions like rwx
    
    You can now try to match up a few of the fields of the SGI_ACL_FILE EA contents with the format of an ACL given above; you can see, for example, that there are 4 entries for the acl_count which are at the start of the EA value.
  6. Identify the permissions from the od (octal) dump