Solaris to Linux ACL migration

When you are asked to migrate ACLs from Solaris to RedHat Linux, all you need is the list of directories and their permissions. You can use an Excel sheet to create a two-dimensional report. For example:
In the above table, admin and developer are groups. I mapped them to the directories and the permissions they have on each directory. This gives you a clear idea of what permission you should give to a particular user/group. It is good to generate the ACL report using a shell script, so that you avoid human errors. A simple for loop will do the trick. The command to get the ACL details in Solaris is:
# ls -Vd /tmp
This command will show you the ACL applied to the directory /tmp.
ACL in RedHat Linux
In RedHat, there are two types of ACL: access ACL and default ACL. Inheritance is implemented using the default ACL. For example, if you have a directory named /music and apply a default ACL of rwx on it for the admin group, then admin will have access to all newly created directories under it, say /music/pop. If the default ACL is not applied, the admin group won't get access to them. Before applying a default ACL, ask yourself: does this user/group need access to directories that will be created in the future? If yes, the default ACL is needed; if no, don't apply it.
In Solaris, we implement inheritance using the inheritance flags fdi. So for any directory in Solaris whose ACL entry carries fdi, apply a default ACL in RedHat.
Command to apply ACL in RedHat
In RedHat we use the setfacl command for ACLs. The option -m is for applying an ACL and the option -R is for applying it recursively. The recursive option is used if all the directories under the main directory have the same ACL. In the above table we can apply a recursive ACL for the admin group, as it has rwx on all the directories. So let's see the commands.
To apply ACL:
setfacl -m g:developer:rx /tmp
As the developer group doesn't have write permission, I haven't mentioned it. Do not put any spaces around the colons (:); spaces will cause an error. In the above command, g refers to group, developer is the name of the group, r is read and x is execute. For users, give the option u instead. So say a user named grisham needs rwx on /tmp/docs. Then,
setfacl -m u:grisham:rwx /tmp/docs
To apply ACL recursively:
setfacl -Rm g:admin:rwx /tmp
As admin has read, write and execute permission on all the directories, I applied it recursively. Most of the time, admins will be given recursive permission. Think twice before applying permission recursively.
To apply default ACL
We know that admins maintain all our directories: removing, adding and archiving files. So they need access to directories that will be created in the future. To do that,
setfacl -Rdm g:admin:rwx /tmp
Here the option -d refers to the default ACL; it is combined with -m, which applies the entry. Without the -R option, the ACL is applied only to the /tmp directory and not to the /tmp/docs directory.
To remove ACL for single group
There is a very good chance that you will apply an ACL to the wrong directory at some point. In RedHat we can remove the ACL for a particular user/group using the -x option.
setfacl -x g:groupname /directory
If you want to remove user, then
setfacl -x u:username /directory
You can also remove multiple groups at a time by,
setfacl -x g:group1,g:group2,g:group3 /directory
The recursive option can also be used with the above command.
Remove all ACL
RedHat also provides an option to remove all the ACLs. It is equivalent to a reset: all the ACLs will be removed. This is done using the option -b, with or without the recursive option. The command will be
setfacl -b /directory
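
The report step and the fdi-to-default-ACL rule described above can be scripted. The following is an added example, not part of the original post: it assumes the compact `ls -Vd` output layout of Solaris (indented `type:name:permissions:flags:allow|deny` entries under an unindented header line) and paths without spaces; the function names and the sample listing are constructed. Only the r, w and x letters are carried over, and deny entries are printed as comments for manual review because POSIX ACLs have no deny entries.

```shell
#!/bin/sh
# Added example. Reads Solaris `ls -Vd` compact ACL output on stdin and prints
# the setfacl commands to run on the RedHat side. Assumes paths without spaces.
solaris_to_setfacl() {
  awk '
    /^[^ \t]/ { path = $NF; next }   # unindented line = ls header, path is last
    {
      sub(/^[ \t]+/, "")
      # owner@/group@/everyone@ split into 4 fields; they map to mode bits.
      if (split($0, f, ":") != 5) next
      if (f[1] != "user" && f[1] != "group") next
      if (f[5] != "allow") {         # deny cannot be expressed in a POSIX ACL
        printf "# REVIEW %s %s:%s on %s: no POSIX ACL equivalent\n", f[5], f[1], f[2], path
        next
      }
      # Only the first three permission letters (r, w, x) carry over.
      who = substr(f[1], 1, 1) ":" f[2] ":" substr(f[3], 1, 3)
      # "i" (inherit only): the entry does not apply to the directory itself.
      if (substr(f[4], 3, 1) != "i") printf "setfacl -m %s %s\n", who, path
      # "fd": inherited by new files and directories, so add a default ACL.
      if (f[4] ~ /^fd/) printf "setfacl -d -m %s %s\n", who, path
    }'
}

# Constructed sample input, not taken from a real system.
sample_ls_V() {
  cat <<'EOF'
drwxr-xr-x+  4 root     root           4 Jan 10 09:00 /music
     group:admin:rwxpdDaARWcCos:fd-----:allow
 group:developer:r-x---a-R-c--s:-------:allow
    user:grisham:rwxpdDaARWcCos:fdi----:allow
      group:temp:-w-p----------:-------:deny
          owner@:rwxp-DaARWcCos:-------:allow
          group@:r-x---a-R-c--s:-------:allow
       everyone@:r-x---a-R-c--s:-------:allow
EOF
}

sample_ls_V | solaris_to_setfacl
```

Review the printed commands against the report before running them; on a real system the input would come from `ls -Vd` run in a loop over the directory list.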
Conclusion
You can do your entire task using the above set of commands. Migration will be easy if the permissions for each user/group and the directories are clearly accounted for. Feel free to post your question in the comment box below.