Question for Unix gurus - password less sftp and ACLs Sun Solaris


AlStl

MIS
Oct 2, 2006
83
US
This question is for all Unix gurus out there.

I know that for passwordless sftp to work, the home directory should have go-w, e.g.:
/user/home/europa
drwx--x--x 7 europa saturn 512 Mar 12 10:30 .

This is a SUN Solaris machine 5.10:
I want to use ACLs to allow another user, mars, that is not part of group saturn to be able to RWX in directory: /user/home/europa/mars_can_write

Say, if I do something like this:

setfacl -m user:mars:r-x /user/home/europa
setfacl -m user:mars:rwx /user/home/europa/mars_can_write
setfacl -m m:rwx /user/home/europa/mars_can_write

Will creating an ACL entry for /user/home/europa cause any issue with the current permissions for /user/home/europa, which are ideally set for passwordless sftp, i.e. group and others do not have permission to W, as shown below:

drwx--x--x 7 europa saturn 512 Mar 12 10:30 .


I did this and passwordless sftp stopped working between servers, i.e. it started to ask for a password when invoking sftp from one machine to another. Public key and authorized keys are set up perfectly between servers.

Thanks,

Al


 
I tried this on my Solaris 10 system and making the changes you described did not break passwordless sftp. Are you sure that's what did it? Have you tried removing the ACLs again, and does that restore sftp access?

Also, what type of filesystem is this on, ufs?

Annihilannic
tgmlify - code syntax highlighting for your tek-tips posts
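Added example, not written by either poster: a quick way to rule the permission side in or out when key-based sftp falls back to a password prompt. With StrictModes enabled, OpenSSH's sshd ignores authorized_keys if the home directory, ~/.ssh or the key file is writable by group or others; the function names are hypothetical and the default ~/.ssh/authorized_keys location is assumed.

```shell
#!/bin/sh
# Added example: report group/other write bits on the paths sshd's
# StrictModes inspects. The mode is read from `ls -ldL` so the check also
# works on systems without a stat(1) command. Ownership is not checked here.

# perm_string PATH -> prints the ls permission field, e.g. drwx--x--x
# (a trailing "+" means an ACL is set on the path).
perm_string() {
    ls -ldL "$1" 2>/dev/null | awk '{print $1}'
}

# go_writable PATH -> exit 0 if group or other has the write bit set.
go_writable() {
    perms=$(perm_string "$1")
    [ -n "$perms" ] || return 2
    g=$(printf '%s' "$perms" | cut -c6)   # group write position
    o=$(printf '%s' "$perms" | cut -c9)   # other write position
    [ "$g" = "w" ] || [ "$o" = "w" ]
}

# check_key_path HOME_DIR -> one line per path; exit 1 if anything is
# missing or group/other-writable, exit 0 otherwise.
check_key_path() {
    home=$1
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            bad=1
        elif go_writable "$p"; then
            echo "WRITABLE $(perm_string "$p") $p"
            bad=1
        else
            echo "OK       $(perm_string "$p") $p"
        fi
    done
    return $bad
}

# Stand-alone use: sh check.sh /user/home/europa
if [ -n "${1:-}" ]; then
    check_key_path "$1"
fi
```

If every line reads OK, the mode bits are not what is forcing the password prompt, and the keys themselves are the next thing to compare.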
 
Annihilannic,

You are absolutely correct. ACLs had nothing to do with the breaking of sftp. It was because the public keys were not in sync between machines.

I must say ACLs give a lot of flexibility over standard Unix UGO file permissions.

Do we have something similar on the Linux side, or is this just implemented within Sun Solaris?

Al

 
ACLs are great. I especially like the "default" one which allows you to set default ownership and permissions for files created in a directory. The only caveat is that they are not supported everywhere, nor by all OS utilities (e.g. tar).

Regarding Linux, yes, but it depends on kernel and filesystem support. Also I seem to recall the ACL syntax differed slightly, but I haven't played with them much recently.

You can see which filesystems support it in this table:


Note also the footnote regarding ext2/3/4, etc.

Annihilannic
 
Annihilannic,

It is very interesting that utilities like tar do not support ACLs. I wonder if the Java deployment utility jar supports ACLs?

I am going to try installing a Java application as a user that is set up to RWX using ACLs:

jar -xvf mars.war

Al
 
I'd say it's unlikely to support them. You may need to prepare a post-installation script to set them up.

Annihilannic
 