Question for Unix gurus - password less sftp and ACLs Sun Solaris

(OP)
This question is for all Unix gurus out there.

I know that for passwordless sftp to work, the home directory should have go-w, e.g.:
/user/home/europa
drwx--x--x   7 europa   saturn         512 Mar 12 10:30 .

This is a SUN Solaris machine 5.10:
I want to use ACLs to allow another user, mars, who is not part of group saturn, to be able to RWX in directory /user/home/europa/mars_can_write

Say, if I do something like this:

setfacl -m user:mars:r-x /user/home/europa
setfacl -m user:mars:rwx /user/home/europa/mars_can_write
setfacl -m m:rwx /user/home/europa/mars_can_write

Will creating an ACL entry for /user/home/europa cause any issue with the current permissions for /user/home/europa, which are ideally set for passwordless sftp, i.e. group and others do not have permission to W, as shown below:

drwx--x--x   7 europa   saturn         512 Mar 12 10:30 .

I did this and passwordless sftp stopped working between servers, i.e. it started to ask for a password when invoking sftp from one machine to another. Public key and authorized keys are set up perfectly between servers.

Thanks,

Al  
RE: Question for Unix gurus - password less sftp and ACLs Sun Solaris

I tried this on my Solaris 10 system and making the changes you described did not break passwordless sftp.  Are you sure that's what did it?  Have you tried removing the ACLs again, and does that restore sftp access?

Also, what type of filesystem is this on, ufs?

Annihilannic
tgmlify - code syntax highlighting for your tek-tips posts

RE: Question for Unix gurus - password less sftp and ACLs Sun Solaris

(OP)
Annihilannic,

You are absolutely correct. ACLs had nothing to do with breaking sftp. It was because the public keys were not in sync between machines.

I must say ACLs give a lot of flexibility over standard Unix UGO file permissions.

Do we have something similar on the Linux side, or is this just implemented within Sun Solaris?

Al
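Added example, not code from the thread: a small POSIX sh pre-flight check for the two things this thread turned on, the go-w rule for the home directory cited in the opening post and the out-of-sync public keys the OP found to be the real cause. The paths and key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). sshd's StrictModes refuses key
# authentication when the home directory, ~/.ssh or authorized_keys is
# writable by group or others, which is why the thread insists on "go-w".
# ACL entries added with setfacl do not change these bits, so the check
# below stays valid after the OP's setfacl commands.

# Return 0 if a path's group and other write bits are both clear. Parses the
# 10-char mode string from `ls -ld`, which has the same layout on Solaris 10
# and Linux (a trailing "+" marking an ACL is outside the 10 chars).
not_group_or_other_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # char 6 = group w, char 9 = other w
    esac
    return 0
}

# Return 0 if every path sshd inspects for key auth is safe: the home
# directory, ~/.ssh and ~/.ssh/authorized_keys (missing ones are skipped).
home_ok_for_key_auth() {
    home=$1
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        not_group_or_other_writable "$p" || { echo "unsafe mode on $p" >&2; return 1; }
    done
    return 0
}

# Return 0 if the public key in file $1 ("type base64 [comment]" format) is
# present in the authorized_keys file $2. Compares type + key material only,
# so a different comment or a leading options field (e.g. command="...")
# does not hide a match; a miss here is the "keys out of sync" case.
key_in_authorized_keys() {
    pub=$1; auth=$2
    ktype=$(awk 'NF>=2 {print $1; exit}' "$pub")
    kdata=$(awk 'NF>=2 {print $2; exit}' "$pub")
    [ -n "$ktype" ] && [ -n "$kdata" ] || return 1
    awk -v t="$ktype" -v k="$kdata" '
        { for (i = 1; i < NF; i++) if ($i == t && $(i+1) == k) found = 1 }
        END { exit !found }' "$auth"
}
```

Run the two checks on the target host as the receiving user (here europa) before blaming ACLs: `home_ok_for_key_auth /user/home/europa` and `key_in_authorized_keys /path/to/sender/id.pub /user/home/europa/.ssh/authorized_keys`.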

 

RE: Question for Unix gurus - password less sftp and ACLs Sun Solaris

ACLs are great.  I especially like the "default" one which allows you to set default ownership and permissions for files created in a directory.  The only caveat is that they are not supported everywhere, nor by all OS utilities (e.g. tar).

Regarding Linux, yes, but it depends on kernel and filesystem support.  Also I seem to recall the ACL syntax differed slightly, but I haven't played with them much recently.

You can see which filesystems support it in this table:

http://en.wikipedia.org/wiki/Comparison_of_file_systems#Metadata

Note also the footnote regarding ext2/3/4, etc.  

Annihilannic

RE: Question for Unix gurus - password less sftp and ACLs Sun Solaris

(OP)
Annihilannic,

That is very interesting that utilities like tar do not support ACLs. I wonder if the Java deployment utility jar supports ACLs?

I am going to try installing a Java application as a user that is set up for RWX using ACLs:

jar -xvf mars.war

Al

RE: Question for Unix gurus - password less sftp and ACLs Sun Solaris

I'd say it's unlikely to support them.  You may need to prepare a post-installation script to set them up.

Annihilannic
