Managing Systems and Workgroups: A Guide for HP-UX System Administrators
Administering a System: Managing System Security
Managing Access to Files and Directories
Chapter 8 771
ACLs in a Network Environment
ACLs are not visible on remote files by Network File System (NFS),
although their control over access permissions remains effective.
Individual manpage entries specify the behavior of the various system
calls, library calls, and commands under these circumstances. Use
caution when transferring a file with optional entries over a network, or
when manipulating a remote file, because optional entries are deleted
with no indication.
Setting Default Permissions
The default umask setting in a standard system is octal 000. This should
be changed to u=rwx,g=rx,o=rx (or octal 022). This means that all
directories created will have a default permission mode of 755, granting
access of drwxr-xr-x. All files created will have the default permission
mode of 644, granting access of -rw-r--r--. See umask (1).
Protecting Directories
If a directory is writable in a category (either through standard
permissions or ACLs), anyone in that category can remove its files,
regardless of the permissions on the files themselves. There are two ways
to protect against unwanted deletions:
• Remove write permissions for categories that should not have them.
This is particularly effective for users’ private directories. The
command
chmod 755 mydir
allows others to read and search the mydir directory but only the
owner can delete files from it.
• Set the sticky bit on the directory. This allows only the owner of the
file, the owner of the directory, and the superuser to delete the file.
This is effective for temporary or project directories (such as /tmp
and /var/tmp) that must be accessible to many authorized users.
The command
chmod a+rwxt /mfgproj
allows anyone to create, read, and write files in /mfgproj, but only
the file owner, the directory owner, or root can delete files.