1

Is it possible to have filesystem permission ACLs (or similar) in OpenBSD? I'm trying to make a folder where one group has read-write access while a different group has read-only access. I don't want to give world read access, and I don't want to limit write access to a single user, so both need to be controlled by group permissions.

Edit: It has been suggested that OpenBSD may not have ACLs at all. Which is fine. The question remains: How can I, or is it even possible, set folder permissions in OpenBSD such that one group has write access, a different group has read-only access, while the world has no access?

ibrewster
  • Does OpenBSD even have ACLs? Last I heard, they were dead set against adding them. Along with [many other things](http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/) that might make it a reasonably secure operating system. – Michael Hampton Mar 03 '14 at 21:49
  • @MichaelHampton That's kind of what I'm asking here... – ibrewster Mar 03 '14 at 21:52
  • The point is, if you decided on OpenBSD because of the whole "security" hype, you almost certainly chose the wrong OS. – Michael Hampton Mar 03 '14 at 21:54
  • @MichaelHampton Ah, I see. Thank you for your opinion. However, that has nothing to do with what I am asking here, which is quite simply how I can (if it is even possible) assign different permissions to a folder based on group membership. – ibrewster Mar 03 '14 at 22:00
  • @MichaelHampton, you're wrong. How does not having the latest knobs and bells and whistles make OpenBSD less secure? Complexity is what makes most systems exploitable and insecure. ACL is not a security feature, but ASLR definitely is. – cnst Mar 05 '14 at 17:25

1 Answer

2

You can't.

Here's an example of how you can figure it out with Super User's BSD Cross Reference.

You can start with the open() function, which is a system call, so, it's defined with a sys_ prefix in the kernel. Search for sys_open. You'll find it at http://bxr.su/OpenBSD/sys/kern/vfs_syscalls.c#sys_open.

If you follow sys_open() long enough, you'll find that there's http://bxr.su/OpenBSD/sys/kern/vfs_vops.c#VOP_ACCESS.

In VOP_ACCESS(), you'll see that each filesystem has its own *_access function to check the permissions, which is a pointer stored in v_op->vop_access.

Searching for vop_access references, you can find all the individual access functions of the filesystems. For UFS, it's http://bxr.su/OpenBSD/sys/ufs/ufs/ufs_vnops.c#ufs_access.

In ufs_access(), you can see that it calls back into the shared filesystem-independent code to verify the permissions — http://bxr.su/OpenBSD/sys/kern/vfs_subr.c#vaccess.

With vaccess(), you can see for yourself how permissions are verified.

What you want to do is not possible in OpenBSD, because it doesn't have ACLs.

As a workaround, you could share a user/group, and implement your ACL policy through sudo and some custom-made scripts.

cnst
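The owner/group/other decision that vaccess() makes, as a simplified userspace model added here (it is not the OpenBSD kernel source and not part of the original answer). The struct, the function names and the user and group IDs are constructed for illustration; the code tries every mode and owning group to show that the asker's policy only fits when the one writer is the file's owner.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

enum { WANT_W = 2, WANT_R = 4 };     /* bit layout of one rwx triplet */
enum { GID_WRITERS = 1001, GID_READERS = 1002, GID_USERS = 1003 };
/* Hypothetical stand-in for the kernel's struct ucred. */
struct cred { uid_t uid; gid_t groups[4]; size_t ngroups; };
/* Constructed users: alice is in "writers", bob in "readers", eve in neither. */
static const struct cred alice = { 2001, { GID_USERS, GID_WRITERS }, 2 };
static const struct cred bob   = { 2002, { GID_USERS, GID_READERS }, 2 };
static const struct cred eve   = { 2003, { GID_USERS }, 1 };

static int in_group(gid_t gid, const struct cred *c)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return 1;
    return 0;
}

/* Exactly one triplet is consulted: owner, else group, else other. */
int model_access(mode_t mode, uid_t owner, gid_t group, int want,
    const struct cred *c)
{
    int shift = 0;                       /* "other" bits by default */
    if (c->uid == 0) return 0;           /* simplified root bypass */
    if (c->uid == owner) shift = 6;
    else if (in_group(group, c)) shift = 3;
    return (((mode >> shift) & 7) & want) == want ? 0 : EACCES;
}

/* Count (mode, group) settings: writers rw, readers r only, others no read. */
int count_matching_settings(uid_t owner)
{
    static const gid_t cand[] = { GID_WRITERS, GID_READERS, GID_USERS };
    int hits = 0;
    for (size_t g = 0; g < 3; g++)
        for (mode_t m = 0; m <= 0777; m++)
            if (model_access(m, owner, cand[g], WANT_R | WANT_W, &alice) == 0 &&
                model_access(m, owner, cand[g], WANT_R, &bob) == 0 &&
                model_access(m, owner, cand[g], WANT_W, &bob) != 0 &&
                model_access(m, owner, cand[g], WANT_R, &eve) != 0)
                hits++;
    return hits;
}

int main(void)
{
    printf("unrelated owner: %d settings, alice as owner: %d settings\n",
        count_matching_settings(1000), count_matching_settings(alice.uid));
    return 0;
}
```

With an unrelated owner no setting satisfies the policy; it only works when the single writer owns the file, which is the restriction the question wanted to avoid.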