ctaclfck Command

Purpose

Verifies the contents of a cluster security services ACL file.

Syntax

ctaclfck -f acl_file_name [-s] [-c] [-u user_name] [-v] [-h]

Description

The ctaclfck command checks the contents of the cluster security services ACL file specified by the -f flag. The check is limited to syntactical errors; a semantic check is not performed.

The command opens the ACL file, and reads and compiles one ACL entry at a time. If the command encounters an error, it will report the error to standard output. If the -c flag is provided, the command will continue processing after encountering errors until it reaches the end of the file. Otherwise processing will stop after the first error is found and reported.

The -u flag directs the command to verify the ACL file contents owned by the specified operating system user identity. The command user must have permission to change to the home directory of the user specified by the -u flag, and must also have permission to read files in that directory. If the -s flag is specified along with the -u flag, the command user must also have permission to set its effective user identity to this identity (see the man page for the operating system command su for examples).

When the -u flag is specified, the file name provided in the -f flag is expected to be the base name of a file that resides in the home directory of the named user. In this case, the file name specified by the -f flag must not contain any directory names, including the ./ and ../ directories.

If the -s flag is specified, the command creates a file to contain the compiled contents of the ACL file. This permits applications to compile the ACL data buffer in advance to starting the application that uses it, saving the application this processing during its startup procedure or its ACL reading process. The compiled ACL file will have the same name as the ACL file with the extension .cacl. The ownership and file system permissions of the new *.cacl file will be set to the same ownership and permissions as the ACL file. If the ACL file is not currently owned by the command user, the command user must be capable of changing its effective user identity to the identity of the user that owns the ACL file. If the command is unable to do this, it will not create the ACL buffer file, but will complete verification of the ACL file.

The command checks for the correct ACL entry type, for the proper identity format, and for a valid permission. A valid permission is defined as one containing only operations that are defined by the permission template. The permission template set defined by cluster security services and used by this command follows.
Entry Type  
r
Format
0x1
Permission
read
Operation
generic read operation
w
Format
0x2
Permission
write
Operation
generic write operation
c
Format
0x4
Permission
control
Operation
generic control operation / RMC refresh configuration operation
x
Format
0x8
Permission
run
Operation
generic execute operation
C
Format
0x10
Permission
cancel
Operation
generic cancel operation
q
Format
0x20
Permission
query
Operation
RMC query resource operation
l
Format
0x40
Permission
list
Operation
RMC enumerated resources operation
e
Format
0x80
Permission
event
Operation
RMC event registration / unregistration / querying
d
Format
0x100
Permission
define
Operation
RMC define / undefine resource operation
v
Format
0x200
Permission
validate
Operation
RMC validate resource handle operation
s
Format
0x400
Permission
set
Operation
RMC set attribute operation

If the -u flag is specified, the command searches for the ACL file in the home directory of the specified user. The user must own the file and the permission must be write-only by the user. When the -u flag is specified, the ACL file name specified by the -f flag must not contain a relative or full path to the file; it must specify the file name only.

Flags

-f acl_file_name
Specifies the cluster security services ACL file to be verified. The file name can be a full or relative path name, unless the -u flag is specified.
-s
Caches the ACL buffer (that resulted from the compilation of the ACL file) into a file. If the ACL file is not owned by the command user, the command user must be able to set its effective user identity to the owner of the ACL file.
-c
Instructs the command to continue after encountering errors until the end of file is reached. All errors encountered will be reported regardless of whether or not the -v flag is specified. If not specified, command processing will stop after the first error is encountered and reported.
-u user_name
Specifies the user name in whose home directory the ACL file resides. When this flag is used, the file name specified by the -f flag must be the base name of a file that resides in the named user's home directory; the file cannot contain any directory information, including the ./ and ../ directory names.
-v
Writes the command's verbose messages to standard output.
-h
Writes the command's usage statement to standard output.

Security

The file system permission of the ACL file is determined by the end user or the application owning the file. If the invoker does not have sufficient authority to read the file or to create the requested compiled ACL file with the same ownership, the command fails.

Restrictions

The ctaclfck command works only on ACL files formatted for cluster security services.

Examples

  1. To verify the contents of the ACL file /my_acl_file:
    ctaclfck -f /my_acl_file
  2. To verify the contents of the ACL file ../my_acl_file (relative to the current directory) and provide detailed output:
    ctaclfck -f ../my_acl_file -v
  3. To completely verify the contents of the ACL file /u/fluffy/my_acl_file, which is owned by the operating system user fluffy, and store the compiled ACL buffer into a file for later use:
    ctaclfck -c -u fluffy -f  my_acl_file  -v -s

Location

/usr/sbin/rsct/bin/ctaclfck
Contains the ctaclfck command