Advanced Server (AS/U) implements NT style file system permissions
which are not part of the HP-UX file system. This is done through
an Access Control List (ACL) database. For every file or directory
open, the ACL database must be queried to determine if the user/group
making the request has permission to perform the operation. If
too many ACLs are created, the ACL database grows to an excessive
size and AS/U performance may be impacted.

An ACL is not required for each directory or file. If an ACL
is not present, permissions are inherited from the parent directory.
By default, an ACL is created for each new directory, but not for
new files. An ACL has one or more Access Control Entries (ACE)
each of which specifies the permissions that a particular user or
group has to that directory or file.

As ACL entries are created, the ACL database file (/var/opt/asu/lanman/datafiles/acl)
is automatically extended from its initial size; the ACL file does
not automatically contract as ACL/ACE entries are deleted. Since
limiting the physical size of the ACL file is important for good
performance, every effort should be made to minimize the number
of ACL/ACEs used.

Here are some steps you can take to avoid creating unnecessary
ACL/ACEs:

Use inherited access control entries rather than explicit access
control entries whenever possible. Permissions are passed down from
parent directories to child directories and to the files in the
child directories, so only one set of ACEs is required at the root
directory.

Put users with the same permissions in the same group and give
permission to the group as a whole rather than to individual users.
In this way, one ACE for the group can replace the many ACEs that
would be necessary for individual users.

Set both the ForceDirectoryAcl and ForceFileAcl registry values to
off using the regconfig command on the server or the regedt32
utility on the client. When you set these values to off, newly
created directories and files get their permissions through
inheritance and no new ACLs are created. If you later move a
directory or file, ACLs will be created to ensure the permissions
stay the same as they were before the file or directory was moved.
Setting the registry values to off therefore does not change
effective permissions.

Avoid using the Replace Permissions on Existing Files and Replace
Permissions on Subdirectories options in the Security/Directory
Permissions tab of Explorer. These options may create unnecessary
ACLs, so use them only when they are needed and worthwhile.

Restrict the Change Permissions permission to administrative users
who understand the ACL concepts. Educated users will be less likely
to create unnecessary ACLs.
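The following is an added example, not AS/U code, that models the inheritance lookup and the ACL-creation behaviour described above so the effect of the recommendations can be seen in numbers. The ACL database is a dict from path to a list of (trustee, permissions) ACEs; a path with no entry of its own takes the nearest ancestor's ACL. The paths, trustee names and permission names are constructed, and the handling of ForceDirectoryAcl/ForceFileAcl and of moves is modelled from the text rather than taken from the product.

```python
"""Toy model of AS/U-style ACL inheritance (added example; not AS/U code).

The ACL database is a dict mapping a path to its explicit ACL, a list of
(trustee, permissions) ACEs. A path with no entry of its own takes the ACL of
its nearest ancestor, which is the lookup the page describes. The paths,
trustees and permission names below are constructed for illustration; the
registry-value and move behaviour is modelled from the page's description.
"""
import posixpath


def sample_db():
    """Constructed database: only /share and /share/proj carry explicit ACLs."""
    return {
        "/share": [("group:everyone", {"read"})],
        "/share/proj": [("group:eng", {"read", "write"}),
                        ("user:alice", {"read", "write", "change"})],
    }


def nearest_acl(db, path):
    """Walk up from path until an explicit ACL is found (inheritance).
    Returns (owner_path, acl); ("", []) when nothing applies."""
    while True:
        if path in db:
            return path, db[path]
        if path == "/":
            return "", []
        path = posixpath.dirname(path)


def effective_permissions(db, path, user, groups):
    """Union of the permissions of every ACE naming the user or one of its groups."""
    _, acl = nearest_acl(db, path)
    trustees = {"user:" + user} | {"group:" + g for g in groups}
    perms = set()
    for trustee, granted in acl:
        if trustee in trustees:
            perms |= granted
    return perms


def create(db, path, force_acl):
    """Create a new file or directory.

    force_acl models ForceDirectoryAcl / ForceFileAcl: when on, the new object
    gets a copy of the inherited ACL as its own explicit entry; when off,
    nothing is written and the object keeps inheriting at lookup time.
    """
    if force_acl:
        _, acl = nearest_acl(db, posixpath.dirname(path))
        db[path] = [(t, set(p)) for t, p in acl]


def move(db, src, dst):
    """Move a single object. One that relied on inheritance gets an explicit
    ACL at the destination so its effective permissions do not change."""
    if src in db:
        db[dst] = db.pop(src)
    else:
        _, acl = nearest_acl(db, src)
        db[dst] = [(t, set(p)) for t, p in acl]


def ace_count(db):
    """Total number of ACEs stored, the figure the page wants kept small."""
    return sum(len(acl) for acl in db.values())


if __name__ == "__main__":
    db = sample_db()
    print(effective_permissions(db, "/share/proj/a.txt", "bob", ["eng"]))
    create(db, "/share/proj/docs", force_acl=False)   # no new ACL
    create(db, "/share/proj/build", force_acl=True)   # copies two ACEs
    print(ace_count(db))
    move(db, "/share/proj/a.txt", "/share/a.txt")     # pins an ACL at the new location
    print(effective_permissions(db, "/share/a.txt", "bob", ["eng"]))
```

Running the script shows that a file created with the force value off adds nothing to the database, that the same file created with it on duplicates the parent's ACEs, and that moving an inheriting file out from under /share/proj creates an explicit ACL so the mover's effective rights are preserved, which is exactly why the page recommends turning the force values off and moving objects sparingly.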
If the ACL database file is already too large, use the acladm
utility to identify and eliminate unnecessary ACL/ACE entries:

Use the acladm -E option to list all file paths with ACL entries
so that redundant or obsolete ACLs can be deleted using the
net perms /revoke ASU command.

Use the acladm -P (prune) option to eliminate ACLs that refer to
files or directories that have been removed by UNIX users.

Use the acladm -S (squeeze) option to combine related ACEs into a
single ACE.

Use the acladm -U (unknown) option to remove ACEs that refer to
deleted or unknown AS/U users.

Removing ACL/ACEs will not reduce the ACL data file size; however,
entries are freed so that new ACL/ACEs can be added without growing
the physical size of the file.
After all unnecessary ACL/ACE entries have been removed, use the
blobadm utility (blobadm -qA) to physically shrink the ACL database
file. The server must be stopped in order to use this option.
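As an added example, not AS/U code, the following models the maintenance cycle above (prune, unknown, squeeze, then an offline compaction) on a slot-based database so the page's point shows in the numbers: freeing entries does not shrink the file, new entries reuse the freed slots, and only compaction makes the file smaller. The paths, trustees and list of surviving files are constructed, and what each acladm option does is a simplified reading of the text; in particular, squeeze is modelled as merging ACEs that name the same trustee on the same path.

```python
"""Toy model of the acladm / blobadm maintenance cycle (added example; not AS/U code).

The database is a list of slots, so the page's point shows up in the numbers:
freeing entries does not shrink the file, new entries reuse freed slots, and
only compaction (the blobadm -qA step) makes the file smaller. Paths, trustees
and the list of surviving files are constructed; prune, unknown and squeeze are
a simplified reading of what the page says each acladm option does.
"""


class AclDatabase:
    def __init__(self):
        # each slot is (path, trustee, frozenset(perms)), or None once freed
        self.slots = []

    def add(self, path, trustee, perms):
        """Reuse a freed slot when one exists; otherwise extend the file."""
        entry = (path, trustee, frozenset(perms))
        for i, slot in enumerate(self.slots):
            if slot is None:
                self.slots[i] = entry
                return
        self.slots.append(entry)

    def file_size(self):
        """Physical size: freed slots still occupy space."""
        return len(self.slots)

    def live_entries(self):
        return [s for s in self.slots if s is not None]

    def _free_where(self, keep):
        removed = 0
        for i, slot in enumerate(self.slots):
            if slot is not None and not keep(slot):
                self.slots[i] = None
                removed += 1
        return removed

    def prune(self, existing_paths):
        """acladm -P analogue: free ACEs whose file or directory no longer exists."""
        return self._free_where(lambda s: s[0] in existing_paths)

    def remove_unknown(self, known_trustees):
        """acladm -U analogue: free ACEs naming a deleted or unknown trustee."""
        return self._free_where(lambda s: s[1] in known_trustees)

    def squeeze(self):
        """acladm -S analogue, modelled as: merge ACEs that name the same
        trustee on the same path into one ACE holding the union of rights."""
        first_slot = {}
        removed = 0
        for i, slot in enumerate(self.slots):
            if slot is None:
                continue
            path, trustee, perms = slot
            key = (path, trustee)
            if key in first_slot:
                j = first_slot[key]
                self.slots[j] = (path, trustee, self.slots[j][2] | perms)
                self.slots[i] = None
                removed += 1
            else:
                first_slot[key] = i
        return removed

    def compact(self):
        """blobadm -qA analogue: rewrite the file without freed slots
        (done offline, with the server stopped)."""
        self.slots = self.live_entries()
        return len(self.slots)


def maintenance_demo():
    """Run the page's sequence on constructed data and report the sizes seen."""
    db = AclDatabase()
    db.add("/share/proj", "group:eng", {"read", "write"})
    db.add("/share/proj", "user:alice", {"read"})
    db.add("/share/proj", "user:alice", {"write"})            # same trustee twice: squeeze target
    db.add("/share/old", "group:eng", {"read"})                # directory since removed: prune target
    db.add("/share/proj/report.doc", "user:carol", {"read"})  # user since deleted: unknown target
    report = {"size_before": db.file_size()}
    report["freed"] = (db.prune({"/share/proj", "/share/proj/report.doc"})
                       + db.remove_unknown({"group:eng", "user:alice"})
                       + db.squeeze())
    report["size_after_acladm"] = db.file_size()      # unchanged: slots only freed
    db.add("/share/proj/new", "group:eng", {"read"})  # lands in a freed slot
    report["size_after_add"] = db.file_size()         # still unchanged
    report["size_after_blobadm"] = db.compact()       # now actually smaller
    return report


if __name__ == "__main__":
    print(maintenance_demo())
```

The order matters for the same reason the page lists the steps in that order: prune and unknown first remove whole entries, squeeze then merges what is left, and only after that is the offline compaction worth the server downtime.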