Advanced Server (AS/U) implements NT-style file system permissions, which
are not part of the HP-UX file system. This is done through an Access
Control List (ACL) database. Each time a file or directory is opened, the ACL
database must be queried to determine whether the user or group making the
request has permission to perform the operation. If too many ACLs are
created, the ACL database grows to an excessive size and AS/U performance
may be impacted.

An ACL is not required for each directory or file. If an ACL is not
present, permissions are inherited from the parent directory. By default,
an ACL is created for each new directory, but not for new files. An ACL
has one or more Access Control Entries (ACEs), each of which specifies the
permissions that a particular user or group has to that directory or file.

As ACL entries are created, the ACL database file
(/var/opt/asu/lanman/datafiles/acl) is automatically extended from its
initial size; the ACL file does not automatically contract as ACL/ACE
entries are deleted. Since limiting the physical size of the ACL file is
important for good performance, every effort should be made to minimize
the number of ACL/ACEs used.
Here are some steps you can take to avoid creating unnecessary ACL/ACEs:

- Use inherited access control entries rather than explicit access
  control entries whenever possible. Permissions are passed down from
  parent directories to child directories and to the files in the child
  directories, so only one set of ACEs is required at the root directory.

- Put users with the same permissions in the same group and give
  permission to the group as a whole rather than to individual users. In
  this way, one ACE for the group can replace the many ACEs that would be
  necessary for individual users.

- Set both the ForceDirectoryAcl and ForceFileAcl registry values to off
  using the regconfig command on the server or the regedt32 utility on
  the client. When these values are off, newly created directories and
  files get their permissions through inheritance and no new ACLs are
  created. If you later move a directory or file, ACLs will be created to
  ensure the permissions stay the same as they were before the move.
  Setting these registry values to off does not change effective
  permissions.

- Avoid using Replace Permissions on Existing Files and Replace
  Permissions on Subdirectories in the Security/Directory permissions tab
  of Explorer. These options may create unnecessary ACLs, so use them only
  when they are needed and worthwhile.

- Restrict the Change Permissions permission to administrative users who
  understand the ACL concepts. Educated users will be less likely to
  create unnecessary ACLs.
If the ACL database file is already too large, use the acladm utility to
identify and eliminate unnecessary ACL/ACE entries:

- Use the acladm -E option to list all file paths with ACL entries so
  that redundant or obsolete ACLs can be deleted using the
  net perms /revoke ASU command.

- Use the acladm -P (prune) option to eliminate ACLs that refer to files
  or directories that have been removed by UNIX users.

- Use the acladm -S (squeeze) option to combine related ACEs into a
  single ACE.

- Use the acladm -U (unknown) option to remove ACEs that refer to deleted
  or unknown AS/U users.

Removing ACL/ACEs will not reduce the size of the ACL data file; however,
the entries are freed so that new ACL/ACEs can be added without growing
the physical size of the file.

After all unnecessary ACL/ACE entries have been removed, use the blobadm
utility to physically shrink the ACL database file: blobadm -qA. The
server must be stopped in order to use this option.
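The cleanup sequence above as a POSIX shell maintenance script, added here as an example and not part of the HP documentation. It uses only the acladm and blobadm options named on this page; the DRY_RUN switch, the helper names and the server stop/start placeholders are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the HP documentation: wraps the acladm/blobadm
# cleanup sequence. Assumptions: the AS/U commands are on PATH, DRY_RUN
# (default on) only prints what would run, and stopping/starting the
# server is a site-specific procedure shown as placeholders.
ACL_DB=/var/opt/asu/lanman/datafiles/acl
DRY_RUN=${DRY_RUN:-1}

# Print a command and execute it only when DRY_RUN=0.
run_cmd() {
    echo "+ $*"
    [ "$DRY_RUN" = "0" ] && "$@"
    return 0
}

# Size of the ACL database file in bytes (0 when it does not exist).
acl_db_size() {
    if [ -f "$ACL_DB" ]; then wc -c < "$ACL_DB" | tr -d ' '; else echo 0; fi
}

# Ordered cleanup steps from the page: prune ACLs of removed files,
# squeeze related ACEs, drop ACEs for deleted or unknown users.
acl_cleanup_steps() {
    printf '%s\n' "acladm -P" "acladm -S" "acladm -U"
}

# Free unneeded ACL/ACE entries. The file does not shrink at this stage;
# freed entries are only reused by later ACL/ACE creation.
acl_cleanup() {
    run_cmd acladm -E        # list paths carrying ACLs for manual review
    acl_cleanup_steps | while read -r step; do
        run_cmd $step
    done
}

# Physically shrink the ACL file. blobadm -qA must run with the server
# stopped, so the call is refused unless the caller confirms that.
acl_shrink() {
    [ "$1" = "--server-stopped" ] || { echo "refusing: stop the server first" >&2; return 1; }
    before=$(acl_db_size)
    run_cmd blobadm -qA
    echo "ACL database size: $before -> $(acl_db_size) bytes"
}

acl_cleanup
# STOP_SERVER_PLACEHOLDER: stop the AS/U server with the site procedure, then:
acl_shrink --server-stopped
# START_SERVER_PLACEHOLDER: restart the AS/U server.
```

Run with DRY_RUN=0 to execute the commands instead of printing them.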