Indiana University Computer Science
CSG FAQ

Q: How do I use Unix Access Control Lists (ACLs)?

This document contains information about using Access Control Lists to control access to files and directories on the CS Linux/UNIX systems. You may also want to see the Unix File Permissions FAQ entry to get further information about basic file and directory permissions under Unix.

ACL Introduction

Under Solaris and Linux you can use what are called Access Control Lists, or ACLs. The ACL functionality gives a user the ability to, among other things, grant file permissions on a user-by-user basis. So, for example, you can create a file that is readable by joeuser and janeuser but only writable by janeuser. ACLs provide a much higher degree of control over permissions than standard Unix groups. In addition, they are completely under the control of the owner of the file. You don't need the system administrator to create and maintain groups for you.

Basic Commands and Operations

The two main commands you will use to manipulate ACLs are setfacl and getfacl. For example, if I have a file named hello.c, I can set the ACL to only allow the owner of the file to read and write the file with:
	setfacl -s user::rw-,group::---,mask:rw-,other:--- hello.c
In this example, the owner gets read/write permissions (rw-) while the group and world (or other) get no permissions (---). I can then grant read-only access to user shei with:
	setfacl -m user:shei:r-- hello.c
and read-write access to user schisham with:
	setfacl -m user:schisham:rw- hello.c
After setting the ACL on the file, note that ls shows a + after the normal permission list:
	% ls -l hello.c
	-rw-rw----+   1 robh     staff           0 Sep  3 10:07 hello.c
The + signifies that there is an ACL set for the file. You can then use getfacl to display the ACL for the file:
	% getfacl hello.c

	user::rw-
	user:shei:r--           #effective:r--
	user:schisham:rw-               #effective:rw-
	group::rw-              #effective:rw-
	mask:rw-
	other:---
The ACL shows that user shei has read access and user schisham has read/write access. Once you have an ACL set on one file, you can duplicate this ACL for other files by creating an ACL file and using this to set the ACL of other files:
	% getfacl hello.c > ACLfile
	% setfacl -f ACLfile goodbye.c
You can do the same thing without actually creating the ACLfile using:
	getfacl hello.c | setfacl -f - goodbye.c

ACLs on Directories

You can set ACLs on directories as well as on files. ACLs on directories introduce a new concept called the default ACL for the directory. This default ACL is used to set the ACL for all files that are created within the directory. To do this, you specify the default ACL as follows:
	setfacl -s user::rwx,group::---,mask:rwx,other:---,default:user::rw-,default:group::---,default:mask:rwx,default:other:--- SomeDirectory
which gives only the owner read/write/execute (rwx) permission on the directory and, through the default entries, read/write (rw-) permission on files created in the directory. You can then give user shei read and execute permission on the directory:
	setfacl -m user:shei:r-x SomeDirectory
and read access to all files created in the directory:
	setfacl -m default:user:shei:r-- SomeDirectory
You probably also want to give yourself read access to files created in the directory so that you can access files other users create:
	setfacl -m default:user:robh:r-- SomeDirectory

A Cookbook Example

This section describes the procedure for using ACLs to share files in a group project directory. The example assumes that multiple people will be editing a common source file and building an executable from this file.

First, make the shared directory:
	% mkdir GroupProject
Then, set up the basic ACL for the directory:
	% setfacl -m user::rwx,group::---,mask:rwx,other:---,default:user::rwx,default:group::---,default:mask:rwx,default:other:--- GroupProject
Give user juser write permission on the directory:
	% setfacl -m user:juser:rwx GroupProject
Give user juser and yourself read/write permission on files created in the directory:
	% setfacl -m default:user:juser:rwx GroupProject
	% setfacl -m default:user:robh:rwx GroupProject
Note that you would replace "robh" with your username. Then, cd to the directory and create a file we need to share:
	% cd GroupProject
	% vi hello.c
We see that juser has read and write access to this file:
	% getfacl hello.c

	user::rw-
	user:juser:rwx         #effective:rw-
	group::---              #effective:---
	mask:rw-
	other:---
We then create an executable named hello from hello.c:
	% make hello
	cc -o hello hello.c
	%
We then check the ACL for the hello executable:
	% getfacl hello

	user::rwx
	user:juser:rwx         #effective:rwx
	group::---              #effective:---
	mask:rwx
	other:---
You see that, as with the other file we created, user juser has write permission. So, juser could then come and edit the hello.c file and rebuild the hello executable.
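The "#effective:" column in the getfacl listings above (user:juser:rwx showing #effective:rw- under mask:rw-) is the mask ANDed with the entry. The following is an added Python example, not part of this FAQ, that parses Solaris-style getfacl output and recomputes those effective permissions, including for default entries, which are capped by default:mask rather than mask. The sample ACL text is constructed from the cookbook's hello.c listing plus invented default entries.

```python
# Constructed sample: the cookbook's getfacl output for hello.c, extended with
# invented default entries to show that those are capped by default:mask instead.
SAMPLE_ACL = """\
user::rw-
user:juser:rwx          #effective:rw-
group::---              #effective:---
mask:rw-
other:---
default:user::rwx
default:user:juser:rwx
default:group::---
default:mask:r-x
"""

def parse_acl(text):
    """Parse Solaris-style getfacl output into (is_default, tag, qualifier, perms);
    any '#effective:...' comment is dropped and recomputed by effective()."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        parts = line.split(":")
        if len(parts) == 3:      # user:NAME:perms, user::perms, group:NAME:perms, group::perms
            tag, qual, perms = parts
        elif len(parts) == 2:    # mask:perms, other:perms
            tag, qual, perms = parts[0], "", parts[1]
        else:
            raise ValueError("malformed ACL entry: %r" % raw)
        if tag not in ("user", "group", "mask", "other") or len(perms) != 3:
            raise ValueError("malformed ACL entry: %r" % raw)
        entries.append((is_default, tag, qual, perms))
    return entries

def effective(entries):
    """Map each label ('user:' is the owner, 'user:juser', 'group:', 'mask', ...) to its
    effective permissions: named users, named groups and the owning group are ANDed
    with the mask of their class; owner, mask and other entries are never masked."""
    masks = {d: p for d, t, q, p in entries if t == "mask"}
    out = {}
    for is_default, tag, qual, perms in entries:
        label = ("default:" if is_default else "") + (tag + ":" + qual if tag in ("user", "group") else tag)
        masked = tag == "group" or (tag == "user" and qual != "")
        mask = masks.get(is_default, "rwx")   # no mask entry at all: nothing is restricted
        out[label] = "".join(p if p == m else "-" for p, m in zip(perms, mask)) if masked else perms
    return out
```

Feeding it real output (getfacl hello.c) shows at a glance which named-user grants are silently reduced by the mask, which is the usual reason a user who appears in the ACL still cannot write a file.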

Backup Notes

It should be noted that the system backups we are doing do not capture ACL information. So, if a file or files have to be restored from backups, the ACL information will have to be manually reconstructed. For this reason, it would be wise for users to keep track of any ACLs they create. One way to do this is to run getfacl and save the output to a file. This file can also be used to create other ACLs using 'setfacl -f'.

Emacs and Disk Quota Notes

Also note that there are implications related to disk quotas. For example, if user1 grants write access for a directory to user2, then any files that user2 creates in that directory fall within the quota constraints for user2 on that partition. If user1 and user2 are on different disk partitions, then user2 will have a zero quota on that partition and will not be able to create files. There are two workarounds for this problem. First, you can request that home directories be moved to a single partition. Second, if user1 creates a file, then user2 can edit the file as long as the ownership doesn't change. Some editors, such as emacs, save by writing a new file rather than updating the existing one in place; the new file is owned by the editing user, so the write fails under that user's zero quota. In emacs, you can add the following to your .emacs file to prevent emacs from rewriting files:
	(setq backup-by-copying t)

Other Sources of Information

Probably the best source of additional information is the man pages for setfacl and getfacl. There is a section on Securing Files in the Sun Answerbook that gives more information. There is also a SunWorld Online article about ACLs that you may find useful.
