ACLs Learn to love them
|
Author | Content |
---|---|
dinotrac Jul 19, 2009 10:59 PM EDT |
I did a small project for a financial services company that used ACLs over the summer, and it is remarkable the number of odd group hacks and just plain mess they will let you avoid. They can be especially useful in environments where security concerns lead you to avoid group permissions. |
herzeleid Jul 19, 2009 11:16 PM EDT |
I recently had some requirements for an ftp site that for the first time, presented a problem that I could not satisfy using the traditional unix ugo permissions and ownership. I had to do a crash course on acls in order to do the needful. You can do an awful lot with unix permissions, and that's all I normally use, because I don't want the performance hit of EAs on the filesystems - but there are some scenarios where acls are needed on a particular filesystem, and it's good to have that tool available. |
Sander_Marechal Jul 20, 2009 4:17 AM EDT |
I have a problem that I cannot get to work using standard Linux UGO policies. Do any of you know if it's possible with ACL? Basically, my girlfield and me both have our own account. And we have a shared directory where we put stuff in that we both need. Example: /home/sander /home/girlfriend /home/shared I want anything put under /home/shared to always be readable and writable by the both of us. I have tried every imaginable combination of users, groups, permissions, umasks and sticky bits but I could not make it work reliably. My current workaround is to host /home/shared on my server and mount it using NFS with the all_squash option to overwrite UGO with the server settings. Can ACL do this in a smarter way? |
gus3 Jul 20, 2009 8:07 AM EDT |
@Sander: That sounds like an ideal application for groups. 1. Create a new group for you and your GF ("girl-field"? that's a new one by me ;-), add each of you to it. 2. Make sure the existing files in the shared directory belong to that group. 3. Set the group sticky bit for the shared directory and all directories below it. Any new files and directories created will retain the group ID. As for your own files, here's where it gets interesting (and historical, as possibly the oldest Unix permissions hack): 1. Create two new groups, one for "not Sander" and one for "not Sander's GF". 2. Put yourself in the "not Sander's GF" group, and put your GF in the "not Sander" group. 3. Set the group ID's of your GF's home directory to "not Sander," then set the group ID of your home directory to "not Sander's GF." Something along the lines of: $ chgrp notsander /home/girlfriend 4. Strip all group permissions from that directory: $ chmod g-rwx /home/girlfriend And there you go. She, as "girlfriend," can enter the directory she owns, but you, as a member of "notgirlfriend," can do nothing. No ACL's needed. Note: This becomes impossible for more than two users. Granting/blocking permissions for more than one user or group makes ACL use a requirement. NOTE: My morning caffeine intake is still a work-in-progress; errors above should be judged accordingly. |
Sander_Marechal Jul 20, 2009 8:33 AM EDT |
Quoting:"girl-field"? that's a new one by me Yeah. I don't like to objectify my girlfriend so she's just an attribute I can reference ;-) Your technique seems sound, but how does it behave under file copies? That's the main thing I have been struggling with. Most of the time when we want to share something then it is some existing document or directory that we simply move from out home directory to /home/shared. If I recall correctly then the sticky bit will be uneffective because the copied/moved files retain the same permissions as the original (which is usually readable but not writable by the other). Quoting:Note: This becomes impossible for more than two users. Granting/blocking permissions for more than one user or group makes ACL use a requirement. How would you do this using ACL? |
dinotrac Jul 20, 2009 11:12 AM EDT |
Sander - setfacl -m user:girfriend:rwx /home/shared setfacl -m user:sander:rwx /home/shared Each of you now have full owner's permissions to /home/shared if I remember correctly I might not remember correclty, however!!! ;0) Edit: A two user example tends not to show the power of ACL's, because you can use groups for much of the same effect. As you get more users and more combinations of permissions that you want to allow or disallow, groups can get messy AND the groups can get mighty damned illogicial, because you're spawning them for access purposes and not for any logical grouping of users. Ugh. |
gus3 Jul 20, 2009 12:21 PM EDT |
$ cat /home/sander/file > /home/shared/file or $ cp --no-preserve /home/sander/file /home/shared/file But not for "mv" due to internal mechanisms that must be consistent between intra- and inter-volume movement. |
krisum Jul 20, 2009 2:18 PM EDT |
Sander, In addition to what dino said, you will need to set the default ACLs (which will act like sticky flag) as below: setfacl -m d:u:girlfriend:rwx -m d:u:sander:rwx /home/shared (d: sets the default ACL) setfacl -m u:girlfriend:rwx -m u:sander:rwx /home/shared Use -R to apply recursively. Now every new file/directory that is created in /home/shared will inherit those permissions and normal cp will also work fine. However, this will not work for "mv", "cp -a" etc that will override these and preserve source file/directory permissions. |
krisum Jul 20, 2009 2:33 PM EDT |
Quoting: How would you do this using ACL?For granting users/groups access just add them to the ACL with required permissions. To disallow permissions to some users/groups add them to the ACL with no permissions (e.g. setfacl -m u:user1:- ). edit: For ext* systems, it is possible to set acl as default mount option using tune2fs -o acl. XFS has it by default I think. Those looking for a GUI can try eiciel that works both standalone and integrated with nautilus. I seem to recall that konqueror has builtin support since 3.5. |
Sander_Marechal Jul 20, 2009 4:39 PM EDT |
Thanks all. |
Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]
Becoming a member of LXer is easy and free. Join Us!