sonia hamilton - life on the digital bikepath - sonia@snowfrog.net

22 October 2007

Linux ACLs

Filed under: Linux — Sonia @ 5:13 am

Linux ACLs (Access Control Lists) can be a bit difficult at first - here’s my understanding of how they work:

Commands:

  • There are only two commands needed - getfacl and setfacl - which display and change ACLs respectively

Files:

When you do a getfacl on a file, you’ll get this sort of entry:

$ ls -al index.html
-rw-rw-r--+ 1 root siteadm 0 Nov 30 2005 index.html

$ getfacl --all-effective index.html
# file: index.html
# owner: root
# group: siteadm
user::rw-
user:apache:rw- #effective:rw-
group::r-- #effective:r--
mask::rw-
other::r--

  • Notice the + at the end of the ls -al entry - indicating that ACLs are present - and the use of the --all-effective option with getfacl, which shows what each entry works out to after the mask is applied
  • The first and last entries always correspond to the normal user/owner and other file permissions, eg here user/owner has read/write and other has read:

  • user::rw- -> rw- (the user/owner triplet of the ls output)
    other::r-- -> r-- (the other triplet of the ls output)

  • For applications that do understand ACLs, permissions are exactly as listed in the middle bunch of entries, masked by the mask entry, ie the user apache will get rw- and the group (siteadm in this case) will get r--:

  • user:apache:rw-
    group::r--
    mask::rw-

  • For applications that don’t understand ACLs, permissions correspond to the mask, ie rw-, to ensure that non-ACL-aware applications keep working. Notice how the ls -al output displays the mask entry in the group area:

  • -rw-rw-r--+ 1 root siteadm 0 Nov 30 2005 index.html
    mask::rw-

To change ACLs you use the setfacl command, which is pretty straightforward. For example:

$ setfacl -m u:apache:rw- foo.txt
$ setfacl -m user:jan:rwx,group:mysql:rwx bar.txt

Directories:

Acls need to be considered for directories themselves (eg can user fred delete a particular directory?) and for all objects underneath a directory.

  • for directories themselves, setting and getting acls is just the same as for files
  • for all objects underneath a directory, you have to consider the “Default ACL” - a special kind of ACL that defines the access permissions of all new objects created under a folder. Note - it doesn’t affect existing objects!
  • setfacl uses the -d flag to create default acl entries
  • the same rules apply for all default entries as they do for normal entries: ie the first and last (user and other) entries are directly used, the middle bunch of entries interact with the mask, etc, etc.
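To make the mask rule from the Files section concrete, here is an added example (my own Python, not part of the original post) that parses getfacl output, reproduces the #effective: column that --all-effective prints, and rebuilds the mode string ls shows; the getfacl text it works on is constructed to match the index.html entry above, and it also accepts the default: entries that setfacl -d creates.

```python
# Constructed getfacl output, matching the index.html entry shown in the post.
GETFACL_OUTPUT = """\
# file: index.html
# owner: root
# group: siteadm
user::rw-
user:apache:rw-
group::r--
mask::rw-
other::r--
"""


def parse_acl(text):
    """Split getfacl output into access and default entries of (tag, qualifier, perms)."""
    acl = {"access": [], "default": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop '# file:' headers and '#effective:' notes
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):      # entries written with setfacl -d
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        acl[scope].append((tag, qualifier, perms))
    return acl


def apply_mask(perms, mask):
    """Keep a bit only when both the entry and the mask grant it (what the kernel does)."""
    return "".join(p if p == m and p != "-" else "-" for p, m in zip(perms, mask))


def effective_entries(entries):
    """Mirror getfacl --all-effective: owner, other and the mask itself are used as-is;
    named users, named groups and the owning group are ANDed with the mask."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    result = []
    for tag, qualifier, perms in entries:
        masked = mask is not None and (qualifier != "" or tag == "group")
        result.append((tag, qualifier, perms, apply_mask(perms, mask) if masked else perms))
    return result


def ls_mode(entries):
    """The nine mode characters ls prints: owner, then the mask (if any) in the group
    slot, then other, with a trailing '+' when the ACL has extended entries."""
    perms = {(t, q): p for t, q, p in entries}
    group = perms.get(("mask", ""), perms[("group", "")])
    extended = any(q != "" or t == "mask" for t, q, _ in entries)
    return perms[("user", "")] + group + perms[("other", "")] + ("+" if extended else "")
```

Tightening the mask to r-- (setfacl -m m::r-- on the file) is what turns apache's rw- into an effective r-- without touching the apache entry itself, which apply_mask reproduces.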


Blog at WordPress.com.