Tuesday, December 18, 2007

Part 1: How to work with Access Control Lists from the Command Line

The basic Linux permission model lets you specify permissions for the file's owner and group, and all others. This article assumes that you are familiar with the basic permissions, and know how to set them. The Access Control List (ACL) feature extends the model to allow much finer control: you can specify permissions for each individual user and group defined in your system.

Consider this scenario: your server supports multiple office departments: Sales, Marketing, and Helpdesk. Each department has a manager, and one or more staff members.

You define a group for each department that comprises its manager and staff members: sales-g, marketing-g, and helpdesk-g. Then you also define a managers-only group: managers-g.

It is normal for some departments to need to share files with one another, but not with every department. For instance, Sales needs to share a file with Marketing, but not with Helpdesk. To set that up using only the basic permissions, you have to define yet more groups: sales-marketing-g, sales-marketing-managers-g, and so on.

Alternatively, you can use an ACL to assign permissions to individual groups and users.

Before you can use ACLs, you must explicitly enable the feature on each partition where you want ACLs to be available.

As root, edit /etc/fstab. Find the partition on which you want ACLs enabled, and add the acl mount option:
/dev/mapper/star-home /home ext3  defaults,acl 0 2

Next, if the partition is already mounted, either reboot the system or, better yet, remount it dynamically:
mount -o remount,acl /home

Next, make sure that you have the two ACL utilities installed: getfacl and setfacl.

On a Debian system, install the utilities like this:
$ apt-get install acl

Note: eiciel is a GUI-based utility that can both get and set ACLs. It adds a new Access Control List tab to the Properties view in Nautilus. You can also run eiciel on its own, and edit the ACL of any file or directory.

Now, you are ready to tackle ACL.

Let's start simple: you have a file /home/peter/targets.txt that you want to share with sales-g, marketing-g, and a user named george.
$ cd /home/peter; ls -l
total 64
-rw-r--r-- 1 peter peter 60097 2007-12-08 10:55 targets.txt

Use setfacl -m to modify the Access Control List of the file.
$ setfacl -m group:sales-g:rw-   targets.txt

The group:sales-g:rw- parameter specifies read and write permissions (rw-) for the group sales-g.

To grant read/write permissions to the Marketing department and to the user george as well:
$ setfacl -m group:marketing-g:rw-,user:george:rw- targets.txt
$ ls -l
total 68
-rw-rw-r--+ 1 peter peter 60097 2007-12-08 10:55 targets.txt

Note that ls -l does not display the actual ACL of a file. It only tells you that an ACL is defined for that file: a plus character (+) is displayed to the right of the permissions.

To examine the actual ACL, run getfacl.

$ getfacl targets.txt
# file: targets.txt
# owner: peter
# group: peter
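The ls -l output above shows the group triad changing from r-- to rw- once the ACL is in place: with an ACL present, that triad displays the ACL mask, the upper bound on what named users and named groups can actually get, rather than the owning group's own entry. A plain chmod g-w on the file therefore lowers the mask and silently caps every named entry. The following script, added here as an example and not part of the original post, parses getfacl output (including the #effective annotations getfacl prints when the mask caps an entry), applies the mask the way the kernel does, and answers "can this user do X?" with the POSIX ACL lookup order (owner, named user, owning and named groups, other). The two getfacl texts are constructed samples of what getfacl would print for targets.txt after the setfacl commands above, and again after a chmod g-w; the user names bob and alice are assumptions.

```python
"""Parse getfacl(1) output and compute the permissions actually in force."""
from dataclasses import dataclass, field

# Constructed sample: getfacl targets.txt after the two setfacl commands.
SAMPLE_AFTER_SETFACL = """\
# file: targets.txt
# owner: peter
# group: peter
user::rw-
user:george:rw-
group::r--
group:sales-g:rw-
group:marketing-g:rw-
mask::rw-
other::r--
"""

# Constructed sample: the same file after 'chmod g-w targets.txt'. chmod rewrote
# the mask, and getfacl flags every entry the mask now caps with '#effective:'.
SAMPLE_AFTER_CHMOD = """\
# file: targets.txt
# owner: peter
# group: peter
user::rw-
user:george:rw-\t\t#effective:r--
group::r--
group:sales-g:rw-\t\t#effective:r--
group:marketing-g:rw-\t\t#effective:r--
mask::r--
other::r--
"""


@dataclass
class Acl:
    owner: str
    group: str
    entries: list = field(default_factory=list)  # (tag, qualifier, perms) tuples


def parse_getfacl(text):
    """Turn getfacl text into an Acl. Entry lines look like 'group:sales-g:rw-'."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Header lines: '# file: ...', '# owner: ...', '# group: ...'
            key, _, value = line[1:].strip().partition(":")
            if key == "owner":
                owner = value.strip()
            elif key == "group":
                group = value.strip()
            continue
        # Drop a trailing '#effective:...' annotation; we recompute it ourselves.
        tag, qualifier, perms = line.split("#")[0].strip().split(":")
        entries.append((tag, qualifier, perms))
    return Acl(owner, group, entries)


def _intersect(perms, mask):
    """Bitwise AND of two 'rwx' strings, position by position."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))


def effective_perms(acl):
    """Map 'tag:qualifier' to the permissions really granted by that entry.

    The mask caps named users, the owning group and named groups. It never
    touches the owner entry, the 'other' entry, or the mask entry itself.
    """
    mask = next((p for t, q, p in acl.entries if t == "mask"), None)
    eff = {}
    for tag, qual, perms in acl.entries:
        capped = tag == "group" or (tag == "user" and qual != "")
        eff[f"{tag}:{qual}"] = _intersect(perms, mask) if (mask and capped) else perms
    return eff


def has_access(acl, user, groups, want):
    """POSIX ACL check: does `user` (a member of `groups`) get every bit in `want`?"""
    eff = effective_perms(acl)

    def grants(perms):
        return all(bit in perms for bit in want)

    if user == acl.owner:                      # 1. file owner
        return grants(eff["user:"])
    if f"user:{user}" in eff:                  # 2. named user entry
        return grants(eff[f"user:{user}"])
    matching = []                              # 3. owning group + named groups
    if acl.group in groups:
        matching.append(eff["group:"])
    matching += [eff[f"group:{g}"] for g in groups if f"group:{g}" in eff]
    if matching:                               # any matching group entry may grant
        return any(grants(p) for p in matching)
    return grants(eff["other:"])               # 4. everyone else


if __name__ == "__main__":
    for label, text in (("after setfacl", SAMPLE_AFTER_SETFACL),
                        ("after chmod g-w", SAMPLE_AFTER_CHMOD)):
        acl = parse_getfacl(text)
        print(f"{label}: {effective_perms(acl)}")
        print("  bob (sales-g) can write:", has_access(acl, "bob", ["sales-g"], "w"))
```

Run it with no arguments to see the effective permissions for both states; the second run shows sales-g, marketing-g and george all dropping to read-only even though their ACL entries still say rw-. To restore them, raise the mask again with setfacl -m mask::rw- (or chmod g+w) rather than re-adding the entries.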

Part 2 of this article describes how to define an ACL for a directory. As you would expect, you can specify the read/write/execute permissions for any group or user on a directory. In addition, you can specify the DEFAULT permissions for any FILE created under that directory.


Anonymous said...

Good Article...

Simple and Clear..


Unknown said...

Very clear! Even though I am not a good command writer, I can still easily get into your points. Thank you for sharing with us regarding the command line for the Access Control System.