Saturday, January 19, 2008

Part 2: How to work with Access Control Lists from the Command Line

Part 1 of this article introduced Access Control Lists (ACL), explained how to enable ACL on file systems, and define the ACL for files. Part 2 of this 2-part article shows how to define the Access Control List for directories, and how to remove the ACL.

Often, you want to share files among certain groups and specific users. It is a good practice to designate a directory for that purpose. You want to allow those groups and users to read, and write files in that directory, as well as create new files into the directory.

Let's first create the directory named projections.
$ mkdir projections
$ ls -ld projections/
drwxr-xr-x 2 peter peter 4096 2008-02-02 14:33 projections/


We want to share the directory among the marketing-g and sales-g groups and the user named george. Sales, marketing and george need to have full access to the directory including the creation of new files in that directory.
$ setfacl -m user:george:rwx,group:sales-g:rwx,group:marketing-g:rwx projections
$ getfacl projections/
# file: projections
# owner: peter
# group: peter
user::rwx
user:george:rwx
group::r-x
group:sales-g:rwx
group:marketing-g:rwx
mask::rwx
other::r-x


OK, george, go ahead to create a file in projections.
$ su - george
...
$ cd /home/peter/projections; touch targets.txt
$ ls -l targets.txt
-rw-r--r-- 1 george george 0 2008-02-02 15:06 targets.txt
$ getfacl targets.txt
# file: targets.txt
# owner: george
# group: george
user::rw-
group::r--
other::r--


Now, sales and marketing, and george can create or copy new files into projections.

There is a slight problem: only the creator of a file can edit it. Alas only george can modify the above targets file.

Yes, we can manually adjust the ACL of a file after its creation by running setfacl -m on the file. A much better way is to configure the projections directory such that by default all files created under it will automatically have the proper ACL.
$ setfacl -m d:user:george:rwx,d:group:sales-g:rwx,d:group:marketing-g:rwx projections


Note that the d in d:user:george:rwx means default. That is, all files created in projections will have by default read/write/execute permission for the user named george.
$ getfacl projections/ 
# file: projections
# owner: peter
# group: peter
user::rwx
user:george:rwx
group::r-x
group:sales-g:rwx
group:marketing-g:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:george:rwx
default:group::r-x
default:group:sales-g:rwx
default:group:marketing-g:rwx
default:mask::rwx
default:other::r-x


Now, sales, marketing, and george can edit mutual files.

Don't believe me, george? See for yourself.
$ su - george
$ cd /home/peter/projections
$ touch figures.txt
$ ls -l figures.txt
-rw-rw-r--+ 1 george george 0 2008-02-02 17:32 figures.txt
$ getfacl figures.txt
# file: figures.txt
# owner: george
# group: george
user::rw-
user:george:rwx #effective:rw-
group::r-x #effective:r--
group:sales-g:rwx #effective:rw-
group:marketing-g:rwx #effective:rw-
mask::rw-
other::r--


The ACL for the newly created figures.txt file is configured with the default entries from its parent directory.

To summarize, if you want to share a directory (say some_dir) between some_user and some_group such that both will have full access to the directory, including creating new files and modifying each others' files, run these commands:
$ setfacl -m   user:some_user:rwx,group:some_group:rwx    some_dir
$ setfacl -m d:user:some_user:rwx,d:group:some_group:rwx some_dir


To remove the ACL from a file or directory, use setfacl -b like this:
$ setfacl -b /home/peter/projections


Note that this removes all but the very basic user/group/others ACL entries. If all you want is to delete the default ACL for the directory, execute this instead:
$ setfacl -k /home/peter/projections