...
The most scalable way to use ACLs is to apply them to groups, and we will start learning with an example. A tutorial approach will be used to illustrate the commands.
The scenario is that we want to provide website hosting for two different clients, whom we will start by categorizing into two different groups:
User | Group | Web Directory | File Access | Directory Access |
---|---|---|---|---|
Daily Planet Employees | wgdailyplanet | /home/www.dailyplanet.com/ | Read, Write and Execute | Read, Write and Execute |
LexCorp Employees | wglexcorp | /home/www.lexcorp.com/ | Read, Write and Execute | Read, Write and Execute |
Apache Server | www-data | /home/www.dailyplanet.com/ and /home/www.lexcorp.com/ | Read | Read and Execute (required to traverse directories) |
Staff Users | staff | /home/www.dailyplanet.com/ | Read | Read and Execute (required to traverse directories) |
We do not want employees of one company to access, or even be aware of, the other company's web directory. At the same time, the Apache server, running as user www-data and belonging to group www-data, also needs access to both directories. We also want to grant users of the staff group read access to the Daily Planet directory for support purposes.
The utility setfacl is used to add the groups to the ACL for the respective directories (www-data and staff get r-x rather than plain r on the directories, because execute is what lets them traverse into them):

```sh
cd /home/
# Daily Planet: employees get full access, Apache and staff get read plus traverse
sudo setfacl -m g:wgdailyplanet:rwx ./www.dailyplanet.com/
sudo setfacl -m g:www-data:r-x ./www.dailyplanet.com/
sudo setfacl -m g:staff:r-x ./www.dailyplanet.com/
# LexCorp: same pattern, but the staff group is not granted access here
sudo setfacl -m g:wglexcorp:rwx ./www.lexcorp.com/
sudo setfacl -m g:www-data:r-x ./www.lexcorp.com/
```
Once we are happy with the permissions, change the default ACLs so that any files or folders created underneath the parent directories inherit them:

```sh
# getfacl prints the access ACL; setfacl -d -M reads ACL entries from a file and
# sets them as the default ACL. The trailing "-" is that file argument: it tells
# setfacl to read the entries from standard input, i.e. from the pipe.
getfacl --access ./www.dailyplanet.com/ | sudo setfacl -d -M- ./www.dailyplanet.com/
getfacl --access ./www.lexcorp.com/ | sudo setfacl -d -M- ./www.lexcorp.com/
```
getfacl --access prints the access ACL we applied to the directory, and setfacl with the -d and -M parameters sets those entries as the default ACL for new files and directories created beneath it.
Note: Notice the extra dash after -M? I have no idea why we need it; it was just in the example at the bottom of the man pages for setfacl. If you know, please share.
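As an added check (example script written for this page, not part of the original post), the two helpers below parse getfacl output instead of trusting that the steps above worked: effective_perms applies the mask the way the kernel does, which is how a later chmod can silently cut a group's rwx entry down to r-x, and default_mirrors_access confirms that the default ACL really is a copy of the access ACL. The ACL text is constructed sample output, not captured from a real host.

```sh
#!/bin/sh
# Constructed getfacl output for /home/www.dailyplanet.com/ right after the
# setfacl steps above (sample text, not captured from a real host).
ACL_GOOD='# file: home/www.dailyplanet.com/
user::rwx
group::r-x
group:wgdailyplanet:rwx
group:www-data:r-x
group:staff:r-x
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:wgdailyplanet:rwx
default:group:www-data:r-x
default:group:staff:r-x
default:mask::rwx
default:other::---'
# Same directory after a later "chmod 750": chmod rewrites the mask, so the
# wgdailyplanet rwx entry is silently limited (getfacl marks it "#effective:r-x").
ACL_AFTER_CHMOD=$(printf '%s\n' "$ACL_GOOD" | sed 's/^mask::rwx/mask::r-x/')
# Same directory before the default ACL step: no default: entries at all.
ACL_NO_DEFAULT=$(printf '%s\n' "$ACL_GOOD" | grep -v '^default:')

# effective_perms ACL PREFIX GROUP: print GROUP's permissions after the mask is
# applied, which is what the kernel enforces. PREFIX is "" for the access ACL
# or "default:" for the default ACL. Fails if the entry or mask is missing.
effective_perms() {
  acl=$1; prefix=$2; grp=$3
  entry=$(printf '%s\n' "$acl" | sed -n "s/^${prefix}group:${grp}:\([rwx-]*\).*/\1/p")
  mask=$(printf '%s\n' "$acl" | sed -n "s/^${prefix}mask::\([rwx-]*\).*/\1/p")
  [ -n "$entry" ] && [ -n "$mask" ] || return 1
  out=""
  for i in 1 2 3; do   # a bit is effective only if set in both entry and mask
    a=$(printf '%s' "$entry" | cut -c"$i"); m=$(printf '%s' "$mask" | cut -c"$i")
    if [ "$a" = "$m" ]; then out="$out$a"; else out="$out-"; fi
  done
  printf '%s\n' "$out"
}

# default_mirrors_access ACL: succeed only when every access entry has an
# identical default: entry, i.e. the "getfacl --access | setfacl -d -M-" step
# took effect and nothing (such as chmod) has changed the access ACL since.
default_mirrors_access() {
  acl=$1
  for line in $(printf '%s\n' "$acl" | sed 's/[[:space:]]*#.*//' | grep -v '^default:' | grep .); do
    printf '%s\n' "$acl" | grep -qx "default:$line" || return 1
  done
  return 0
}
```

To run it against a live directory, replace the sample text with `getfacl --access` / `getfacl` output for that path; a mismatch from default_mirrors_access is the cue to rerun the setfacl -d step.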