...

SFTP - copy/create will inherit ACLs, but move from outside needs to be tested.

Creating Users and Groups

```bash
# Create the per-company groups with fixed GIDs, then the users with their
# home directories and primary groups
sudo groupadd --gid 3100 wgdailyplanet
sudo groupadd --gid 3101 wglexcorp
sudo useradd -d /opt/web/php/ckent -m -g wgdailyplanet -u 4001 -c "Clark Kent" -s /bin/bash ckent
sudo useradd -d /opt/web/php/lluthor -m -g wglexcorp -u 4005 -c "Lex Luthor" -s /bin/bash lluthor
```

ACLs and Groups

The most scalable way to use ACLs is to apply groups. A tutorial approach will be used to illustrate the commands.

...

| User | Group | Web Directory | File Access | Directory Access |
|---|---|---|---|---|
| Daily Planet Employees | wgdailyplanet | /opt/web/php/dailyplanet/ | Read, Write and Execute | Read, Write and Execute |
| LexCorp Employees | wglexcorp | /opt/web/php/lexcorp/ | Read, Write and Execute | Read, Write and Execute |
| Apache Server | www-data | /opt/web/php/dailyplanet/, /opt/web/php/lexcorp/ | Read | Read and Execute (required to traverse directories) |
| Staff Users | staff | /opt/web/php/dailyplanet/, /opt/web/php/lexcorp/ | Read | Read and Execute (required to traverse directories) |
| Other | | | No Access | No Access |

We do not want employees of one company to access, or even be aware of, the other company's web directory. At the same time the Apache server, which runs as user www-data in group www-data, also needs access to both directories. We also want to grant members of the staff group read access for support purposes.

Creating the Directory Structure

The utility setfacl is used to add the groups to the ACL of the respective directories:

```bash
cd /opt/web/php/
# Normal permissions: strip all access from "other"
sudo chmod -R o-rwx ./www.dailyplanet.com/
# ACL permissions: capital X grants execute on directories only
sudo setfacl -Rm g:wgdailyplanet:rwX ./www.dailyplanet.com/
sudo setfacl -Rm g:www-data:rX ./www.dailyplanet.com/
sudo setfacl -Rm g:staff:rX ./www.dailyplanet.com/
```

Take a look at the ACLs,

```bash
getfacl ./www.dailyplanet.com/
# file: www.dailyplanet.com
# owner: ckent
# group: wgdailyplanet
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
group:wgdailyplanet:rwx
mask::rwx
other::---
```

...

```bash
getfacl --default ./www.dailyplanet.com/
# file: www.dailyplanet.com/
# owner: ckent
# group: wgdailyplanet
```

...

```bash
getfacl --access ./www.dailyplanet.com/ | sudo setfacl -d -RM - ./www.dailyplanet.com/
```

getfacl --access retrieves only the access ACL of the directory (default entries are not returned). Its output is piped to setfacl, which reads the entries from standard input; the parameters mean:

...

```bash
getfacl --default ./www.dailyplanet.com/
# file: www.dailyplanet.com/
# owner: ckent
# group: wgdailyplanet
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
group:wgdailyplanet:rwx
mask::rwx
other::---
```

...

```bash
getfacl ./www.dailyplanet.com/
# file: www.dailyplanet.com/
# owner: ckent
# group: wgdailyplanet
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
group:wgdailyplanet:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:www-data:r-x
default:group:staff:r-x
default:group:wgdailyplanet:rwx
default:mask::rwx
default:other::---
```
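The listing above is only correct if the mask entry stays at rwx: the owning group, named groups and named users are all limited by mask::, and on a directory that carries an ACL a plain `chmod g-w` rewrites the mask rather than the group entry, so group:wgdailyplanet:rwx would silently become effective r-x. The following Python script is an added example (not code from the original page) that parses a getfacl listing, applies the mask the way the kernel does, checks both the access and the default ACL against the directory policy from the table above, and simulates that chmod trap. The sample listing is the one shown on this page; the function names and DIRECTORY_POLICY are hypothetical names chosen for the example.

```python
import copy

# Constructed sample input: the getfacl listing of www.dailyplanet.com/ as shown
# on this page, after the default ACLs were applied.
SAMPLE_ACL = """\
# file: www.dailyplanet.com/
# owner: ckent
# group: wgdailyplanet
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
group:wgdailyplanet:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:www-data:r-x
default:group:staff:r-x
default:group:wgdailyplanet:rwx
default:mask::rwx
default:other::---
"""

# Intended directory access from the page's table, keyed by (tag, qualifier).
# Hypothetical name; the page states the policy only in prose and a table.
DIRECTORY_POLICY = {
    ("group", "wgdailyplanet"): "rwx",
    ("group", "www-data"): "r-x",
    ("group", "staff"): "r-x",
    ("other", ""): "---",
}


def parse_getfacl(text):
    """Parse one getfacl listing into {"access": {...}, "default": {...}}.

    Keys are (tag, qualifier) tuples such as ("group", "www-data"), or ("user", "")
    for the owner entry; values are the raw permission strings, e.g. "r-x".
    """
    acl = {"access": {}, "default": {}}
    for raw in text.splitlines():
        line = raw.split("#")[0].strip()  # drop comments and "#effective:" annotations
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        acl[scope][(tag, qualifier)] = perms
    return acl


def _intersect(perms, mask):
    """AND two rwx strings: ("rwx", "r-x") -> "r-x"."""
    return "".join(p if p == m and p != "-" else "-" for p, m in zip(perms, mask))


def effective_perms(acl, scope="access"):
    """Apply the mask entry: the owning group, named groups and named users are
    limited by mask::; the owner entry, the mask itself and other:: are not."""
    entries = acl[scope]
    mask = entries.get(("mask", ""))
    result = {}
    for (tag, qualifier), perms in entries.items():
        limited = tag == "group" or (tag == "user" and qualifier != "")
        result[(tag, qualifier)] = _intersect(perms, mask) if (limited and mask) else perms
    return result


def check_policy(acl, policy=DIRECTORY_POLICY):
    """Return violations as (scope, entry, expected, effective); [] means compliant.
    The default ACL is checked too, since that is what files created over SFTP inherit."""
    violations = []
    for scope in ("access", "default"):
        eff = effective_perms(acl, scope)
        for entry, expected in policy.items():
            got = eff.get(entry, "---")
            if got != expected:
                violations.append((scope, entry, expected, got))
    return violations


def with_mask(acl, mask, scope="access"):
    """Simulate `chmod g-w` on a directory with an ACL: the group bits of the mode
    are the mask, so the mask entry changes while group:wgdailyplanet:rwx stays."""
    changed = copy.deepcopy(acl)
    changed[scope][("mask", "")] = mask
    return changed


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_ACL)
    print("violations on the page's listing:", check_policy(acl))
    print("after chmod g-w on the directory:", check_policy(with_mask(acl, "r-x")))
```

Run it against real output with `getfacl dir | python3 check_acl.py` style plumbing of your own; the useful property is that the check reports the effective permissions, which is what getfacl annotates with `#effective:` only when they differ from the entry.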

...

```bash
cd /opt/web/php/
# Normal permissions: strip all access from "other"
sudo chmod -R o-rwx ./www.lexcorp.com/
# ACL permissions
sudo setfacl -Rm g:wglexcorp:rwX ./www.lexcorp.com/
sudo setfacl -Rm g:www-data:rX ./www.lexcorp.com/
sudo setfacl -Rm g:staff:rX ./www.lexcorp.com/
# Apply default ACLs: copy the access ACL into the default ACL of every directory
getfacl --access ./www.lexcorp.com/ | sudo setfacl -d -RM - ./www.lexcorp.com/
```

Backup and Restore

Introduction

...

```bash
sudo getfacl -R www.dailyplanet.com/ > ~/www.dailyplanet.com.acl.bck.txt
```

It is important to run getfacl with sudo so that it can traverse every directory, and so that the owner and group comment lines are retained in the dump.

...

```bash
# Run from the same directory the backup was taken in: the dump stores relative paths
cd /opt/web/php/
sudo setfacl --restore ~/www.dailyplanet.com.acl.bck.txt
```
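Before running setfacl --restore it is worth knowing what the restore will actually change, and the same comparison doubles as a drift check between a known-good dump and the current state (for example a file that has become world-readable, or a new file that the backup does not cover). The script below is an added example, not code from the original page: it splits two `getfacl -R` dumps into per-file records and reports the entries lost or gained per path. The two dumps are constructed samples in the page's naming (index.php and config.php are invented file names), and the function names are hypothetical.

```python
import re

# Constructed sample dumps in `getfacl -R` format. BACKUP_DUMP is what the backup
# command above would have written; CURRENT_DUMP is a later dump in which index.php
# has become world-readable and a new config.php has appeared.
BACKUP_DUMP = """\
# file: www.dailyplanet.com
# owner: ckent
# group: wgdailyplanet
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
group:wgdailyplanet:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:www-data:r-x
default:group:staff:r-x
default:group:wgdailyplanet:rwx
default:mask::rwx
default:other::---

# file: www.dailyplanet.com/index.php
# owner: ckent
# group: wgdailyplanet
user::rw-
group::r--
group:www-data:r--
group:staff:r--
group:wgdailyplanet:rw-
mask::rw-
other::---

"""

# Derived from the backup: index.php gains other::r-- (the only rw- file record),
# and a new file record is appended.
CURRENT_DUMP = BACKUP_DUMP.replace(
    "group:wgdailyplanet:rw-\nmask::rw-\nother::---",
    "group:wgdailyplanet:rw-\nmask::rw-\nother::r--",
) + """\
# file: www.dailyplanet.com/config.php
# owner: ckent
# group: wgdailyplanet
user::rw-
group::r--
group:www-data:r--
group:staff:r--
group:wgdailyplanet:rw-
mask::rw-
other::---

"""


def split_dump(text):
    """Split a getfacl -R dump into {path: frozenset(lines)}. Every non-empty line
    after a `# file:` header, owner and group comments included, belongs to that
    file's record, so an ownership change is reported as well."""
    records, path, lines = {}, None, []
    for line in text.splitlines():
        if line.startswith("# file: "):
            if path is not None:
                records[path] = frozenset(lines)
            path, lines = line[len("# file: "):], []
        elif line.strip():
            # getfacl appends "#effective:..." when the mask limits an entry
            lines.append(re.sub(r"\s+#effective:.*$", "", line).strip())
    if path is not None:
        records[path] = frozenset(lines)
    return records


def diff_dumps(backup_text, current_text):
    """Compare two dumps. Files whose ACL changed map to (lost, gained): lines only
    in the backup and lines only in the current dump. Files present in just one
    dump map to the status "missing" or "new"."""
    backup, current = split_dump(backup_text), split_dump(current_text)
    report = {}
    for path in sorted(set(backup) | set(current)):
        if path not in current:
            report[path] = "missing"
        elif path not in backup:
            report[path] = "new"
        elif backup[path] != current[path]:
            report[path] = (sorted(backup[path] - current[path]),
                            sorted(current[path] - backup[path]))
    return report


if __name__ == "__main__":
    for path, change in diff_dumps(BACKUP_DUMP, CURRENT_DUMP).items():
        print(path, "->", change)
```

Because the dump stores paths relative to where getfacl was run, take the current dump from the same directory as the backup (here /opt/web/php/) or the paths will not line up and everything is reported as missing and new.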

References

Good introduction from the Ubuntu docs - https://help.ubuntu.com/community/FilePermissionsACLs

Slightly Skeptical view on ACLs - http://www.softpanorama.org/Articles/slightly_skeptical_view_on_unix_acl.shtml

Got me to understand why execute permission was set on the groups - http://superuser.com/questions/180545/setting-differing-acls-on-directories-and-files

Notes on backup and restoring ACLs using dump file - http://www.projectenvision.com/blog/4/Enable-Support-for-ACL-in-Debian-Ubuntu

Good article on masks - http://www.novell.com/documentation/suse91/suselinux-adminguide/html/apbs03.html