...
SFTP - copy/create will inherit ACLs, but move from outside needs to be tested.
Creating Users and Groups
```bash
# Create the groups first: useradd -g requires the primary group to exist already
sudo groupadd --gid 3100 wgdailyplanet
sudo groupadd --gid 3101 wglexcorp
sudo useradd -d /opt/web/php/ckent -m -g wgdailyplanet -u 4001 -c "Clark Kent" -s /bin/bash ckent
sudo useradd -d /opt/web/php/lluthor -m -g wglexcorp -u 4005 -c "Lex Luthor" -s /bin/bash lluthor
```
ACLs and Groups
The most scalable way to use ACLs is to apply them to groups rather than to individual users. A tutorial approach is used to illustrate the commands.
...
User | Group | Web Directory | File Access | Directory Access |
---|---|---|---|---|
Daily Planet Employees | wgdailyplanet | /home/www.dailyplanet.comopt/web/php/dailyplanet/ | Read, Write and Execute | Read, Write and Execute |
LexCorp Employees | wglexcorp | /home/www.lexcorp.comopt/web/php/lexcorp/ | Read, Write and Execute | Read, Write and Execute |
Apache Server | www-data | /home/www.dailyplanet.comopt/web/php/dailyplanet/; /home/www.lexcorp.comopt/web/php/lexcorp/ | Read | Read and Execute (required to traverse directories) |
Staff Users | staff | /home/www.dailyplanet.comopt/web/php/dailyplanet/ | Read | Read and Execute (required to traverse directories) |
Other | - | - | No Access | No Access |
We do not want employees of one company to access, or even be aware of, the other company's web directory. At the same time, the Apache server, running as user www-data in group www-data, also needs access to the directories. We also want to grant users in the staff group read access for support purposes.
Creating the Directory Structure
The utility setfacl is used to add the groups to the ACL of the respective directories:
```bash
cd /homeopt/web/php/
# Normal permissions
sudo chmod -R o-rwx ./www.dailyplanet.com/
# ACL permissions
sudo setfacl -Rm g:wgdailyplanet:rwX ./www.dailyplanet.com/
sudo setfacl -Rm g:www-data:rX ./www.dailyplanet.com/
sudo setfacl -Rm g:staff:rX ./www.dailyplanet.com/
```
Take a look at the ACLs:
```text
getfacl ./www.dailyplanet.com/
# file: www.dailyplanet.com
# owner: ckent
# group: wgdailyplanet
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
group:wgdailyplanet:rwx
mask::rwx
other::---
```
...
```text
getfacl --default ./www.dailyplanet.com/
# file: www.dailyplanet.com/
# owner: ckent
# group: wgdailyplanet
```
...
```bash
getfacl --access ./www.dailyplanet.com/ | sudo setfacl -d -RM - ./www.dailyplanet.com/
```
getfacl --access retrieves only the access ACL of the directory (default entries are not returned). Its output is piped to setfacl, which reads the entries from standard input (-M -) and applies them recursively (-R) as the default ACL (-d), so that new files and directories created underneath inherit them.
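As an added example (not part of the original page), the following Python models the two points above: it parses the getfacl output shown for www.dailyplanet.com, computes the permissions each of the page's users ends up with under the POSIX ACL check order (including the effect of the mask:: entry), and derives the default: entries that the getfacl --access | setfacl -d -M - pipe installs. The ACL text is a constructed copy of the page's output; the user and group names are the page's own.

```python
# Constructed sample: the access ACL that getfacl prints for www.dailyplanet.com above.
SAMPLE_ACL = """\
# file: www.dailyplanet.com
# owner: ckent
# group: wgdailyplanet
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
group:wgdailyplanet:rwx
mask::rwx
other::---
"""


def parse_acl(text):
    """Split getfacl output into its comment header and (tag, qualifier, perms) entries."""
    header, entries = {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
        else:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return header, entries


def effective_perms(header, entries, user, groups):
    """Permissions a process gets, in POSIX ACL check order: owner, named user,
    union of all matching group entries (each limited by mask::), then other::.
    Only user:: and other:: escape the mask."""
    acl = {(tag, qual): perms for tag, qual, perms in entries}
    mask = acl.get(("mask", ""), set("rwx"))
    if user == header["owner"]:
        return acl[("user", "")]
    if ("user", user) in acl:
        return acl[("user", user)] & mask
    matched, granted = False, set()
    for (tag, qual), perms in acl.items():
        # qual == "" is the owning group (group::), otherwise a named group
        if tag == "group" and (qual in groups or (qual == "" and header["group"] in groups)):
            matched, granted = True, granted | (perms & mask)
    return granted if matched else acl[("other", "")]


def default_entries(entries):
    """The lines `getfacl --access | setfacl -d -M -` installs as the default ACL:
    each access entry re-emitted with the default: prefix, as getfacl shows below."""
    return ["default:%s:%s:%s" % (tag, qual, "".join(c if c in perms else "-" for c in "rwx"))
            for tag, qual, perms in entries]
```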
...
```text
getfacl --default ./www.dailyplanet.com/
# file: www.dailyplanet.com/
# owner: ckent
# group: wgdailyplanet
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
group:wgdailyplanet:rwx
mask::rwx
other::---
```
...
```text
getfacl ./www.dailyplanet.com/
# file: www.dailyplanet.com/
# owner: ckent
# group: wgdailyplanet
user::rwx
group::r-x
group:www-data:r-x
group:staff:r-x
group:wgdailyplanet:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:www-data:r-x
default:group:staff:r-x
default:group:wgdailyplanet:rwx
default:mask::rwx
default:other::---
```
...
```bash
cd /homeopt/web/php/
# Normal permissions
sudo chmod -R o-rwx ./www.lexcorp.com/
# ACL permissions
sudo setfacl -Rm g:wglexcorp:rwX ./www.lexcorp.com/
sudo setfacl -Rm g:www-data:rX ./www.lexcorp.com/
sudo setfacl -Rm g:staff:rX ./www.lexcorp.com/
# Apply default ACLs
getfacl --access ./www.lexcorp.com/ | sudo setfacl -d -RM - ./www.lexcorp.com/
```
Backup and Restore
Introduction
...
```bash
sudo getfacl -R www.dailyplanet.com/ > ~/www.dailyplanet.com.acl.bck.txt
```
It is important to run getfacl with sudo so that it can traverse every directory regardless of its permissions; the owner and group comments in the output are retained and are used when restoring.
...
```bash
cd /homeopt/web/php/
# Restore from the file written by the backup command above
sudo setfacl --restore ~/www.dailyplanet.com.acl.bck.txt
```
References
Good introduction from the Ubuntu docs - https://help.ubuntu.com/community/FilePermissionsACLs
Slightly Skeptical view on ACLs - http://www.softpanorama.org/Articles/slightly_skeptical_view_on_unix_acl.shtml
Got me to understand why execute permission was set on the groups - http://superuser.com/questions/180545/setting-differing-acls-on-directories-and-files
Notes on backup and restoring ACLs using dump file - http://www.projectenvision.com/blog/4/Enable-Support-for-ACL-in-Debian-Ubuntu
Good article on masks - http://www.novell.com/documentation/suse91/suselinux-adminguide/html/apbs03.html