...
SFTP: files copied or created in place will inherit the default ACLs, but a move (rename) into the tree from outside still needs to be tested.
ACLs and Groups
The most scalable way to use ACLs is to grant them to groups rather than to individual users. A tutorial approach will be used to illustrate the commands.
The scenario is that we want to provide website hosting for two different clients, The Daily Planet and LexCorp. Employees of the respective companies will be kept in the system under the groups wgdailyplanet and wglexcorp.
User | Group | Web Root Directory | File Access | Directory Access |
---|---|---|---|---|
Clark Kent | wgdailyplanet | /opt/web/php/dailyplanet/ | Read, Write and Execute | Read, Write and Execute |
Lex Luthor | wglexcorp | /opt/web/php/lexcorp/ | Read, Write and Execute | Read, Write and Execute |
Apache Server | www-data | /opt/web/php/dailyplanet/ /opt/web/php/lexcorp/ | Read | Read and Execute (required to traverse directories) |
Staff Users | staff | /opt/web/php/dailyplanet/ | Read | Read and Execute (required to traverse directories) |
Other | - | - | No Access | No Access |
We do not want employees of one company to access, or even be aware of, the other company's web directory. At the same time, the Apache server, running as user www-data in group www-data, needs read access to both directories. We also want to give members of the staff group read access for support purposes. Finally, we want all subsequent directories and files created under the respective web root directories to inherit the same permissions. This is not possible with standard Unix groups alone: a file has exactly one owning group, so a single group mode cannot give the client group, www-data and staff three different levels of access, and new files take the creator's group rather than inheriting anything from the directory.
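One way to turn the table above into ACL entries, shown here as an added example rather than the page's own or the Bonsai Framework's own script. It assumes the acl package (setfacl/getfacl) is installed and that the filesystem holding the web roots is mounted with ACL support; the group arguments may be names (wgdailyplanet, www-data, staff) or numeric GIDs, and the function and file names are hypothetical. The second function creates a file and a subdirectory the way a user or an SFTP upload would and checks that the default ACL actually propagated.

```bash
#!/bin/bash
# Added example, not from the original page: apply the access matrix above with
# POSIX ACLs. Assumes setfacl/getfacl (the acl package) are installed and the
# target filesystem supports ACLs. Groups may be given as names or numeric GIDs.
set -eu

# setup_client_acl ROOT CLIENT_GROUP [WEB_GROUP] [STAFF_GROUP]
# Client group: full access. Web server and staff groups: read files, traverse
# directories. Everyone else: nothing. The same entries are installed as the
# default ACL so everything created under ROOT inherits them.
setup_client_acl() {
  local root="$1" client="$2" web="${3:-www-data}" staff="${4:-staff}"
  local entries="g:${client}:rwx,g:${web}:r-x,g:${staff}:r-x,o::---"

  mkdir -p "$root"
  chmod 0750 "$root"                # base mode; with an ACL the group bits act as the mask
  setfacl -b "$root"                # drop any extended entries left from earlier attempts
  setfacl -m "$entries" "$root"     # access ACL: applies to ROOT itself
  setfacl -d -m "$entries" "$root"  # default ACL: inherited by new children
}

# verify_inheritance ROOT CLIENT_GROUP
# Creates a subdirectory and a file the way a user or SFTP upload would, then
# checks that both carry the inherited entries. Returns non-zero on a mismatch.
verify_inheritance() {
  local root="$1" client="$2" acl

  mkdir -p "$root/sub"
  : > "$root/sub/index.php"   # created with mode 0666; the default ACL, not the umask, trims it

  # The new directory gets the entry and its own default ACL, so deeper nesting keeps working.
  acl=$(getfacl -p "$root/sub")
  printf '%s\n' "$acl" | grep -q "^group:${client}:rwx" || return 1
  printf '%s\n' "$acl" | grep -q "^default:group:${client}:rwx" || return 1

  # The new file gets the same entry; the mask derived from 0666 clamps it to rw-
  # (getfacl shows "#effective:rw-"), which is exactly the "File Access" column.
  acl=$(getfacl -p "$root/sub/index.php")
  printf '%s\n' "$acl" | grep -q "^group:${client}:rwx" || return 1
  printf '%s\n' "$acl" | grep -q "^other::---" || return 1
}

# Usage: bash acl-setup.sh /opt/web/php/dailyplanet wgdailyplanet [www-data] [staff]
if [ "$#" -ge 2 ]; then
  setup_client_acl "$@"
  verify_inheritance "$1" "$2"
  getfacl -p "$1"
fi
```

Run it once per client root (dailyplanet with wgdailyplanet, lexcorp with wglexcorp). Because a named-group entry, not the owning group, carries the rights, it does not matter which primary group the creating user has; the mask is the thing to watch, since any later `chmod g-w` on a directory silently shrinks the effective rights of every named entry in it.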
Creating Users and Groups
First create the groups and users, following the Bonsai Framework standards:

```bash
# Groups first, with fixed GIDs so they are stable across hosts
sudo groupadd --gid 3100 wgdailyplanet
sudo groupadd --gid 3101 wglexcorp
# Users with fixed UIDs, home directories under /opt/web/php and the client group as primary group
sudo useradd -d /opt/web/php/ckent -m -g wgdailyplanet -u 4001 -c "Clark Kent" -s /bin/bash ckent
sudo useradd -d /opt/web/php/lluthor -m -g wglexcorp -u 4006 -c "Lex Luthor" -s /bin/bash lluthor
```
Creating the Directory Structure and Permissions
...