
...

Access Control Lists (ACLs) provide advanced permissions beyond the traditional Unix user, group and other permissions. They have powerful features such as being able to give permissions to more than one user and more than one group.

ACLs versus Traditional Permissions

ACLs, though powerful, add complexity to the system and have some limitations, discussed further below. You will notice throughout the Bonsai Framework that we use ACLs only when absolutely necessary.

Limitations

Support in Utilities - For example, the version of GNU tar packaged with the OS may not back up or restore ACLs.

Standardizing Across Operating Systems - Moving files with ACLs between operating systems that both support ACLs may not work.

umask - ACLs are generally only applied during create; more specifically, by create(), mkdir(), mknod(), mkfifo() or open(). Other operations, such as copy or move, are limited by the umask of the user performing the operation. (I need to go into more detail here, but this is very limiting and intuitively not the behaviour most people expect.)

Copying Files - This is no longer an issue with modern (2012 is when I checked) versions of Ubuntu and, I would guess, other *nix systems. If you want to preserve specific ACL permissions rather than inherit, use -p. With an older system, check that when setting default ACLs on a directory, the following operations inherit permissions properly: local copy, sftp remote create and sftp remote copy.

Move - Moving files or folders created outside of an ACL directory into an ACL directory will not result in inheritance of permissions, even if you have specified inheritance (a default ACL) on the ACL directory.

Backup - The most used backup command in *nix, tar, does not support ACLs unless modified. Some distributions, like Red Hat, have this built into tar. Otherwise your options are to use star or to manually back up and restore the ACLs. Options are covered in this article.


SFTP - Copy and create will inherit ACLs, but a move from outside the ACL directory still needs to be tested.


ACLs and Groups

The most scalable way to use ACLs is to apply them to groups rather than individual users. A tutorial approach will be used to illustrate the commands.

The scenario is that we want to provide website hosting for two different clients, The Daily Planet and LexCorp. Employees from the respective companies will be kept in the system under the groups wgdailyplanet and wglexcorp. The web server process also needs to be considered; it runs under the group www-data.

| User Name | Assigned User | Group | Web Root Directory | File Access | Directory Access |
|---|---|---|---|---|---|
| dailyplanet01 | Clark Kent | wgdailyplanet | /opt/web/php/dailyplanet.com/ | Read, Write and Execute | Read, Write and Execute |
| lexcorp01 | Lex Luthor | wglexcorp | /opt/web/php/lexcorp.com/ | Read, Write and Execute | Read, Write and Execute |
| - | Apache Server | www-data | /opt/web/php/dailyplanet.com/ and /opt/web/php/lexcorp.com/ | Read | Read and Execute (required to traverse directories) |
| - | Staff Users | staff | /opt/web/php/dailyplanet.com/ and /opt/web/php/lexcorp.com/ | Read | Read and Execute (required to traverse directories) |
| - | Other | - | - | No Access | No Access |

We do not want employees from different companies to access, or even be aware of, each other's web directory. At the same time, the Apache server, running as user www-data and belonging to group www-data, also needs access to all the directories. We also want to grant users of the staff group read access for support purposes. Finally, we want all subsequent directories and files under the respective Web Root Directories to inherit the same permissions.

...

```bash
cd ~
sudo mv web /opt/
cd /opt/
sudo chown -R serveradmin:staff web
```

Repeat the same steps for lexcorp.com: change the group ownership and apply the ACLs, substituting the wglexcorp group accordingly.

Warning

When adding a group to the ACL of a directory, the mask is changed to whatever permissions were set. Must read more about masks.
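As an added example (not code from the original page), the following script applies the scenario table to one web root, including the default ACL for inheritance, and sets the mask explicitly because of the warning above. It assumes the acl package (setfacl) is installed, the filesystem is mounted with ACL support and the groups already exist; ACL_RUN is a hypothetical helper variable, and ACL_RUN=echo prints the commands instead of running them.

```bash
# set_web_root_acls WEBROOT CLIENT_GROUP
#   WEBROOT       e.g. /opt/web/php/lexcorp.com   (from the scenario table)
#   CLIENT_GROUP  e.g. wglexcorp                   (from the scenario table)
# Assumptions (not stated on the page): setfacl is installed, the filesystem
# supports ACLs, and the groups staff, www-data and CLIENT_GROUP exist.
# ACL_RUN is a hypothetical dry-run hook: ACL_RUN=echo prints instead of running.
set_web_root_acls() {
    webroot=$1
    client=$2
    run=${ACL_RUN:-}

    # Base Unix bits first: owner keeps rwX, the owning group (staff) gets rX,
    # "other" gets nothing, so anyone outside the listed groups cannot even
    # list the directory. (The owner was already set with chown above.)
    $run chgrp -R staff "$webroot"
    $run chmod -R u=rwX,g=rX,o= "$webroot"

    # Access ACL for everything that already exists. X grants execute only on
    # directories (and on files that are already executable), which matches the
    # "Read" vs "Read and Execute" columns of the table. The mask (m::rwx) is
    # given explicitly: without it, setfacl recalculates the mask from the
    # entries being modified, which is the behaviour the warning describes.
    $run setfacl -R -m "g:${client}:rwX,g:www-data:rX,g:staff:rX,m::rwx" "$webroot"

    # Default ACL so files and directories created later inherit the same
    # entries. Remember the Move limitation above: a file moved in from
    # elsewhere keeps its old ACL and does not pick these up.
    $run setfacl -R -d -m "g:${client}:rwX,g:www-data:rX,g:staff:rX,m::rwx" "$webroot"
}

# Apply the table to both clients.
set_all_web_root_acls() {
    set_web_root_acls /opt/web/php/dailyplanet.com wgdailyplanet
    set_web_root_acls /opt/web/php/lexcorp.com wglexcorp
}
```

Afterwards, getfacl on each web root should show the client group, www-data and staff entries with the mask at rwx, and the same entries again as default entries.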


...

Testing Restrictions

User Lex Luthor has been given access to his directory "lexcorp.com" but learns of the "dailyplanet.com" directory by using his robots to spy on Clark Kent's computer. So Lex terminals in...

...