Introduction
What are ACLs?
ACLs versus Traditional Permissions
ACLs though powerful add additional complexity to the system and do have some limitations discussed further down this article. You will notice throughout the Bonsai Framework we add ACLs only when absolutely necessary.
Limitations
Support in Utilities - For example, the version of GNU tar packaged with the OS may not back up or restore ACLs.
Standardizing Across Operating Systems - Moving files with ACLs between operating systems that both support ACLs may not work.
Copying Files - Even though you set ACLs on a directory so new files created will inherent permissions, the copy command will ignore this.
ACLs and Groups
The most scalable way to use ACLs is to apply groups. A tutorial approach will be used to illustrate the commands.
The scenario is we want to provide website hosting for two different clients who we will start by categorizing into two different groups,
User | Group | Web Directory | File Access | Directory Access |
---|---|---|---|---|
Daily Planet Employees | wgdailyplanet | /home/www.dailyplanet.com/ | Read, Write and Execute | Read, Write and Execute |
LexCorp Employees | wglexcorp | /hom/www.lexcorp.com/ | Read, Write and Execute | Read, Write and Execute |
Apache Server | www-data | /home/www.dailyplanet.com/ /home/www.lexcorp.com/ | Read | Read and Execute (required to transverse directories) |
Staff Users | staff | /home/www.dailyplanet.com/ | Read | Read and Execute (required to transverse directories) |
We do not want employees from different companies access or even have awareness of each others web directory. At the same time, the Apache Server running as user www-data belonging to group www-data also needs access to the directories. We also want to grant users of the staff group read access for support purposes.
The utility setfacl is used to add the groups to the ACL for the respective directories,
sudo /home/ # Normal permissions sudo chown -R svradm:svradm ./www.dailyplanet.com/ sudo chmod -R o-rwx ./www.dailyplanet.com/ # ACL permissions sudo setfacl -Rm g:wgdailyplanet:rwx ./www.dailyplanet.com/ # not right, putting execute on files sudo setfacl -Rm g:www-data:r ./www.dailyplanet.com/ # not quite right, need execute on directories only sudo setfacl -Rm g:staff:r ./www.dailyplanet.com/
Once we are happy with the permissions, change the default ACLs so any files or folders created underneath the parent directories are maintained,
getfacl --access ./www.dailyplanet.com/ | sudo setfacl -d -RM - ./www.dailyplanet.com/
getfacl --access generates the details of the permissions we applied to the directory and the setfacl with the following parameters,
-d = Change default permissions for newly created files and folder.
-M = Take as input files. Because the dash is used, the file is instead standard input.
R = Apply changes recursively to folders and files.
Repeat the same steps for www.lexcorp.com and change the group accordingly,
sudo /home/ # Normal permissions sudo chown -R svradm:svradm ./www.lexcorp.com/ sudo chmod -R o-rwx ./www.lexcorp.com/ # ACL permissions sudo setfacl -Rm g:wglexcorp:rwx ./www.lexcorp.com/ sudo setfacl -Rm g:www-data:r ./www.lexcorp.com/ sudo setfacl -Rm g:staff:r ./www.lexcorp.com/ # Apply default ACLs getfacl --access ./www.lexcorp.com/ | sudo setfacl -d -RM - ./www.lexcorp.com/
Still one problem is that if files exist they have read from other... to fix this... maybe because I did it after, to test again...
References
Good introduction from the Ubuntu docs - https://help.ubuntu.com/community/FilePermissionsACLs
Slightly Skeptical view on ACLs - http://www.softpanorama.org/Articles/slightly_skeptical_view_on_unix_acl.shtml
/home/www.dailyplanet.com/
/home/www.lexcorp.com/