Introduction
The permissions system you'll probably be familiar with on Linux involves allocating an owner and group to every file (inherited from the user who created it) and setting the read, write and execute permissions for the owner, the group and for everyone else. This system is fine for most situations, however in certain circumstances you may find these somewhat restrictive.
For instance if you have two users working on a small project - small enough that creating a group for the two users to collectively use would be overkill - it'd be useful to simply give full permissions on those files to both users. Alternatively what if you wanted to grant the permissions to access a specific directory to two large groups - again it'd be a lot of work to create a new group with all these people in, and ensure that it is maintained as the original groups have users added and removed.
With those two examples; the easiest solution would be to simply define the rights for multiple users or groups directly on the files. This tutorial will demonstrate how to achieve this.
Taking a Closer Look at Your Files
We'll begin by looking at the standard permissions on a selection of files, using the ls command, like so.
: chrish@delli@15:51 ; ls -l
total 12
drwxr-xr-x 2 chrish chrish 4096 2010-03-23 15:51 directory
-rw-r--r-- 1 chrish chrish 1875 2010-03-23 15:50 larger.file
-rw-r--r-- 1 chrish chrish 99 2010-03-23 15:51 smaller.file
Here we can see that the two files in the current working directory are Readable and Writeable by their owner, who is chrish, and that they are Readable by both those in the group chrish and everyone else. The directory, 'directory', is Writeable only by user chrish, while user chrish, members of group chrish and everyone else may Read and eXecute it (for a directory the eXecute bit allows the directory to be traversed).
If you are not entirely au fait with what we have covered so far, it would be useful to consult a tutorial on basic Unix filesystem permissions (such as the one found at http://www.library.yale.edu/wsg/docs/permissions/).
Now we will use a different tool to view the permissions, getfacl (GET Filesystem Access Control List).
: chrish@delli@15:51 ; getfacl larger.file
# file: larger.file
# owner: chrish
# group: chrish
user::rw-
group::r--
other::r--
There we can see a more drawn-out representation of the permissions of the file, 'larger.file'. However it is exactly the same data as shown in the ls for that file. It is only when we apply extended access control list permissions to the file that this tool becomes useful.
Setting Extended Access Controls
Let's begin by modifying the ACL to provide read and write access for group 'tech'. To do this, use the setfacl (SET Filesystem Access Control List) command with the modify switch, -m. In this mode you can modify any of the existing ACL entries as well as create new ones. The format of the modify parameter is:
TYPE:USER/GROUP:PERMISSIONS
Type can be either 'g' or 'u' depending on whether you are setting group or individual user permissions. The user or group is the name of the specific user or group you want to set permissions for. Finally, the permissions are the string rwx (read, write and execute) with whichever permissions you don't want active replaced by a '-'. Therefore the parameter u:piotr:r-x would provide user piotr with read and execute permissions on whatever file it is applied to. Here's an example:
: chrish@delli@16:35 ; setfacl -m g:tech:rw- larger.file
You can also use the octal-mode style permissions instead of rwx notation, like so:
: chrish@delli@16:35 ; setfacl -m g:tech:6 larger.file
If you get an "Operation not supported" error while attempting to use the setfacl command it is possible that the filesystem you are trying to use it on does not have ACLs enabled. To enable them you'll have to remount the filesystem using a command like the following - this requires root access and is not necessarily a great idea to do on a production server.
: root@delli@16:33 ; mount -o remount,acl /home # presuming that we're working on the /home partition.
If that fixes the problem, you'll need to update the configuration file /etc/fstab so that during future system boots the filesystem will be mounted with the acl option set. To do this consult the documentation provided for your Linux distribution.
If all worked out you should see a new line in the output of getfacl, like so.
: chrish@delli@16:40 ; getfacl larger.file
# file: larger.file
# owner: chrish
# group: chrish
user::rw-
group::r--
**group:tech:rw-**
mask::rw-
other::r--
Now if we do an ls in this directory we will see that 'larger.file' now has a plus after its permissions string. This notifies us that the file makes use of filesystem ACLs.
: chrish@delli@10:48 ; ls -l
total 12
drwxr-xr-x 2 chrish chrish 4096 2010-03-23 15:51 directory
-rw-rw-r--+ 1 chrish chrish 1875 2010-03-23 15:50 larger.file
-rw-r--r-- 1 chrish chrish 99 2010-03-23 15:51 smaller.file
In the following example we assign read and write permission for the user 'zabbix' on 'larger.file'.
setfacl -m u:zabbix:6 larger.file
Finally, to use setfacl recursively use the -R switch, and to remove ACLs from a file use the -b switch.
setfacl -R -m u:temporary-worker:6 /var/project/new_site
setfacl -b /home/chrish/public_html/acl_mistake.file
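As an added example (not from the original post), the following shell script shows how the mask:: line that appeared in the getfacl output above limits the extended entries: a named user, a named group and the owning group only get a right that is also set in the mask, which is worth checking before assuming an entry like group:tech:rw- really grants write. The getfacl text it parses is constructed to match the format shown on this page; the piotr entry is the one from the parameter description.

```shell
#!/bin/sh
# Added example, not from the original post. Reads getfacl output and prints
# the effective rights of each entry the mask governs, marking those that
# still grant write. The sample ACL below is constructed.

# Intersect an rwx triple with the mask, position by position:
# a right survives only if it is set in both.
apply_mask() {
    p="$1"; m="$2"; out=""
    for i in 1 2 3; do
        c=$(printf '%s' "$p" | cut -c"$i")
        k=$(printf '%s' "$m" | cut -c"$i")
        if [ "$c" != "-" ] && [ "$c" = "$k" ]; then out="$out$c"; else out="$out-"; fi
    done
    printf '%s' "$out"
}

# Takes getfacl output as $1. The user:: (owner) and other:: entries are
# not subject to the mask, so they are skipped along with the # comments.
effective_acl() {
    acl="$1"
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\([rwx-]*\)$/\1/p')
    [ -n "$mask" ] || mask="rwx"      # no mask line: nothing is masked off
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case "$line" in
            group::*|user:?*:*|group:?*:*) ;;   # entries the mask applies to
            *) continue ;;
        esac
        type=${line%%:*}
        rest=${line#*:}
        name=${rest%%:*}; perms=${rest#*:}
        eff=$(apply_mask "$perms" "$mask")
        flag=""
        case "$eff" in *w*) flag=" WRITE" ;; esac
        printf '%s:%s:%s effective=%s%s\n' "$type" "$name" "$perms" "$eff" "$flag"
    done
}

# Constructed sample in the format getfacl prints on this page.
SAMPLE_ACL='# file: larger.file
# owner: chrish
# group: chrish
user::rw-
group::r--
user:piotr:r-x
group:tech:rw-
mask::rw-
other::r--'

effective_acl "$SAMPLE_ACL"
```

Note that piotr's r-x collapses to r-- because the mask has no x bit, while group tech keeps rw- and is flagged.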
If you are interested in learning more about filesystem ACLs you may find that the article at http://www.vanemery.com/Linux/ACL/linux-acl.html goes into a little more detail; the article at http://www.suse.de/~agruen/acl/linux-acls/online/ covers just about every aspect of this topic, although it is aimed at a fairly technical audience.
Thursday, April 1, 2010
Advanced Filesystem Permissions Using Extended ACLs