| Rev | Author | # | Line |
|---|---|---|---|
| 13 | DanielLawson | 1 | Access Control Lists (commonly known as ACLs) are a way of specifying complicated permissions to objects. |
| 2 | |||
| 3 | They can apply to many situations - [Squid] uses ACL's to dictate who can access a certain site, iptables(8) rules effectively define access control lists, and they can be implemented in a filesystem. (NTFS uses ACL's natively - ext2/ext3 doesn't.) | ||
| 4 | |||
| 5 | !!!Filesystem ACLs | ||
| 6 | |||
| 7 | Those of you from the UNIX world may remember when you have been in a situation like the following: | ||
| 8 | |||
| 9 | Techies need read/write to a directory. Marketing needs read. Joe needs full access. | ||
| 10 | |||
| 11 | This is an impossible scenario with classic owner/group/others permissions. You can't have two groups that need two different permissions. With ACLs you can! While other Unices have had their own versions of ACLs (eg solaris has setfacl and getfacl), some of the Linux filesystems (eg reiserfs and ext2) now support them, and the 2.6 series of kernels makes some attempts to standardise the ACL methods. | ||
| 12 | |||
| 13 | !!Requirements | ||
| 20 | PaulScheremet | 14 | |
| 15 | Debian Sarge comes with acl-enabled kernel and ACL utilities, but the utilities have to be installed. | ||
| 16 | To install them (as root) enter: | ||
| 17 | <verbatim> | ||
| 18 | # apt-get install acl | ||
| 19 | </verbatim> | ||
| 20 | |||
| 21 | If you are using an older or a customized distribution, please make sure to check the basic requirements: | ||
| 13 | DanielLawson | 22 | |
| 23 | The basics for using ACLs on ext2/3 partitions are: | ||
| 24 | * Having a patched kernel to allow it (get the 2.4 patch from http://acl.bestbits.at/ or run [LinuxKernel2.6]) | ||
| 25 | * Having the ACL utilities | ||
| 26 | * Having a slightly modified version of fileutils. | ||
| 27 | |||
| 28 | It is also important to have a recent version of e2fsck otherwise it'll screw up your ACLs. (This is in the [e2fsprogs|http://packages.qa.debian.org/e/e2fsprogs.html] package in Debian. The current version in woody (1.27-2) __is too old__! The solution to this is to use the backports for woody - add | ||
| 29 | deb http://www.backports.org/debian woody kernel-2.6 | ||
| 30 | to your /etc/apt/sources.list.) | ||
| 31 | |||
| 32 | !!Kernel bits | ||
| 33 | Now! | ||
| 34 | With the patched kernel, the appropriate options are (in menuconfig): | ||
| 35 | * File systems->POSIX Access Control Lists | ||
| 36 | * File systems->Ext3 journalling file system support | ||
| 37 | * File systems->Ext3 journalling file system support->Ext3 extended attributes | ||
| 38 | * File systems->Ext3 journalling file system support->Ext3 extended attributes->Ext3 POSIX Access Control Lists | ||
| 39 | |||
| 40 | If you use ext2, do the same for `Second extended fs support' a bit lower down. | ||
| 41 | I don't know how this works for other fs' (JFS, XFS) so someone else can wiki that :) | ||
| 42 | |||
| 43 | !!ACL utilities | ||
| 44 | |||
| 45 | The basic ACL utilities you will want are `getfacl' and `setfacl'. If you havn't already got them, you can get them from http://acl.bestbits.at/ . On Gentoo they are in the package [sys-apps/acl|http://packages.gentoo.org/packages/?category=sys-apps;name=acl] in Debian they are in the package [acl|http://packages.qa.debian.org/a/acl.html]. Debian also has an `acl-dev' which contains the libraries and headers and such. | ||
| 46 | |||
| 47 | !!How to use this stuff | ||
| 48 | |||
| 49 | Right! Onto the juicy stuff. First off, you need to make sure your ext2/3 partitions are mounted with the `acl' option. If they aren't, you will get this: | ||
| 14 | DanielLawson | 50 | <verbatim> |
| 13 | DanielLawson | 51 | cyan /# setfacl -m u:rgh:rwx tmp |
| 52 | setfacl: tmp: Operation not supported | ||
| 14 | DanielLawson | 53 | </verbatim> |
| 13 | DanielLawson | 54 | |
| 55 | So, make sure (acl) is in the options list in /etc/fstab for the patitions you want to use acls on. | ||
| 56 | EG: | ||
| 57 | <verbatim> | ||
| 58 | /dev/sda7 /tmp ext3 defaults,acl 0 2 | ||
| 59 | </verbatim> | ||
| 60 | |||
| 61 | !!!ACL Basics | ||
| 62 | |||
| 63 | An ACL for use with the command line looks like <tt>~[gu]:<group|user>:perms</tt>. | ||
| 64 | So, to give group `techies' rwx access to /techie_folder, you would type: | ||
| 14 | DanielLawson | 65 | <verbatim> |
| 13 | DanielLawson | 66 | setfacl -m g:techies:rwx /techie_folder |
| 14 | DanielLawson | 67 | </verbatim> |
| 13 | DanielLawson | 68 | To see the results: |
| 14 | DanielLawson | 69 | <verbatim> |
| 13 | DanielLawson | 70 | getfacl /techie_folder |
| 14 | DanielLawson | 71 | </verbatim> |
| 13 | DanielLawson | 72 | You'll get something like this: |
| 14 | DanielLawson | 73 | |
| 13 | DanielLawson | 74 | !# file: techie_folder%%% |
| 75 | !# owner: root%%% | ||
| 76 | !# group: staff%%% | ||
| 77 | user::rwx%%% | ||
| 78 | group::r-x%%% | ||
| 79 | __group:techies:rwx__%%% | ||
| 80 | mask::rwx%%% | ||
| 81 | other::r-x%%% | ||
| 82 | |||
| 83 | The -m just means you are modifying the ACL directly from the command line, as opposed to from stdin later. man setfacl reveals all! | ||
| 14 | DanielLawson | 84 | |
| 85 | Additional informations can be found in the [man pages|http://acl.bestbits.at/man/man.shtml] or in this [article|http://www.linux-mag.com/2003-09/acls_01.html]. | ||
| 13 | DanielLawson | 86 | |
| 87 | !!!ACL's with Samba | ||
| 88 | |||
| 16 | PaulScheremet | 89 | Samba 3 supports using libacl to support full ACL access to Samba shares. |
| 90 | To ensure it's compiled into Samba do: | ||
| 91 | <verbatim> | ||
| 92 | testparm -v | ||
| 93 | </verbatim> | ||
| 94 | Then install libacl. Now it seems like you don't have to do anything more. See http://www.bluelightning.org/linux/samba_acl_howto/ for a small howto. |
lib/blame.php:177: Warning: Invalid argument supplied for foreach()