AccessControlLists
Access Control Lists (commonly known as ACLs) are a way of specifying complicated permissions on objects. They apply in many situations - [Squid] uses ACLs to dictate who can access a certain site, iptables(8) rules effectively define access control lists, and they can be implemented in a filesystem. (NTFS uses ACLs natively; ext2/ext3 doesn't.)

!!!Filesystem ACLs

Those of you from the UNIX world may remember having been in a situation like the following: Techies need read/write to a directory. Marketing needs read. Joe needs full access. This is an impossible scenario with classic owner/group/others permissions: you can't have two groups that need two different permissions. With ACLs you can!

While other Unices have had their own versions of ACLs (eg Solaris has setfacl and getfacl), some of the Linux filesystems (eg reiserfs and ext2) now support them, and the 2.6 series of kernels makes some attempts to standardise the ACL methods.

!!Requirements

Debian Sarge comes with an ACL-enabled kernel and ACL utilities, but the utilities have to be installed. To install them (as root) enter:

<verbatim>
# apt-get install acl
</verbatim>

If you are using an older or a customized distribution, please make sure to check the basic requirements. The basics for using ACLs on ext2/3 partitions are:

* Having a patched kernel to allow it (get the 2.4 patch from http://acl.bestbits.at/ or run [LinuxKernel2.6])
* Having the ACL utilities
* Having a slightly modified version of fileutils.

It is also important to have a recent version of e2fsck, otherwise it'll screw up your ACLs. (This is in the [e2fsprogs|http://packages.qa.debian.org/e/e2fsprogs.html] package in Debian. The current version in woody (1.27-2) __is too old__! The solution to this is to use the backports for woody - add <tt>deb http://www.backports.org/debian woody kernel-2.6</tt> to your /etc/apt/sources.list.)

!!Kernel bits

Now! With the patched kernel, the appropriate options are (in menuconfig):

* File systems->POSIX Access Control Lists
* File systems->Ext3 journalling file system support
* File systems->Ext3 journalling file system support->Ext3 extended attributes
* File systems->Ext3 journalling file system support->Ext3 extended attributes->Ext3 POSIX Access Control Lists

If you use ext2, do the same for `Second extended fs support' a bit lower down. I don't know how this works for other filesystems (JFS, XFS) so someone else can wiki that :)

!!ACL utilities

The basic ACL utilities you will want are `getfacl' and `setfacl'. If you haven't already got them, you can get them from http://acl.bestbits.at/ . On Gentoo they are in the package [sys-apps/acl|http://packages.gentoo.org/packages/?category=sys-apps;name=acl]; in Debian they are in the package [acl|http://packages.qa.debian.org/a/acl.html]. Debian also has an `acl-dev' package which contains the libraries and headers and such.

!!How to use this stuff

Right! Onto the juicy stuff. First off, you need to make sure your ext2/3 partitions are mounted with the `acl' option. If they aren't, you will get this:

<verbatim>
cyan /# setfacl -m u:rgh:rwx tmp
setfacl: tmp: Operation not supported
</verbatim>

So, make sure `acl' is in the options list in /etc/fstab for the partitions you want to use ACLs on. Eg:

<verbatim>
/dev/sda7 /tmp ext3 defaults,acl 0 2
</verbatim>

!!!ACL Basics

An ACL entry for use with the command line looks like <tt>~[gu]:<group|user>:perms</tt>. So, to give group `techies' rwx access to /techie_folder, you would type:

<verbatim>
setfacl -m g:techies:rwx /techie_folder
</verbatim>

To see the results:

<verbatim>
getfacl /techie_folder
</verbatim>

You'll get something like this:

!# file: techie_folder%%%
!# owner: root%%%
!# group: staff%%%
user::rwx%%%
group::r-x%%%
__group:techies:rwx__%%%
mask::rwx%%%
other::r-x%%%

The -m just means you are modifying the ACL directly from the command line, as opposed to reading it from stdin (described later).
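The mask entry in that output matters: named users, named groups and the owning group are all capped by it, and a plain chmod on the directory rewrites the mask, so an entry that reads rwx can silently grant only r-x. The following Python script, an added example and not part of the original wiki page, parses getfacl output and reports what each entry really grants; SAMPLE_GETFACL is constructed for the techies/marketing/joe scenario above.

```python
"""What a POSIX ACL actually grants, computed from getfacl output. Added example,
not from the wiki page; SAMPLE_GETFACL is constructed (mask left at r-x by chmod)."""

# Constructed sample of `getfacl techie_folder` output, including the
# "#effective:" note getfacl prints when the mask cuts an entry down.
SAMPLE_GETFACL = """\
# file: techie_folder
# owner: root
# group: staff
user::rwx
user:joe:rwx            #effective:r-x
group::r-x
group:techies:rwx       #effective:r-x
group:marketing:r-x
mask::r-x
other::---
"""

def perms_to_bits(perms):
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0."""
    return ((perms[0] == 'r') << 2) | ((perms[1] == 'w') << 1) | (perms[2] == 'x')

def bits_to_perms(bits):
    return ''.join(c if bits & b else '-' for c, b in (('r', 4), ('w', 2), ('x', 1)))

def parse_getfacl(text):
    """Return (header dict, [(tag, qualifier, bits), ...]) from getfacl text."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('#'):                  # "# file: ..." header lines
            key, _, value = line[1:].strip().partition(': ')
            header[key] = value
        elif line:
            body = line.split('#', 1)[0].strip()  # drop "#effective:" annotation
            if not body.startswith('default:'):   # default entries only affect new files
                tag, qualifier, perms = body.split(':')
                entries.append((tag, qualifier, perms_to_bits(perms)))
    return header, entries

def effective_permissions(text):
    """Map 'tag:qualifier' -> granted perms. Named users, named groups and the
    owning group are limited by mask::; user:: (owner) and other:: never are."""
    _, entries = parse_getfacl(text)
    mask = next((b for tag, _, b in entries if tag == 'mask'), 7)
    result = {}
    for tag, qualifier, bits in entries:
        masked = tag == 'group' or (tag == 'user' and qualifier != '')
        result[f'{tag}:{qualifier}'] = bits_to_perms(bits & mask if masked else bits)
    return result
```

Run it over real `getfacl -R` output to find directories where the mask, not the named entries, decides who can write.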
man setfacl reveals all! Additional information can be found in the [man pages|http://acl.bestbits.at/man/man.shtml] or in this [article|http://www.linux-mag.com/2003-09/acls_01.html].

!!!ACLs with Samba

Samba 3 can use libacl to provide full ACL access to Samba shares. To check that it's compiled into Samba, run:

<verbatim>
testparm -v
</verbatim>

Then install libacl. Now it seems like you don't have to do anything more. See http://www.bluelightning.org/linux/samba_acl_howto/ for a small howto.