Penguin

Access Control Lists (commonly known as ACLs) are a way of specifying complicated permissions to objects.

They can apply to many situations - Squid uses ACL's to dictate who can access a certain site, iptables(8) rules effectively define access control lists, and they can be implemented in a filesystem. (NTFS uses ACL's natively - ext2/ext3 doesn't.)

Filesystem ACLs

Those of you from the UNIX world may remember when you have been in a situation like the following:

Techies need read/write to a directory. Marketing needs read. Joe needs full access.

This is an impossible scenario with classic owner/group/others permissions. You can't have two groups that need two different permissions. With ACLs you can! While other Unices have had their own versions of ACLs (eg solaris has setfacl and getfacl), some of the Linux filesystems (eg reiserfs and ext2) now support them, and the 2.6 series of kernels makes some attempts to standardise the ACL methods.

Requirements

Debian Sarge comes with acl-enabled kernel and ACL utilities, but the utilities have to be installed. To install them (as root) enter:

# apt-get install acl

If you are using an older or a customized distribution, please make sure to check the basic requirements:

The basics for using ACLs on ext2/3 partitions are:

It is also important to have a recent version of e2fsck otherwise it'll screw up your ACLs. (This is in the e2fsprogs package in Debian. The current version in woody (1.27-2) is too old! The solution to this is to use the backports for woody - add

deb http://www.backports.org/debian woody kernel-2.6

to your /etc/apt/sources.list.)

Kernel bits

Now! With the patched kernel, the appropriate options are (in menuconfig):

  • File systems->POSIX Access Control Lists
  • File systems->Ext3 journalling file system support
  • File systems->Ext3 journalling file system support->Ext3 extended attributes
  • File systems->Ext3 journalling file system support->Ext3 extended attributes->Ext3 POSIX Access Control Lists

If you use ext2, do the same for `Second extended fs support' a bit lower down. I don't know how this works for other fs' (JFS, XFS) so someone else can wiki that :)

ACL utilities

The basic ACL utilities you will want are `getfacl' and `setfacl'. If you havn't already got them, you can get them from http://acl.bestbits.at/ . On Gentoo they are in the package sys-apps/acl in Debian they are in the package acl. Debian also has an `acl-dev' which contains the libraries and headers and such.

How to use this stuff

Right! Onto the juicy stuff. First off, you need to make sure your ext2/3 partitions are mounted with the `acl' option. If they aren't, you will get this:

 cyan /# setfacl -m u:rgh:rwx tmp
 setfacl: tmp: Operation not supported

So, make sure (acl) is in the options list in /etc/fstab for the patitions you want to use acls on. EG:

 /dev/sda7      /tmp        ext3     defaults,acl        0 2

ACL Basics

An ACL for use with the command line looks like [gu]:<group|user>:perms. So, to give group `techies' rwx access to /techie_folder, you would type:

 setfacl -m g:techies:rwx /techie_folder

To see the results:

 getfacl /techie_folder

You'll get something like this:

# file: techie_folder

# owner: root

# group: staff

user::rwx
group::r-x
group:techies:rwx
mask::rwx
other::r-x

The -m just means you are modifying the ACL directly from the command line, as opposed to from stdin later. man setfacl reveals all!

Additional informations can be found in the man pages or in this article.

ACL's with Samba

Samba 3 supports using libacl to support full ACL access to Samba shares. To ensure it's compiled into Samba do:

  testparm -v

Then install libacl. Now it seems like you don't have to do anything more. See http://www.bluelightning.org/linux/samba_acl_howto/ for a small howto.