m (Fixed templates) |
(add old tag) |
||
| (5 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
{{ | {{old}} | ||
{{Admon/ | {{Admon/caution | Section is ready for conversion to XML}} | ||
== Access Control Lists == | == Access Control Lists == | ||
| Line 182: | Line 182: | ||
</pre> | </pre> | ||
{{Admon/tip | The <code>/dirx</code> directory must reside on a partition mounted with the <code>acl</code> option to copy the ACL of <code>file1</code> to <code>file2</code>.}} | {{Admon/tip | ''The <code>/dirx</code> directory'' must reside on a partition mounted with the <code>acl</code> option to copy the ACL of <code>file1</code> to <code>file2</code>.}} | ||
<pre>cp -a /dir1/dir2 /dirx/dir3 | <pre>cp -a /dir1/dir2 /dirx/dir3 | ||
</pre> | </pre> | ||
{{Admon/tip | ''The <code>/dirx</code> directory'' must reside on a partition mounted with the <code>acl</code> option to copy the ACLs of <code>dir2</code> to <code>dir3</code>.}} | |||
{{Admon/tip | The <code>/dirx</code> directory must reside on a partition mounted with the <code>acl</code> option to copy the ACLs of <code>dir2</code> to <code>dir3</code>.}} | |||
The <code>mv</code> command always transfers ACLs, without any extra command options, if the destination file system is ACL enabled. If not, it transfers the files and issues a warning about the inability to preserve ACLs. | The <code>mv</code> command always transfers ACLs, without any extra command options, if the destination file system is ACL enabled. If not, it transfers the files and issues a warning about the inability to preserve ACLs. | ||
| Line 220: | Line 219: | ||
* <code>man setfacl</code> | * <code>man setfacl</code> | ||
* <code>man star</code> | * <code>man star</code> | ||
{{Admon/warning | Section is ready for conversion to XML}} | |||
[[Category:Administration Guide]] | |||
Latest revision as of 20:58, 19 September 2015
This page has been marked as "old", and likely contains content that is irrelevant or incorrect. If you can, please update this page. This page will be deleted if action is not taken.
.png){kind=small}
Access Control Lists
What Are ACLs And Their Purpose
Access control lists (ACLs) are a kernel-level feature of Fedora's default ext3 file system. ACLs provide an important level of flexibility for managing file permissions, that is, who or what has the rights to read, write, or execute a file.
Traditional Linux/UNIX file permissions (read, write, execute) are defined for three classes of users: the file owner, the file group, and others. This means that when a group is granted access to a particular shared resource (document, directory, printer, etc.), the same level of access is granted to all members of a group.
In practice, it is often required that some of the group members have limited or no access to the shared resource, or that the access is granted to other users who are not members of the particular group. In a non-ACL file permissions scheme this requires creation of numerous new groups, which quickly becomes difficult to manage, especially on large systems.
Fedora provides ACL support for ext3, NFS-exported ext3, and ext3 file systems accessed via Samba (which provides CIFS/Microsoft Windows file sharing.)
The most common file manipulation utilities, such as mv, cp, and ls also support ACLs. To preserve ACLs when archiving files, the star utility should be used instead of tar, which does not support ACLs.
There are two types of ACLs:
- Access ACL - ACL that controls the level of access to the object (file or directory)
- Default ACL - ACL associated with a directory. If set, all objects within a directory inherit the default ACL as their initial access ACL
Each ACL is composed of a set of ACL entries. Each ACL entry specifies access permissions to the object as a combination of read, write, and execute permissions for an individual user or a group.
Using Access Control Lists
There are a few prerequisites to using ACLs:
- File system must support ACLs
- File system must be mounted with
acloption - RPM package
aclmust be installed
Enabling ACLs on a file system
On a default Fedora installation, file systems are mounted without ACL support. To enable ACLs for a local file system, edit the /etc/fstab file and add the acl option for the desired partition. The entry might look similar to:
LABEL=/data /data ext3 rw,acl 1 2
This entry ensures that ACL support is preserved after reboot but reboot is not required to enable ACLs. To accomplish this on an already mounted /data partition run:
su -c '/bin/mount -o remount /data'
Additional parameters are not required when mounting ACL enabled remote Samba shares. If the client accessing an NFS share can read ACLs and the NFS share is exported from an ACL enabled file system, ACLs are utilized by the client.
Setting ACLs and retrieving ACL information
ACLs are controlled by two utilities:
getfaclis used to retrieve ACL informationsetfaclis used to set or modify ACL entry
To view ACL information on an object (directory docs) in the /data directory, run:
getfacl /data/docs
The output shows ACL information associated with the docs directory:
getfacl: Removing leading '/' from absolute path names user::rwx group::r-x other::r-x
Since ACLs are not yet set, this information corresponds to common permissions on the /data/docs directory:
ls -dl /data/docs drwxr-xr-x 5 jerry black 4096 Nov 1 19:57 /data/docs
To set an ACL for an object, run setfacl:
setfacl -m <rules> <object>
The command option -m is used to create or modify an ACL entry. For an object without previously set ACLs, a new ACL entry is created. If an object already has an ACL entry, option -m modifies the existing ACL entry by appending the new ACL entry to the object's ACL.
--set option, all user, group, and others permissions must be defined. The command option
--set is used to create a new ACL or replace all existing ACLs on the object, so it needs a complete definition for the setting.The <object> is a file or a directory on which an ACL is created
The <rules> are specified per user, per group, using an effective rights mask or for users who are not members of the user group for an object, using one of the following:
u:<uid>:<permissions>: sets the ACL for user; <uid> can be user name or numerical UID; <permissions> are any combination of rwx
g:<gid>:<permissions>: sets the ACL for group; <gid> can be group name or numerical GID; <permissions> are any combination of rwx
m:<permissions>: sets the effective rights mask on the object; <permissions> are any combination of rwx
o:<permissions>: sets the ACL for users who are not members of the object group; <permissions> are any combination of rwx
The effective rights mask is a sum of all permissions of the object group owner and all ACLs set on the object. It represents the actual rights granted to all ACL users and groups on the object and limits their access to the level it specifies. If a user has read and write permission through an ACL but the mask is set to read, the more restrictive permission (read) is in effect. The effective mask does not apply to file owner or file group.
Numerical UID or GID can be specified for a non-existing user or group, respectively. If the actual user or group name is specified, they must exist on the system, otherwise the setfacl command exits with an error.
To specify multiple ACLs on the same line, separate them by commas. Blank spaces are ignored:
setfacl -m u:<uid>:rw,g:<gid>:rx, u:<uid>:r /dir/file
To remove an ACL entry for user, use the -x command option and do not specify any permissions:
setfacl -x u:<uid> /dir/file
To set the default ACL, prefix the rule with a d:
setfacl -m d:g:<gid>:rx /dir
ACL examples
To grant the user carlos read, write, and execute rights on all files in the /data/docs directory, run:
setfacl -R -m u:carlos:rw /data/docs
(i) Use the -R command option to recursively set ACL on all files in /data/docs directory.
To check permissions for the /data/docs directory, run:
ls -dl /data/docs drwxrwxr-x+ 5 jerry black 4096 Nov 1 19:57 /data/docs
To check modified ACL information for the /data/docs directory, run:
getfacl /data/docs getfacl: Removing leading '/' from absolute path names user::rwx user:carlos:rwx group::r-x mask::rwx other::r-x
Both of the above commands now produce a different output than previously.
The plus sign next to permission bits after the ls command shows that the ACL is now set on the object. Likewise, the getfacl output has two additional entries:
user:carlos:rwxindicates the additional user with the access rights on the objectmask::rwxdenotes the effective rights on the object
The setfacl command also accepts input from text files. This is useful if identical long rules must be set for large number of objects. To accomplish this, create a plain text file (rules.txt in the next example) with a rule per line and use the -M command option to set ACL on all html files in a directory /dir:
setfacl -M rules.txt /dir/*.html
The format of the rules.txt file is the same as an output of the getfacl command with the --omit-header option:
getfacl --omit-header /data/etc/conf/script1.cfg user::rw- user:jerry:rw- group::r-- group:black:r-x mask::rwx other::r--
This is very useful if the same ACL must be applied to some other files. You can create the rules.txt file by simply redirecting the output of the getfacl command:
getfacl --omit-header /data/etc/conf/script1.cfg > rules.txt cat rules.txt user::rw- user:jerry:rw- roup::r-- group:black:r-x mask::rwx other::r--
Copying And Archiving ACLs
Common file utilities mv and cp on Fedora support ACLs. Archiving tools such as tar and dump do not have support for ACLs and the star utility should be used to preserve ACLs while archiving files.
Copying And Moving ACLs
To copy the file or directory while preserving ACLs, use the -p or -a command option:
cp -p /dir1/file1 /dirx/file2
/dirx directory must reside on a partition mounted with the acl option to copy the ACL of file1 to file2.cp -a /dir1/dir2 /dirx/dir3
/dirx directory must reside on a partition mounted with the acl option to copy the ACLs of dir2 to dir3.The mv command always transfers ACLs, without any extra command options, if the destination file system is ACL enabled. If not, it transfers the files and issues a warning about the inability to preserve ACLs.
Archiving ACLs
To archive the files or directories while preserving ACLs, use the star command with the -acl option:
star -c -acl file=archive.star /data
This creates the backup.star archive of /data directory with preserved ACLs.
To restore the star archive and ACLs, run star with the -acl command option:
star -x -acl file=backup.star
This extracts the backup.star archive into current directory with preserved ACLs. The target filesystem being extracted to must support ACLs for this to work.
Additional Information
Related web sites
ACLs web site: [1]
Related manuals
For more information on ACLs and associated utilities, read the following manual pages:
man aclman getfaclman setfaclman star
