Revision as of 02:55, 5 March 2009
Access Control Lists
What Are ACLs And Their Purpose
Access control lists (ACLs) are a kernel-level feature of Fedora's default ext3 file system. ACLs provide an important level of flexibility for managing file permissions, that is, who or what has the rights to read, write, or execute a file.
Traditional Linux/UNIX file permissions (read, write, execute) are defined for three classes of users: the file owner, the file group, and others. This means that when a group is granted access to a particular shared resource (document, directory, printer, etc.), the same level of access is granted to all members of a group.
In practice, it is often required that some of the group members have limited or no access to the shared resource, or that the access is granted to other users who are not members of the particular group. In a non-ACL file permissions scheme this requires creation of numerous new groups, which quickly becomes difficult to manage, especially on large systems.
Fedora provides ACL support for ext3, NFS-exported ext3, and ext3 file systems accessed via Samba (which provides CIFS/Microsoft Windows file sharing).
The most common file manipulation utilities, such as mv, cp, and ls, also support ACLs. To preserve ACLs when archiving files, the star utility should be used instead of tar, which does not support ACLs.
There are two types of ACLs:
- Access ACL - ACL that controls the level of access to the object (file or directory)
- Default ACL - ACL associated with a directory. If set, all objects within a directory inherit the default ACL as their initial access ACL
Each ACL is composed of a set of ACL entries. Each ACL entry specifies access permissions to the object as a combination of read, write, and execute permissions for an individual user or a group.
Using Access Control Lists
There are a few prerequisites to using ACLs:
- File system must support ACLs
- File system must be mounted with the acl option
- RPM package acl must be installed
Enabling ACLs on a file system
On a default Fedora installation, file systems are mounted without ACL support. To enable ACLs for a local file system, edit the /etc/fstab file and add the acl option for the desired partition. The entry might look similar to:
LABEL=/data /data ext3 rw,acl 1 2
This entry ensures that ACL support is preserved after reboot, but a reboot is not required to enable ACLs. To accomplish this on an already mounted /data partition, run:
su -c '/bin/mount -o remount /data'
Additional parameters are not required when mounting ACL enabled remote Samba shares. If the client accessing an NFS share can read ACLs and the NFS share is exported from an ACL enabled file system, ACLs are utilized by the client.
Setting ACLs and retrieving ACL information
ACLs are controlled by two utilities:
- getfacl is used to retrieve ACL information
- setfacl is used to set or modify ACL entries
To view ACL information on an object (directory docs) in the /data directory, run:
getfacl /data/docs
The output shows ACL information associated with the docs directory:
getfacl: Removing leading '/' from absolute path names
user::rwx
group::r-x
other::r-x
Since ACLs are not yet set, this information corresponds to the common permissions on the /data/docs directory:
ls -dl /data/docs
drwxr-xr-x 5 jerry black 4096 Nov 1 19:57 /data/docs
To set an ACL for an object, run setfacl:
setfacl -m <rules> <object>
The command option -m is used to create or modify an ACL entry. For an object without previously set ACLs, a new ACL entry is created. If an object already has ACL entries, option -m modifies the existing ACL by appending the new ACL entry to the object's ACL.
The <object> is a file or a directory on which an ACL is created.
The <rules> are specified per user, per group, for the effective rights mask, or for users who are not members of the object's group, using one of the following:
- u:<uid>:<permissions>: sets the ACL for a user; <uid> can be a user name or numerical UID; <permissions> are any combination of rwx
- g:<gid>:<permissions>: sets the ACL for a group; <gid> can be a group name or numerical GID; <permissions> are any combination of rwx
- m:<permissions>: sets the effective rights mask on the object; <permissions> are any combination of rwx
- o:<permissions>: sets the ACL for users who are not members of the object group; <permissions> are any combination of rwx
The effective rights mask is a sum of all permissions of the object group owner and all ACLs set on the object. It represents the actual rights granted to all ACL users and groups on the object and limits their access to the level it specifies. If a user has read and write permission through an ACL but the mask is set to read, the more restrictive permission (read) is in effect. The effective mask does not apply to file owner or file group.
A numerical UID or GID can be specified for a non-existing user or group, respectively. If an actual user or group name is specified, it must exist on the system, otherwise the setfacl command exits with an error.
To specify multiple ACLs on the same line, separate them by commas. Blank spaces inside the rule text are ignored by setfacl, but the rule text must then be quoted so that the shell passes it as a single argument:
setfacl -m 'u:<uid>:rw,g:<gid>:rx, u:<uid>:r' /dir/file
To remove an ACL entry for a user, use the -x command option and do not specify any permissions:
setfacl -x u:<uid> /dir/file
To set the default ACL, prefix the rule with d:
setfacl -m d:g:<gid>:rx /dir
ACL examples
To grant the user carlos read, write, and execute rights on all files in the /data/docs directory, run:
setfacl -R -m u:carlos:rwx /data/docs
(i) Use the -R command option to recursively set the ACL on all files in the /data/docs directory.
To check permissions for the /data/docs directory, run:
ls -dl /data/docs
drwxrwxr-x+ 5 jerry black 4096 Nov 1 19:57 /data/docs
To check the modified ACL information for the /data/docs directory, run:
getfacl /data/docs
getfacl: Removing leading '/' from absolute path names
user::rwx
user:carlos:rwx
group::r-x
mask::rwx
other::r-x
Both of the above commands now produce a different output than previously.
The plus sign next to the permission bits in the ls output shows that an ACL is now set on the object. Likewise, the getfacl output has two additional entries:
- user:carlos:rwx indicates the additional user with access rights on the object
- mask::rwx denotes the effective rights on the object
The setfacl command also accepts input from text files. This is useful if identical long rules must be set for a large number of objects. To accomplish this, create a plain text file (rules.txt in the next example) with one rule per line and use the -M command option to set the ACL on all html files in the directory /dir:
setfacl -M rules.txt /dir/*.html
The format of the rules.txt file is the same as the output of the getfacl command with the --omit-header option:
getfacl --omit-header /data/etc/conf/script1.cfg
user::rw-
user:jerry:rw-
group::r--
group:black:r-x
mask::rwx
other::r--
This is very useful if the same ACL must be applied to some other files. You can create the rules.txt file by simply redirecting the output of the getfacl command:
getfacl --omit-header /data/etc/conf/script1.cfg > rules.txt
cat rules.txt
user::rw-
user:jerry:rw-
group::r--
group:black:r-x
mask::rwx
other::r--
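As an added example (not code from the Fedora wiki or the acl package), the following Python parses the short-form ACL text that getfacl --omit-header prints, i.e. the rules.txt format shown above, and then decides access the way acl(5) describes, which shows how the effective rights mask discussed earlier caps named users and groups but never the owner. The owner admin, owning group staff, the users ann, bob and eve, and the sample ACL text are constructed for the example.

```python
# Added example, not from the Fedora page: parse getfacl --omit-header text
# and decide access the way acl(5) describes, including the mask cap.

# Constructed sample, matching the script1.cfg listing above
SAMPLE_ACL = """\
user::rw-
user:jerry:rw-
group::r--
group:black:r-x
mask::rwx
other::r--
"""

def parse_acl(text):
    """Return {'user': {'': 'rw-', 'jerry': 'rw-'}, 'group': {...},
    'mask': 'rwx' or None, 'other': 'r--'}; key '' = owner / owning group."""
    acl = {"user": {}, "group": {}, "mask": None, "other": None}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        if tag in ("user", "group"):
            acl[tag][qualifier] = perms
        else:
            acl[tag] = perms
    return acl

def _bits(perms):
    return {c for c in perms if c in "rwx"}

def access_allowed(acl, requested, uid, gids, owner, owner_group):
    """True if `uid` (member of groups `gids`) may perform `requested`, e.g. "rw",
    on an object owned by `owner` with owning group `owner_group`."""
    want = _bits(requested)
    # Without a mask entry nothing is capped
    mask = _bits(acl["mask"]) if acl["mask"] is not None else set("rwx")
    if uid == owner:                           # owner entry is never masked
        return want <= _bits(acl["user"][""])
    if uid in acl["user"]:                     # named user: capped by the mask
        return want <= (_bits(acl["user"][uid]) & mask)
    # Owning group ('' key) and named groups the caller belongs to; acl(5)
    # grants if any one matching entry, after the mask, holds every bit asked for
    matching = [p for g, p in acl["group"].items() if (g or owner_group) in gids]
    if matching:
        return any(want <= (_bits(p) & mask) for p in matching)
    return want <= _bits(acl["other"])         # everyone else
```

The parser handles access ACL lines only; default entries (default:user:... as printed for directories with a default ACL) are not part of the rules.txt listing above and are not covered here.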
Copying And Archiving ACLs
The common file utilities mv and cp on Fedora support ACLs. Archiving tools such as tar and dump do not have support for ACLs, and the star utility should be used to preserve ACLs while archiving files.
Copying And Moving ACLs
To copy a file or directory while preserving ACLs, use the -p or -a command option:
cp -p /dir1/file1 /dirx/file2
cp -a /dir1/dir2 /dirx/dir3
The mv command always transfers ACLs, without any extra command options, if the destination file system is ACL enabled. If not, it transfers the files and issues a warning about the inability to preserve ACLs.
Archiving ACLs
To archive files or directories while preserving ACLs, use the star command with the -acl option:
star -c -acl file=backup.star /data
This creates the backup.star archive of the /data directory with preserved ACLs.
To restore the star archive and ACLs, run star with the -acl command option:
star -x -acl file=backup.star
This extracts the backup.star archive into the current directory with preserved ACLs. The target file system being extracted to must support ACLs for this to work.
Additional Information
Related web sites
ACLs web site: [1]
Related manuals
For more information on ACLs and associated utilities, read the following manual pages:
man acl
man getfacl
man setfacl
man star