Monday, July 13, 2009

ACL - Access Control List

ACL entry syntax
entry-type:[UID or GID]:perm

Introducing ACL Commands

getfacl [-a] [-d] filename(s) -- Displays ACL entries for files
-a -- Displays the filename, file owner, file group, and ACL entries for the specified file
-d -- Displays the filename, file owner, file group, and default ACL entries
setfacl -m acl_entries filename -- Creates or modifies ACL entries on files
setfacl -s acl_entries filename -- Substitutes new ACL entries for the old ACL entries
setfacl -d acl_entries filename -- Deletes one or more ACL entries on files (Solaris syntax; on Linux -d means "default")
setfacl -f acl_file filename -- Specifies an ACL configuration file that contains ACL entries
to set on other files
setfacl -r filename -- Recalculates the ACL mask based on the ACL entries; used with
the -m or -s option
$ ls -l
-rw-r--r--+ 1 userc staff 0 Jan 2 13:40 file2 -- A plus sign appears for files
that carry ACL entries beyond the standard mode bits

No effective permission is listed for the file's owner or for "other" users, because the ACL mask does not apply to them. The file's group and any specific users or groups present in the ACL do have effective permissions. When no ACL mask is explicitly set on a file or directory, the ACL mask has the same permissions as the group permissions of that file or directory.

$ getfacl file1 -- No ACL entries present
# file: file1
# owner: userc
# group: sysadmin
user::rw-
group::r--              #effective:r--
mask:r--
other:r--

$ getfacl file2 -- Custom ACL entry present
# file: file2
# owner: userc
# group: sysadmin
user::rw-
user:usera:rwx          #effective:r--
group::r--              #effective:r--
mask:r--
other:r--

The effective permission shows which permissions are actually allowed: it is the intersection (a Boolean AND) of the ACL entry and the ACL mask. Here usera is granted rwx, but because the mask is r-- usera can effectively only read file2.

$ setfacl -m u:userb:7 file2 -- Set special permission for userb (username); 7 is the octal form of rwx
$ getfacl file2
# file: file2
# owner: userc
# group: sysadmin
user::rw-
user:usera:rwx          #effective:r--
user:userb:rwx          #effective:r--
group::r--              #effective:r--
mask:r--
other:r--

$ setfacl -d u:usera file2 -- Removing special permissions
$ getfacl file2
# file: file2
# owner: userc
# group: sysadmin
user::rw-
user:userb:rwx          #effective:r--
group::r--              #effective:r--
mask:r--
other:r--

setfacl -s u::perm,g::perm,o:perm,m:perm,[u:UID:perm],[g:GID:perm] filename
$ setfacl -s u::rwx,g::rw-,o:r--,m:rw-,u:usera:rwx file1
$ getfacl file1
# file: file1
# owner: userc
# group: sysadmin
user::rwx
user:usera:rwx          #effective:rw-
group::rw-              #effective:rw-
mask:rw-
other:r--

$ setfacl -s u::7,g::6,o:4,m:6,u:usera:7 file2 -- The same entries written as octal digits

$ setfacl -r -m u:usera:7 file1 -- Add the entry and recalculate the ACL mask: with -r the mask
becomes the union of the group entry and all named user/group entries, so usera's rwx is no longer cut down to rw-
$ getfacl file1
# file: file1
# owner: userc
# group: sysadmin
user::rwx
user:usera:rwx          #effective:rwx
group::rw-              #effective:rw-
mask:rwx
other:r--

getfacl filename1 | setfacl -f - filename2
$ getfacl file1 | setfacl -f - file3 -- Copying an ACL list from file1 to file3

You can set default ACL entries only on directories. You must set default ACL entries for the user, group, other, and ACL mask before you set a default ACL entry for an additional user or group.

$ pwd
/export/home/userc
$ mkdir dir1
$ ls -ld dir1
drwxr-xr-x 2 userc sysadmin 512 Apr 29 17:11 dir1
$ getfacl dir1
# file: dir1
# owner: userc
# group: sysadmin
user::rwx
group::r-x              #effective:r-x
mask:r-x
other:r-x

$ setfacl -m d:u::rwx,d:g::r-x,d:o:r-x,d:m:r-x dir1
$ setfacl -m default:user:usera:rwx dir1
$ getfacl dir1
# file: dir1
# owner: userc
# group: sysadmin
user::rwx
group::r-x              #effective:r-x
mask:r-x
other:r-x
default:user::rwx
default:user:usera:rwx
default:group::r-x
default:mask:r-x
default:other:r-x

Effect of Default ACLs on New Subdirectories

When a directory contains a default ACL, the permissions granted to the user, group, and other categories of a new subdirectory are the intersection of mode 777 (the UNIX creation mode for directories) with the default ACL entries. The umask is not applied in this case: the default ACL takes its place.

When a subdirectory or file is created, the permissions on the new object are generated from the intersection of the parent's default ACL entries and the mode requested at creation time.

$ mkdir dir1/subdir1
$ ls -l dir1
drwxr-xr-x+ 2 userc sysadmin 512 Apr 30 08:01 subdir1
$ getfacl dir1/subdir1
# file: dir1/subdir1
# owner: userc
# group: sysadmin
user::rwx
user:usera:rwx          #effective:r-x
group::r-x              #effective:r-x
mask:r-x
other:r-x
default:user::rwx
default:user:usera:rwx
default:group::r-x
default:mask:r-x
default:other:r-x

If the default ACL entries of dir1 are changed afterwards, the ACL of the existing dir1/subdir1 is not affected. Only subdirectories and files created later inherit the new default entries of dir1.

$ setfacl -m d:group::rwx,d:other:rwx,d:mask:rwx dir1
$ mkdir dir1/subdir2
$ getfacl dir1/subdir2
user::rwx
user:usera:rwx          #effective:rwx
group::rwx              #effective:rwx
mask:rwx
other:rwx
default:user::rwx
default:user:usera:rwx
default:group::rwx
default:mask:rwx
default:other:rwx
$ cd dir1/subdir2
$ touch filea
$ ls -l
-rw-rw-rw-+ 1 userc sysadmin 0 Apr 30 13:34 filea
$ getfacl filea
user::rw-
user:usera:rwx          #effective:rw-
group::rw-              #effective:rw-
mask:rw-
other:rw-

The permissions granted to the user, group, and other categories of filea are the intersection of mode 666 (the creation mode for regular files, with no umask applied) with the default entries of the directory. Since all of those default entries are rwx, each category ends up with rw-. Note the security consequence: because the default ACL replaces the umask, a permissive default entry such as d:o:rwx makes every file created in that directory world-writable, as the -rw-rw-rw-+ listing shows.

The mask inherited by filea is likewise cut down to the group bits of the creation mode: even though dir1/subdir2 lists rwx as its default mask, filea inherits only rw-, which is why usera's rwx entry is only rw- effective. The entry for usera was applied to filea as a standard ACL entry and not as a default entry, because only directories replicate default entries.
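The rules described above (effective = entry AND mask, mask recalculation with -r, and default-ACL inheritance at creation time) are easy to get wrong when reviewing who can really write to a file, so here is a small model of them. This is an added example, not code from the original post; it parses constructed getfacl-style text and simulates the outcome instead of touching a filesystem. The group:: handling on create follows the Solaris output shown on this page; Linux acl(5) restricts only the mask entry, not group::, when a mask is present.

```python
"""Model of POSIX/Solaris ACL semantics: effective permissions, setfacl -r
and default-ACL inheritance.  Added example; sample ACL text is constructed."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm):
    """'rw-' -> 6; a single octal digit such as '7' is accepted too."""
    if perm.isdigit():
        return int(perm) & 7
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def bits_to_perm(bits):
    """6 -> 'rw-'"""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_acl(text):
    """Parse getfacl-style text into (tag, qualifier, bits, is_default) tuples.
    '# file:' headers and '#effective:' comments are discarded: effective
    permissions are derived from the mask below, never trusted from the input."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        parts = line.split(":")            # 'user::rw-', 'user:usera:rwx', 'mask:r--'
        qualifier = parts[1] if len(parts) == 3 else ""
        entries.append((parts[0], qualifier, perm_to_bits(parts[-1]), is_default))
    return entries


def is_masked(tag, qualifier):
    """Only group entries and named user/group entries are limited by the mask."""
    return tag == "group" or (tag == "user" and qualifier != "")


def effective(entries):
    """{(tag, qualifier): (granted, effective)} for the access ACL;
    effective = granted AND mask, i.e. the intersection."""
    mask = next((b for t, q, b, d in entries if t == "mask" and not d), 7)
    return {(t, q): (b, b & mask if is_masked(t, q) else b)
            for t, q, b, d in entries if not d}


def recalc_mask(entries):
    """setfacl -r: the mask becomes the union of group:: and every named entry."""
    union = 0
    for t, q, b, d in entries:
        if not d and is_masked(t, q):
            union |= b
    return [(t, q, union if (t == "mask" and not d) else b, d) for t, q, b, d in entries]


def create_in(parent_entries, create_mode, is_dir):
    """Access ACL of a new object created inside a directory with a default ACL.
    umask is NOT consulted: each default entry is ANDed with the matching class
    of create_mode (0o777 for mkdir, 0o666 for touch).  Named entries are copied
    unchanged and only limited through the mask.  A new directory also copies
    the default entries as its own default ACL."""
    defaults = [(t, q, b) for t, q, b, d in parent_entries if d]
    if not defaults:
        raise ValueError("parent has no default ACL; plain mode & ~umask applies")
    owner, group, other = (create_mode >> 6) & 7, (create_mode >> 3) & 7, create_mode & 7
    access = []
    for t, q, b in defaults:
        if q == "":
            if t == "user":
                b &= owner
            elif t in ("group", "mask"):
                b &= group
            elif t == "other":
                b &= other
        access.append((t, q, b, False))
    if is_dir:
        access += [(t, q, b, True) for t, q, b in defaults]
    return access


def ls_mode(entries):
    """The nine mode characters ls -l shows, plus '+' when extended entries exist.
    The group column shows the mask (not group::) when a mask is present."""
    acc = {(t, q): b for t, q, b, d in entries if not d}
    group_class = acc.get(("mask", ""), acc.get(("group", "")))
    extended = any(q != "" or d for t, q, b, d in entries)
    return (bits_to_perm(acc[("user", "")]) + bits_to_perm(group_class)
            + bits_to_perm(acc[("other", "")]) + ("+" if extended else ""))


def format_acl(entries):
    """Render entries the way getfacl does, with the derived #effective column."""
    eff = effective(entries)
    out = []
    for t, q, b, d in entries:
        name = f"{t}:{q}:" if t in ("user", "group") else f"{t}:"
        line = ("default:" if d else "") + name + bits_to_perm(b)
        if not d and is_masked(t, q):
            line += f"\t#effective:{bits_to_perm(eff[(t, q)][1])}"
        out.append(line)
    return "\n".join(out)


# Constructed sample: file2 from the post, as getfacl prints it.
FILE2 = """\
# file: file2
# owner: userc
# group: sysadmin
user::rw-
user:usera:rwx\t#effective:r--
group::r--\t#effective:r--
mask:r--
other:r--
"""

# Constructed sample: dir1 after its default entries were opened up to rwx.
DIR1 = """\
user::rwx
group::r-x
mask:r-x
other:r-x
default:user::rwx
default:user:usera:rwx
default:group::rwx
default:mask:rwx
default:other:rwx
"""

if __name__ == "__main__":
    acl = parse_acl(FILE2)
    print(format_acl(acl))                 # usera granted rwx, effective r--
    print(format_acl(recalc_mask(acl)))    # after -r: mask rwx, usera effective rwx
    filea = create_in(parse_acl(DIR1), 0o666, is_dir=False)
    print(ls_mode(filea))                  # rw-rw-rw-+ : world-writable, umask ignored
    print(format_acl(filea))
```

Feed it the output of `getfacl` on a real system to see the mask-limited permissions and, for a directory, what any file created inside it will get; a world-writable result from `create_in` is the signal that a default ACL is overriding the umask.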
