Learn to use extended filesystem ACLs
Takeaway: Learn to use the handy filesystem ACLs to extend access controls to files and directories with more flexibility.
ACLs, or Access Control Lists, are available for a variety of Linux filesystems including ext2, ext3, and XFS. With XFS, ACL support is available pretty much "out of the box" and with ext2/ext3, it's available via a kernel patch that most Linux vendors have applied to the binary kernels they provide. In all cases, the SGI acl and attr tools are required; most Linux vendors provide these as well.
Filesystem ACLs are extremely handy in that they allow you to extend access controls to files and directories beyond the simple user/group/other ownership. With extended ACLs, you can grant several named users, rather than just the single owner, their own permissions on a given file.
If the filesystem is XFS, no special steps are required to enable ACL support. If the filesystem is ext2 or ext3, the filesystem will need to be mounted with the "acl" option. This can be done by editing /etc/fstab and changing something like:
/dev/md1 / ext3 defaults 1 1
to:
/dev/md1 / ext3 rw,acl 1 1
Next, you need to remount the filesystem, which can be done either with a reboot or by executing:
# mount -v -o remount /
This will remount the filesystem with the new options specified. You may now begin to specify extended ACLs using the setfacl tool. For instance, suppose you had a file that you wanted to be writable by jim and jane, readable by frank, and not readable by anyone else. This isn't something that can easily be done with standard filesystem permissions. You can, however, accomplish this with setfacl:
# chmod 600 file
# setfacl -m u:jim:rw file
# setfacl -m u:jane:rw file
# setfacl -m u:frank:r file
The first step sets the permissions to 0600, or read/write by the owner, with no access to the group or "other". The second grants user jim read/write privileges; the third does the same for user jane. The last grants read privileges to frank only. To view the current ACLs on the file, use getfacl file, which will produce output like:
# file: file
# owner: jim
# group: jim
user::rw-
user:frank:r--
user:jane:rw-
user:jim:rw-
group::---
mask::rw-
other::---
Likewise, by using ls you can see if extended ACLs are active on a file:
# ls -al
-rw-rw----+ 1 jim jim 993014 May 24 10:32 file
The + character at the end of the permissions string indicates the presence of extended ACLs.
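The mask entry in the getfacl listing decides what the named users actually get, and a later chmod on the file rewrites that mask. As an added example that is not part of the article, the following Python parses getfacl output of the form shown above and reports the effective permissions; both sample listings are constructed from the article's scenario (owner jim; named users jim, jane and frank).

```python
# Constructed sample: the getfacl listing of the file from the article
# after chmod 600 followed by the three setfacl -m commands.
ACL_AFTER_SETFACL = """\
# file: file
# owner: jim
# group: jim
user::rw-
user:frank:r--
user:jane:rw-
user:jim:rw-
group::---
mask::rw-
other::---
"""

# Constructed sample: the same file after a later 'chmod 600 file'. chmod
# rewrites the group-class bits, which on a file with an ACL is the mask.
ACL_AFTER_LATER_CHMOD = ACL_AFTER_SETFACL.replace("mask::rw-", "mask::---")

def parse_getfacl(output):
    """Map (tag, qualifier) -> set of 'r'/'w'/'x' from getfacl text.

    '#' lines are metadata (file, owner, group) and are skipped; each
    remaining line is 'tag:qualifier:perms', e.g. 'user:jane:rw-'.
    """
    entries = {}
    for line in output.splitlines():
        if line.strip() and not line.startswith("#"):
            tag, qualifier, perms = line.strip().split(":", 2)
            entries[(tag, qualifier)] = {c for c in perms if c in "rwx"}
    return entries

def effective_perms(output):
    """Apply the mask: named users, named groups and the owning group are
    limited to the mask bits; the owner (user::) and other:: are not masked."""
    entries = parse_getfacl(output)
    mask = entries.get(("mask", ""), set("rwx"))
    effective = {}
    for key, perms in entries.items():
        if key[0] == "mask":
            continue
        unmasked = key in (("user", ""), ("other", ""))
        effective[key] = set(perms) if unmasked else perms & mask
    return effective

def writers(output):
    """Sorted list of named users whose effective entry includes write."""
    return sorted(q for (tag, q), p in effective_perms(output).items()
                  if tag == "user" and q and "w" in p)
```

After the later chmod, writers() returns an empty list even though the user:jane and user:jim entries still read rw-, which is why a getfacl check, not just ls, belongs in any review of ACL-protected files.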