Tuesday 3 August 2010

Access Control Lists and Ubuntu

Basic UNIX permissions give you Owner, Group and Others, each with Read, Write and Execute, plus a handful of special permissions (setuid, sticky bit, etc.). That covers 90%, maybe even 99.9%, of cases, but not 100%. Sometimes you really want to grant more than just the "owner", "group" and "everyone" permissions, and for that you need Access Control Lists (ACLs).

To get ACL support, your file system must support ACLs. If you're using a file system created this century, it probably supports ACLs. ACL support is usually an option for the file system which can either be set to default on (with tune2fs for example) or can be turned on at mount time with the "acl" option (e.g. in fstab). Some distros simply default the file systems to have acl on (Fedora, RedHat EL) and others don't (Debian, Ubuntu).

To view or manipulate ACLs you also need the ACL tools: getfacl and setfacl. Distros usually have a package called "acl" that provides these utilities, and on the distros that default to ACLs on for file systems (RedHat etc.), the package is pre-installed.

First thing you'll want to know is how to read an ACL. The utility "getfacl" (Get File ACL) can show you the ACL. This is what a file looks like that doesn't have an ACL:

$ getfacl torrentflux
# file: torrentflux
# owner: www-data
# group: www-data
# flags: -s-

For files that have ACLs, you will see they have a "+" in their permissions list when using your regular ls -l and then you can view the ACL again with getfacl:

$ ls -l
drwxr-s---+ 7 www-data www-data 4096 2009-11-21 15:06 torrentflux

$ getfacl torrentflux
# file: torrentflux
# owner: www-data
# group: www-data
# flags: -s-

As you can see, this is the same directory, but rather than granting global read/execute as under UNIX permissions, we've granted instead read/execute to two specific users with ACLs. These ACLs were created with setfacl (Set File ACL):

$ setfacl -m user:archangel:rx torrentflux
$ setfacl -m user:aandrea:rx torrentflux

If you get an error trying to use "setfacl", it's because the file system does not have the ACL option turned on. Add "acl" to the options for that mount point in fstab and then remount the file system.

The last handy thing you may want to know is that getfacl and setfacl can be used to dump and restore ACLs. With getfacl, you can recursively pull all ACLs and skip files that have only base ACLs (UNIX permissions only). This dump can then be re-applied with setfacl. You will find this useful as not all tools that handle files handle ACLs - specifically tar.
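Before re-applying a dump it is worth checking which named users and groups it grants access to, since ls -l only shows a "+". The following is an added example, not part of the original post: a shell function (the names acl_named_grants and sample_dump are hypothetical) that reads the text written by getfacl -R --skip-base and lists every named entry with its granted and effective permissions. It goes slightly beyond the post by also handling the mask entry and default ACLs, and the dump it runs on is constructed.

```shell
# Real dump: getfacl -R --skip-base DIR > acls.txt   Restore: setfacl --restore=acls.txt
# Hypothetical helper: read a getfacl dump on stdin and print, per named user/group
# entry, "path<TAB>entry<TAB>granted<TAB>effective" (granted bits the mask also allows).
acl_named_grants() {
  awk '
    function flush(   i, k, m, eff) {
      for (i = 1; i <= n; i++) {
        m = (pre[i] in mask) ? mask[pre[i]] : "rwx"; eff = ""
        for (k = 1; k <= 3; k++)      # keep a bit only if the mask has it too
          eff = eff ((substr(m, k, 1) == "-") ? "-" : substr(perm[i], k, 1))
        printf "%s\t%s%s\t%s\t%s\n", file, pre[i], who[i], perm[i], eff
      }
      n = 0; split("", mask)          # reset state for the next file block
    }
    /^# file: /        { flush(); file = substr($0, 9); next }
    /^#/ || /^[ \t]*$/ { next }       # other header lines, blank separators
    {
      line = $0; sub(/[ \t]*#.*/, "", line)   # drop trailing #effective notes
      p = ""; if (line ~ /^default:/) { p = "default:"; sub(/^default:/, "", line) }
      split(line, f, ":")
      if (f[1] == "mask") mask[p] = f[3]
      else if (f[2] != "" && (f[1] == "user" || f[1] == "group")) {
        n++; pre[n] = p; who[n] = f[1] ":" f[2]; perm[n] = f[3]
      }
    }
    END { flush() }'
}
# Constructed, abbreviated sample dump (not output from the original post).
sample_dump() {
  cat <<'EOF'
# file: torrentflux
# owner: www-data
user::rwx
user:archangel:r-x
user:aandrea:r-x
group::r-x
mask::r-x
other::---

# file: torrentflux/incoming
user::rwx
user:archangel:rwx   #effective:r-x
group::r-x
mask::r-x
other::---
default:user:archangel:rwx
default:mask::rwx
EOF
}
sample_dump | acl_named_grants
```

An entry whose granted and effective columns differ is being limited by the mask, and a "default:" entry on a directory is inherited by files created inside it.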

That's Access Control Lists for you. There's no reason not to use them - they're widely supported and very useful.

- Arch

Sunday 1 August 2010

DSL Speeds

Just came across this article on the BBC:

"The survey found that for DSL services advertised as being "up to" 20Mbps, only 2% of customers got speeds in the range of 14-20Mbps. Of the others, 32% were getting a 8-14Mbps service and 65%, 8Mbps or less."

2% of users get 75% (or better) of advertised speeds? That's pretty damned harsh. That's the kind of thing that your customers ought to know up front.

But that's DSL for you. The article gives a fairly good explanation of some of the reasons why DSL sucks. What we need is fiber-to-the-home and none of this DSL crap:

