To get ACL support, your file system must support ACLs. If you're using a file system created this century, it probably supports ACLs. ACL support is usually an option for the file system which can either be set to default on (with tune2fs for example) or can be turned on at mount time with the "acl" option (e.g. in fstab). Some distros simply default the file systems to have acl on (Fedora, RedHat EL) and others don't (Debian, Ubuntu).
To view or manipluate ACLs you also need acl tools: getfacl and setfacl. Distros usually have a package called "acl" available which provides these utilities and with the distros that have ACL defaulting on for file systems (RedHat etc), the package is pre-installed.
First thing you'll want to know is how to read an ACL. The utility "getfacl" (Get File ACL) can show you the ACL. This is what a file looks like that doesn't have an ACL:
getfacl torrentflux
# file: torrentflux
# owner: www-data
# group: www-data
# flags: -s-
user::rwx
group::r-x
other::r-x
For files that have ACLs, you will see they have a "+" in their permissions list when using your regular ls -l and then you can view the ACL again with getfacl:
$ ls -l
drwxr-s---+ 7 www-data www-data 4096 2009-11-21 15:06 torrentflux
$ getfacl torrentflux
# file: torrentflux
# owner: www-data
# group: www-data
# flags: -s-
user::rwx
user:archangel:r-x
user:aandrea:r-x
group::r-x
mask::r-x
other::---
As you can see, this is the same directory, but rather than granting global read/execute as under UNIX permissions, we've granted instead read/execute to two specific users with ACLs. These ACLs were created with setfacl (Set File ACL):
$ setfacl -m user:archangel:rx torrentflux
$ setfacl -m user:aandrea:rx torrentflux
If you get some error trying to use "setfacl", it's because the file system does not have the ACL option turned on. Add "acl" to the mount point in fstab and then remount the file system.
The last handy thing you may want to know is that getfacl and setfacl can be used to dump and restore ACLs. With getfacl, you can recursively pull all ACLs and skip files that have only base ACLs (UNIX permissions only). This dump can then be re-applied with setfacl. You will find this useful as not all tools that handle files handle ACLs - specifically tar.
That's Access Control Lists for you. There's no reason not to use them - they're widely supported and very useful.
Enjoy!
- Arch
No comments:
Post a Comment