Filesystem options and commands
First, check that the file system is mounted with the acl option.
cat /proc/mounts | grep acl
/dev/sda1 / ext3 rw,noatime,relatime,errors=remount-ro,acl,data=ordered 0 0
If not, update /etc/fstab, add 'acl' to the options column, and remount the file system.
getfacl and setfacl are the two main commands. chacl is also available, for IRIX compatibility.
Use Cases
Grant 2 users permissions to the same directory and files under it
Let's say we want to grant users john and mary permissions to the folder /var/www/mysite.com.
We can start by creating the directory. At this point we can leave it owned by root, as the ACLs will take care of access.
ls -ld /var/www/mysite.com/
drwxr-xr-x 2 root root 4096 Feb 11 15:21 /var/www/mysite.com/
The first two commands grant users john and mary permissions on the directory.
The next two set the default ACL, which is inherited by files and directories created underneath. This makes good sense in a multi-user, multi-editor environment. The fields separated by ':' are the user name and the permissions.
setfacl -m john:rwx mysite.com
setfacl -m mary:rwx mysite.com
setfacl -m default:john:rwx mysite.com
setfacl -m default:mary:rwx mysite.com
getfacl mysite.com
# file: mysite.com
# owner: root
# group: root
user::rwx
user:john:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:john:rwx
default:user:mary:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
Now log in as user john and create a file.
john@slice01$ echo "john" > file1
john@slice01$ ls -l file1
-rw-rw-r--+ 1 john john 4 Feb 11 15:31 file1
john@slice01$ getfacl file1
# file: file1
# owner: john
# group: john
user::rw-
user:john:rwx    #effective:rw-
user:mary:rwx    #effective:rw-
group::r-x       #effective:r--
mask::rw-
other::r--
Then create a directory
john@slice01$ mkdir john
john@slice01$ getfacl john
# file: john
# owner: john
# group: john
user::rwx
user:john:rwx
user:mary:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:john:rwx
default:user:mary:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
As you can see, mary is in the ACLs as well. Note the #effective lines on file1: the mask entry, which is derived from the mode the file was created with, caps the named-user and group entries, so john and mary effectively get rw- on the file even though their ACL entries say rwx.
You can test it by logging in as user mary and editing files created by john.
mary@slice01$ echo mary >> file1
mary@slice01$ cat file1
john
mary
mary@slice01$ cd john/
mary@slice01$ echo mary > file2
mary@slice01$ getfacl file2
# file: file2
# owner: mary
# group: mary
user::rw-
user:john:rwx    #effective:rw-
user:mary:rwx    #effective:rw-
group::r-x       #effective:r--
mask::rw-
other::r--
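The #effective annotations above come from the ACL mask rule: named-user, named-group and owning-group entries are ANDed with the mask, while the owner and other entries are not. The following added example (not part of the original post) parses getfacl output, recomputes the effective permissions, and reports which named users can actually write and which entries the mask has silently cut down; the sample listing is the file1 output from this walkthrough, embedded as a constructed string.

```python
# Constructed sample: the getfacl listing of file1 from the walkthrough.
SAMPLE_FILE1 = """\
# file: file1
# owner: john
# group: john
user::rw-
user:john:rwx #effective:rw-
user:mary:rwx #effective:rw-
group::r-x    #effective:r--
mask::rw-
other::r--
"""

def parse_getfacl(text):
    """Parse getfacl output into (is_default, tag, qualifier, perms) tuples."""
    entries = []
    # Strip '# file:' headers and '#effective:' comments; skip blank lines.
    for line in filter(None, (r.split("#", 1)[0].strip() for r in text.splitlines())):
        is_default = line.startswith("default:")
        tag, qualifier, perms = line.removeprefix("default:").split(":")
        entries.append((is_default, tag, qualifier, perms))
    return entries

def perm_and(a, b):
    """AND two rwx strings: perm_and('rwx', 'rw-') -> 'rw-'."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))

def effective_access(entries, default=False):
    """Effective perms of the access ACL (or the default ACL when default=True).
    Named users/groups and the owning group are ANDed with the mask; owner and other are not."""
    acl = [(t, q, p) for d, t, q, p in entries if d == default]
    mask = next((p for t, _, p in acl if t == "mask"), None)
    eff = {}
    for tag, qual, perms in acl:
        limited = mask is not None and (qual != "" or tag == "group")
        eff[f"{tag}:{qual}"] = perm_and(perms, mask) if limited else perms
    return eff

def writers(entries):
    """Named users whose effective access ACL grants write."""
    return sorted(k[len("user:"):] for k, p in effective_access(entries).items()
                  if k.startswith("user:") and k != "user:" and "w" in p)

def mask_reductions(entries):
    """Access-ACL entries the mask cuts down: name -> (granted, effective)."""
    eff = effective_access(entries)
    return {f"{t}:{q}": (p, eff[f"{t}:{q}"])
            for d, t, q, p in entries if not d and eff[f"{t}:{q}"] != p}
```

Running writers() and mask_reductions() over the output of getfacl -R on a shared tree is a quick way to audit who can really modify what, since the granted rwx in an ACL entry is not the whole story.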
Grant 2 users permissions to the same directory and files under it except to 2 individual directories
Let's say we want john and mary to have permissions under /var/www/mysite.com/ and all files in it, but still keep the individual directories /var/www/mysite.com/john and /var/www/mysite.com/mary private to their owners.
getfacl mary
# file: mary
# owner: mary
# group: mary
user::rwx
user:john:rwx
user:mary:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:john:rwx
default:user:mary:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
The -k switch removes the default ACL entries.
setfacl -k mary
getfacl mary
# file: mary
# owner: mary
# group: mary
user::rwx
user:john:rwx
user:mary:rwx
group::r-x
mask::rwx
other::r-x
Then remove john from it as well.
setfacl -x john mary
getfacl mary
# file: mary
# owner: mary
# group: mary
user::rwx
user:mary:rwx
group::r-x
mask::rwx
other::r-x
Repeat the same steps for the other folder.