Saturday, 19 November 2005

Get exact control over your files and directories using ACLs in Linux

If you are a windows user then you must be aware of the fine grained control over who can read, write and execute files residing in NTFS file system. And Unices like FreeBSD and Solaris has had it since a long time. On the other hand, Linux by default, has basic control of read, write and execute access rights for files and directories. But if you are using Linux kernel 2.6, you can also have fine-grained control over files and directories residing on ext2/3, XFS, JFS and ReiserFS file systems by enabling ACLs. ACL stands for Access Control Lists and is enabled by appending the word 'acl' in the relevant section of your /etc/fstab file. For example, if I have my home directory residing on a separate ext3 partition, then I can enable acls as follows for the /home partition:
# FILE: /etc/fstab
...
LABEL=/home /home ext3 defaults,acl 0 2
...
Note the word 'acl' appended to the above line of code. Now one has to let the kernel know about the change and so have to remount the /home partition. This can be done by using the mount command:
# mount -o remount /home
Now I can start assigning per-user rights to each and every file on the /home partition using the getfacl and setfacl command.
For example, I have three users on my system saj, jake and leander. And I have a file called tester.txt in my home directory (/home/ravi), which I want to share with these three users. User saj should have only read-only access where as jake and leander should have both read and write access to the file (/home/ravi/tester.txt). To achieve this, I will use the setfacl command as follows:
$ setfacl -m u:saj:r--,u:leander,jake:rw- tester.txt
The above command can be read as follows: Modify (-m) the access control list on the file tester.txt by giving read-only access (r--) to user (u) saj and read-write access (rw-) to the users (u) leander and jake.

Conversely, you can create a group by a name say 'mygroup' and add the users leander and jake to mygroup and set the acl for the file as follows:
$ setfacl -m g:mygroup:rw- /home/ravi/tester.txt
getfacl command on the other hand, is used to view the access-control rights for a particular directory or file.
$ getfacl /home/ravi/tester.txt
# file: tester.txt
# owner: ravi
# group: ravi
user::rw-
user:jake:rw-
user:leander:rw-
user:saj:r--
group::rw-
mask::rw-
other::r--
And if you want to remove acl rights to a file for a particular user, you use the setfacl command with the -x option as follows:
$ setfacl -x u:saj,u:leander /home/ravi/tester.txt
You can also completely remove the acl from a particular file or directory by using the --remove-all option:
$ setfacl --remove-all /home/ravi/tester.txt 
One another thing, if you check the long listing of the file for which an acl has been set, you can find a plus (+) appended to the rights portion of the listing.
$ ls -l tester.txt
-rw-rw-r--+ 1 ravi ravi 0 Nov 18 18:53 tester.txt
This is verily the tip of the iceberg so to say, of implementing access control lists on Linux. In fact, Van Emery has written an in depth article on Access Control Lists called Using ACLs with Fedora Core 2, which gives new insights in using access control lists to one's advantage in Linux.

No comments:

Post a Comment