Linux.com

mstfysn

  • Linux.com Member
  • Posts: 1
  • Member Since: 13 Sep 12
  • Last Logged In: 13 Sep 12

Latest Posts

  • mstfysn
    Setting Linux Access ACLs
    Link to this post 13 Sep 12

    1.1. Setting Access ACLs

    The filesystem must be mounted with the acl option, for example with the command:
    mount -o remount,acl /mount_point
    and then add this option to the filesystem's entry in /etc/fstab so that the change persists across boots.

    There are two types of ACLs: access ACLs and default ACLs. An access ACL is the access control list for a specific file or directory. A default ACL can only be associated with a directory; if a file within the directory does not have an access ACL, it uses the rules of the default ACL for the directory. Default ACLs are optional.
    ACLs can be configured:
    1. Per user
    2. Per group
    3. Via the effective rights mask
    4. For users not in the user group for the file

    The setfacl utility sets ACLs for files and directories. Use the -m option to add or modify the ACL of a file or directory:
    setfacl -m <rules> <files>

    Rules (<rules>) must be specified in the following formats. Multiple rules can be specified in the same command if they are separated by commas.
    u:<uid>:<perms>
    Sets the access ACL for a user. The user name or UID may be specified. The user may be any valid user on the system.

    g:<gid>:<perms>
    Sets the access ACL for a group. The group name or GID may be specified. The group may be any valid group on the system.

    m:<perms>
    Sets the effective rights mask. The mask is the union of all permissions of the owning group and all of the user and group entries.

    o:<perms>
    Sets the access ACL for users other than the ones in the group for the file.
    White space is ignored. Permissions (<perms>) must be a combination of the characters r, w, and x for read, write, and execute.

    If a file or directory already has an ACL, and the setfacl command is used, the additional rules are added to the existing ACL or the existing rule is modified.
    For example, to give read and write permissions to user andrius:
    setfacl -m u:andrius:rw /project/somefile

    To remove all the permissions for a user, group, or others, use the -x option and do not specify any permissions:
    setfacl -x <rules> <files>

    For example, to remove all permissions from the user with UID 500:
    setfacl -x u:500 /project/somefile

    1.2. Setting Default ACLs
    To set a default ACL, add d: before the rule and specify a directory instead of a file name.
    For example, to set the default ACL for the /share/ directory to read and execute for users not in the user group (an access ACL for an individual file can override it):
    setfacl -m d:o:rx /share

    1.3. Retrieving ACLs
    To determine the existing ACLs for a file or directory, use the getfacl command:
    getfacl <filename>

    It returns output similar to the following:
    # file: file
    # owner: andrius
    # group: andrius
    user::rw-
    user:smoore:r--
    group::r--
    mask::r--
    other::r--
    If a directory is specified, and it has a default ACL, the default ACL is also displayed such as:
    # file: file
    # owner: andrius
    # group: andrius
    user::rw-
    user:smoore:r--
    group::r--
    mask::r--
    other::r--
    default:user::rwx
    default:user:andrius:rwx
    default:group::r-x
    default:mask::rwx
    default:other::r-x

    1.4. Archiving File Systems With ACLs
    Warning
    The tar and dump commands do not backup ACLs.
    The star utility is similar to the tar utility in that it can be used to generate archives of files; however, some of its options are different. Refer to Table 13.1, “Command Line Options for star” for a listing of more commonly used options. For all available options, refer to the star man page. The star package is required to use this utility.
    Option  Description
    -c      Creates an archive file.
    -n      Do not extract the files; use in conjunction with -x to show what extracting the files does.
    -r      Replaces files in the archive. The files are written to the end of the archive file, replacing any files with the same path and file name.
    -t      Displays the contents of the archive file.
    -u      Updates the archive file. The files are written to the end of the archive if they do not exist in the archive or if the files are newer than the files of the same name in the archive. This option only works if the archive is a file or an unblocked tape that may backspace.
    -x      Extracts the files from the archive. If used with -U and a file in the archive is older than the corresponding file on the file system, the file is not extracted.
    -help   Displays the most important options.
    -xhelp  Displays the least important options.
    -/      Do not strip leading slashes from file names when extracting the files from an archive. By default, they are stripped when files are extracted.
    -acl    When creating or extracting, archive or restore any ACLs associated with the files and directories.
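The mask and default-ACL rules described in the post are easiest to understand by running them. The following is an added example and not code from the post: a small Python model of the access-check and default-ACL inheritance rules from acl(5), driven by getfacl-style text so that it runs without setfacl, getfacl or an acl-mounted filesystem. The SAMPLE text is constructed from the post's getfacl output (users andrius and smoore); the group memberships passed to check_access, the nobody/nogroup names and the /share path mentioned in the comments are assumptions made for the example.

```python
# Added example (not from the post): models the acl(5) access check and
# default-ACL inheritance on getfacl-style text. SAMPLE is constructed from
# the post's output; group memberships used below are assumptions.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def parse_perms(s):
    """'rw-' -> 6; the '-' placeholders are ignored."""
    return sum(PERM_BITS[c] for c in s if c in PERM_BITS)

def fmt_perms(n):
    """6 -> 'rw-'."""
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())

def parse_getfacl(text):
    """Parse getfacl output into {'owner', 'group', 'access', 'default'}; the ACL
    dicts map (tag, qualifier) -> bits, qualifier None for user::/group::/mask::/other::."""
    acl = {"owner": None, "group": None, "access": {}, "default": {}}
    for line in text.splitlines():
        line = line.split("#effective:")[0].strip()  # drop getfacl's hint
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            which = "access"
            if line.startswith("default:"):
                which, line = "default", line[len("default:"):]
            tag, qual, perms = line.split(":")
            acl[which][(tag, qual or None)] = parse_perms(perms)
    return acl

def check_access(acl, user, groups, wanted):
    """acl(5) order: owner entry (never masked), named user (masked), owning
    group / named groups the process is in (masked), then other."""
    a, want = acl["access"], parse_perms(wanted)
    mask = a.get(("mask", None))  # None when there is no mask entry

    def masked(p):
        return p if mask is None else p & mask

    if user == acl["owner"]:
        return a[("user", None)] & want == want
    if ("user", user) in a:
        return masked(a[("user", user)]) & want == want
    matches = [a[("group", None)]] if acl["group"] in groups else []
    matches += [p for (tag, q), p in a.items() if tag == "group" and q in groups]
    if matches:  # one matching group-class entry with the bits is enough
        return any(masked(p) & want == want for p in matches)
    return a[("other", None)] & want == want

def inherit_access_acl(dir_acl, mode):
    """ACL of a new object created with `mode` (0o666 for a plain O_CREAT) in a
    directory with a default ACL: copy the default ACL, then AND user::, mask::
    (group:: if no mask) and other:: with the owner/group/other bits of mode.
    The umask is not applied when a default ACL exists."""
    new = dict(dir_acl["default"])
    new[("user", None)] &= (mode >> 6) & 7
    class_key = ("mask", None) if ("mask", None) in new else ("group", None)
    new[class_key] &= (mode >> 3) & 7
    new[("other", None)] &= mode & 7
    return new

SAMPLE = """\
# file: share
# owner: andrius
# group: andrius
user::rw-
user:smoore:r--
group::r--
mask::r--
other::r--
default:user::rwx
default:user:andrius:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

def demo():
    acl = parse_getfacl(SAMPLE)
    r = {"smoore_write": check_access(acl, "smoore", ["smoore"], "w")}  # r-- only
    # setfacl -m u:smoore:rw /share: entry becomes rw- and, unless -n is given,
    # setfacl recalculates the mask as the union of the group-class entries
    acl["access"][("user", "smoore")] = parse_perms("rw-")
    acl["access"][("mask", None)] = parse_perms("rw-")
    r["smoore_write_after_setfacl"] = check_access(acl, "smoore", ["smoore"], "w")
    # chmod 644 /share afterwards rewrites the mask (not group::) to r--, so
    # smoore loses write again and getfacl shows '#effective:r--'
    acl["access"][("mask", None)] = parse_perms("r--")
    r["smoore_write_after_chmod"] = check_access(acl, "smoore", ["smoore"], "w")
    r["owner_write"] = check_access(acl, "andrius", ["andrius"], "w")  # unmasked
    r["other_read"] = check_access(acl, "nobody", ["nogroup"], "r")
    new = inherit_access_acl(acl, 0o666)  # file created in /share with 0666
    r["new_file"] = {f"{t}:{q or ''}": fmt_perms(p) for (t, q), p in new.items()}
    return r
```

Calling demo() shows that andrius, as owner, is never limited by the mask, while smoore's rw- entry is only effective while the mask allows it: a later chmod on the file rewrites the mask rather than the group:: entry, which is why getfacl prints a #effective: hint and why setfacl -m followed by chmod is a common way to lose the permissions just granted. The inherited ACL also shows why a file created with mode 0666 under a directory whose default mask is rwx ends up with mask::rw- and other::r--.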

