Beyond 755

In the olden days of Unix, each file had an owner, a group, and a notion of "everybody else". These entities could be granted read, write and/or execute permission -- and that was as far as it went. If you wanted to give an additional person access to a file, you either had to add him to the group (hopefully the group already had read access) or open up read access to the world. The introduction of the setfacl command changed all this. Now we can give an individual or a secondary group access to a file without changing the file's basic permissions. But how many of us do? And how much are the setfacl and getfacl commands still something of an oddity in the Unix world?

To begin with, there's the question of pronunciation. It appears that the general consensus is to say "get fackle" and "set fackle", though I occasionally run into someone who insists on saying "get f ACL" and "set f ACL". I prefer the version with fewer syllables, though I still cringe when someone says "vee" in place of "vee eye" for vi.

The "acl" in both command names stands, of course, for "access control list", and the commands' basic function is to provide extended access control for files on Unix systems.

The syntax for the setfacl command looks like this:

setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file ...

That's a large collection of options and a lot to swallow. Here are some of my favorites from the first set:

-b I like to call this one "back to basics" since it removes all extended ACL attributes from the file
-R Add or change ACL settings recursively

The second [{-m|-x} acl_spec] part of the syntax tells us that we can use the -m (modify) and -x (remove) options to change individual settings on files.

We can use the -m to give another user full access to a file without adding him to a group that would give him more privilege than he needs:

setfacl -m u:jdoe:rwx refdata

We will then be able to see that extended access permissions are in use by noticing the + sign at the end of the permissions matrix in a long listing:

$ ls -l refdata
-rw-rw-r--+ 1 jwoodall devstaff 93873 May 30 11:05 refdata

If we want to see what the extended permissions are, however, we have to use the getfacl command.

$ getfacl refdata
# file: refdata
# owner: jwoodall
# group: devstaff
user::rw-
user:oracle:rw-
group::rw-
mask::rw-
other::r--
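One thing the getfacl output above does not spell out is the role of the mask:: line. On Linux the mask caps every named user entry, every named group entry and the owning group entry (only the owner's user:: entry and other:: escape it), so a user:jdoe:rwx entry under a mask of r-x is effectively r-x, and a later chmod on the file quietly rewrites the mask. getfacl flags such entries with a trailing "#effective:" comment, but when you are reading saved output or writing an audit script it helps to compute the effective rights yourself. As an added example, not part of the original article, here is a small POSIX shell function that applies the mask to getfacl text; the sample ACL it parses is constructed, modelled on the article's output with the mask narrowed to r-x:

```shell
#!/bin/sh
# Added example (not from the original article): apply the ACL mask to saved
# getfacl output and report the effective rights of every masked entry.
# Only the access ACL is handled (no "default:" lines).

# Constructed sample, modelled on the article's /root output but with the
# mask narrowed to r-x (what a later "chmod 750 /root" would leave behind).
SAMPLE_ACL='# file: root
# owner: root
# group: root
user::rwx
user:mnutz:r-x
user:jwoodall:rwx
group::r-x
mask::r-x
other::---'

# perm_and A B: keep only the bits present in both rwx strings,
# e.g. "perm_and rwx r-x" prints r-x.
perm_and() {
    a=$1; b=$2; res=""; i=1
    while [ "$i" -le 3 ]; do
        ca=$(printf '%s' "$a" | cut -c"$i")
        cb=$(printf '%s' "$b" | cut -c"$i")
        if [ "$ca" = "$cb" ] && [ "$ca" != "-" ]; then
            res="$res$ca"
        else
            res="$res-"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$res"
}

# effective_acl: read getfacl text on stdin and print one line per masked
# entry (named users, named groups, owning group) as
#   <entry> effective=<rights after the mask is applied>
# The owner's user:: entry and other:: are not subject to the mask.
effective_acl() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\).*/\1/p')
    [ -n "$mask" ] || mask=rwx          # no mask entry: nothing is capped
    printf '%s\n' "$acl" | while IFS=: read -r tag name perm rest; do
        case "$tag" in
            user)  [ -n "$name" ] || continue ;;   # user:: is the owner, not masked
            group) ;;                              # group:: and group:NAME are both masked
            *)     continue ;;                     # comments, mask::, other::, blank lines
        esac
        perm=$(printf '%s' "$perm" | cut -c1-3)    # drop any trailing "#effective:" note
        printf '%s:%s:%s effective=%s\n' "$tag" "$name" "$perm" "$(perm_and "$perm" "$mask")"
    done
}

# Usage: printf '%s\n' "$SAMPLE_ACL" | effective_acl
#   or:  getfacl /root | effective_acl
```

Pipe live output through it (getfacl /root | effective_acl) to see which of the rights you granted with setfacl -m actually survive the mask; a named entry whose effective column is narrower than its granted column is the sign that a chmod has been applied on top of the ACL.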

Extended permissions can be granted on directories as well as files, as shown in this example in which we are granting full access to root's home to jwoodall and read and execute to mnutz.

# setfacl -m u:jwoodall:rwx /root
# setfacl -m u:mnutz:rx /root
# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::rwx
user:mnutz:r-x
user:jwoodall:rwx
group::r-x
mask::rwx
other::---

And then we can revert back to the original settings like this:

# setfacl -b /root
# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::rwx
group::r-x
other::---

If we want to grant access recursively, we just have to add -R before our user and permission settings.

# setfacl -R -m u:jwoodall:rwx /root
# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::rwx
user:jwoodall:rwx
group::r-x
mask::rwx
other::---

Checking on the files within /root, we can see that the extended permissions marker has been added to all the files in /root except, of course, for the symbolic link.

# ls -l /root
total 148
-rw-rwx---+ 1 root root  1641 Sep 28  2011 anaconda-ks.cfg
lrwxrwxrwx  1 root root    32 Feb  7  2012 delldset.bin -> /tmp/delldset.bin
-rw-rwxr--+ 1 root root   567 Sep 28 12:00 group
-rw-rwxr--+ 1 root root 50032 Sep 28  2011 install.log
...
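To tie the steps above together, here is an added shell script, not from the original article, that runs the same grant, recurse and revert cycle on a temporary directory and checks each step against getfacl (which is where the "+" marker in ls comes from). It assumes the acl package is installed; the user named in the ACL defaults to the caller's own numeric UID (an assumption made so it runs without root or a jwoodall account), and the script reports "skipped" rather than failing where setfacl is unavailable or the filesystem does not support ACLs:

```shell
#!/bin/sh
# Added example (not from the original article): run the grant / recurse /
# revert cycle from the article on a throwaway directory and verify each
# step from getfacl output.  Prints "ok" on success, "skipped" if setfacl is
# absent or the filesystem refuses ACLs, and a short reason (exit 1) if a
# step does not behave as the article describes.

# The user to name in the ACL.  Hypothetical override via ACL_USER; the
# default is the caller's own numeric UID, which setfacl accepts and which
# exists on every system, so no root and no "jwoodall" account is needed.
ACL_USER=${ACL_USER:-$(id -u)}

# has_named_entries PATH: true if getfacl lists a named user or group entry
# (user:NAME:... / group:NAME:...), i.e. an extended ACL is present.
# -p keeps absolute paths and so silences the "Removing leading '/'" message.
has_named_entries() {
    getfacl -p "$1" 2>/dev/null | grep -Eq '^(user|group):[^:]+:'
}

# has_plus_marker PATH: true if ls -l shows the "+" right after the mode bits.
has_plus_marker() {
    [ "$(ls -ld "$1" | cut -c11)" = "+" ]
}

# fail DIR MESSAGE: clean up the scratch directory and report why we stopped.
fail() {
    rm -rf "$1"
    echo "$2"
}

acl_cycle() {
    command -v setfacl >/dev/null 2>&1 || { echo skipped; return 0; }
    dir=$(mktemp -d) || return 1
    mkdir "$dir/sub" && : > "$dir/sub/refdata"

    # 1. setfacl -m on the directory only
    if ! setfacl -m "u:$ACL_USER:rwx" "$dir" 2>/dev/null; then
        rm -rf "$dir"; echo skipped; return 0      # e.g. "Operation not supported"
    fi
    has_named_entries "$dir" || { fail "$dir" "grant: no named entry"; return 1; }
    has_plus_marker   "$dir" || { fail "$dir" "grant: no + marker";    return 1; }
    # a non-recursive change must not have touched the file below
    has_named_entries "$dir/sub/refdata" && { fail "$dir" "grant: leaked to file"; return 1; }

    # 2. setfacl -R -m reaches the nested file
    setfacl -R -m "u:$ACL_USER:rx" "$dir" || { fail "$dir" "recurse: setfacl failed"; return 1; }
    has_named_entries "$dir/sub/refdata" || { fail "$dir" "recurse: file untouched"; return 1; }

    # 3. setfacl -b ("back to basics") strips every extended entry again
    setfacl -R -b "$dir" || { fail "$dir" "revert: setfacl failed"; return 1; }
    has_named_entries "$dir"             && { fail "$dir" "revert: dir still extended";  return 1; }
    has_named_entries "$dir/sub/refdata" && { fail "$dir" "revert: file still extended"; return 1; }
    has_plus_marker   "$dir"             && { fail "$dir" "revert: + marker remains";     return 1; }

    rm -rf "$dir"
    echo ok
}

acl_cycle
```

The same has_named_entries check, pointed at a directory tree with find -exec, is a quick way to audit where extended ACLs have been granted on a host, since they are easy to overlook in a plain ls -l.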

The primary benefit of setfacl and getfacl is that they allow you to grant privileges very selectively. You can set permissions on files and directories to match your needs and not grant any more access than is absolutely required.

While this is a bit more trouble than working with the standard permissions, the additional security and fine-tuned access rights will often prove to be worth the trouble.
