Monday, June 16, 2008

Access Control Lists (ACLs)

By default only the root user can assign permissions on directories and files to other users.
If a standard user wants to give one of his colleagues access to a folder,
he must use an ACL (access control list).

First, ACL support needs to be enabled on the mounted file system on which you want users to manage their own permissions. To do this, edit your /etc/fstab file and add the acl option to the mount so that the entry looks something like this:
/dev/hda /home ext3 defaults,acl 1 2

Save your fstab file and have the kernel re-read its contents by typing
mount -a

This reads the contents of your fstab file and mounts every file system listed there that is not mounted yet. A file system that is already mounted, such as /home here, is not touched by mount -a; remount it with its new option (mount -o remount,acl /home) before the acl option takes effect.

Then, for a standard user to give access to a certain folder, they must use the setfacl command.
So to give user2 read and write access to the /home/user1/projects folder, user1 would type
setfacl -m u:user2:rw /home/user1/projects

The -m stands for modify. To remove permissions you replace the -m with -x, name the entry to remove (the user or group, without any permissions) and then state the folder you want it removed from:
eg setfacl -x u:user2 /home/user1/projects
You can set permissions on individual files as well, not only on directories:
eg setfacl -m u:user2:rw /home/user1/projects/filename
You can also set permissions using rwx notation. For example, to deny a user access to a file, type the following:
setfacl -m u:user2:--- /home/user1/projects/filename
To give him read access only, type the following:
setfacl -m u:user2:r-- /home/user1/projects/filename

If you want to see what permissions exist on a certain folder, type
getfacl /home/user1/projects

You should get a response similar to the following, where you can see the added permissions for user2:
# file: home/user1/project
# owner: user1
# group: user1
user::rwx
user:user2:rw-
group::r-x
mask::rwx
other::r-x

To do the same for a Samba share, so that Windows users are controlled by the ACL,
do the following.

Add ACL support to a Samba share:

1. vim /etc/samba/smb.conf
In the share you want ACL support for, add: nt acl support = yes

2. To give a group access to a folder:
setfacl -m g:GROUPNAME:rwx FOLDERPATH

OR to give a user access to a folder:
setfacl -m u:USERNAME:rwx FOLDERPATH

3. Remove Permissions for others:
chmod 770 FOLDERPATH

4. Check permissions:
getfacl FOLDERPATH

5. Remove an ACL entry:
setfacl -x acl-entry FOLDERPATH
ex: setfacl -x g:GROUPNAME FOLDERPATH
(-d is not the remove switch: it makes setfacl operate on the directory's default ACL, the entries that new files created inside it inherit.)
