Access Control Lists


Can I get a Unix group set up with a few of my classmates in it for a group project?


As a rule, we only create Unix groups for whole classes, whole research groups and the like; it would be overwhelming to try to manage a large number of two-person groups.
There is, however, a much more flexible solution that you can manage yourself. Our filesystems support ACLs (Access Control Lists), which you can manage with the commands "getfacl" and "setfacl" (see their manpages on one of the departmental Solaris boxes). What ACLs allow you to do is specify arbitrarily-fine-grained access control on a per-file or per-directory basis. So you could give, say, Jim and Bob "rwx" access to the file, but deny access to everybody else without Jim and Bob being in any Unix groups together.
Here is an example:

setfacl -r -m user:mcr2z:rwx tempfile
setfacl -r -m user:david:rwx tempfile
This gives two different users full control of the 'tempfile' file. The -m option means modify (add or change entries). The -s option sets the entire ACL and therefore requires a complete ACL specification, so -m is easier to use. The -r option recalculates the ACL mask for the file(s).
The 'getfacl tempfile' command produces:

# file: tempfile
# owner: dl4g
# group: staff
user:david:rwx #effective:rwx
user:mcr2z:rwx #effective:rwx
group::r-- #effective:r--
Use -R on directories to recurse. The man pages may make this look more complicated than it is, but this simple example, and others like it, work perfectly.
Note that if you afterward do a chmod, the ACLs will be discarded. So set the basic permissions you want with chmod first, then fine-tune them with setfacl.
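To make the '#effective' annotations and the -r (mask recalculation) option concrete, here is an added Python example that is not part of the original FAQ: it parses getfacl-style output, applies the ACL mask the way the filesystem does, and recalculates the mask the way setfacl -r does. The sample ACL is constructed and adds the user::, mask and other lines that the excerpt above omits.

```python
# Added example (not from the original FAQ).  Solaris POSIX-draft ACLs filter
# named-user, named-group and owning-group entries through the 'mask' entry;
# setfacl -r recomputes that mask.  Constructed sample with a stale r-- mask:
SAMPLE_ACL = """\
# file: tempfile
user::rw-
user:david:rwx
user:mcr2z:rwx
group::r--
mask:r--
other:r--
"""
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perms_to_bits(perms):
    return sum(PERM_BITS[c] for c in perms if c != "-")

def bits_to_perms(bits):
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())

def parse_acl(text):
    """(tag, qualifier, perms) triples; '#' headers/annotations dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(":")          # 'user:david:rwx' or 'mask:r--'
            qual = parts[1] if len(parts) == 3 else ""
            entries.append((parts[0], qual, parts[-1]))
    return entries

def masked(tag, qual):
    """Entries whose access the mask entry limits."""
    return (tag == "user" and qual != "") or tag == "group"

def effective(entries):
    """'tag:qualifier' -> effective perms, as getfacl's #effective shows."""
    mask = next((perms_to_bits(p) for t, _, p in entries if t == "mask"), 7)
    return {f"{t}:{q}": bits_to_perms(perms_to_bits(p) & (mask if masked(t, q) else 7))
            for t, q, p in entries}

def recalc_mask(entries):
    """setfacl -r: replace the mask with the union of all masked entries."""
    bits = 0
    for t, q, p in entries:
        if masked(t, q):
            bits |= perms_to_bits(p)
    new_mask = bits_to_perms(bits)
    return [(t, q, new_mask if t == "mask" else p) for t, q, p in entries]
```

With the stale mask, both rwx grants are reported as effective r--; after recalc_mask the mask becomes rwx and the grants take full effect, which is exactly what passing -r to setfacl avoids having to fix by hand.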