Access Control Lists

From CS Support Wiki
Revision as of 20:57, 13 July 2005 by Ajb5d (Talk | contribs)


Question: Can I get a Unix group set up with a few of my classmates in it for a group project?

Answer: As a rule, we only create Unix groups for whole classes, whole research groups, and the like; it would be overwhelming to try to manage a large number of two-person groups.

There is, however, a much more flexible solution that you can manage yourself. Our filesystems support ACLs (Access Control Lists), which you manage with the commands "getfacl" and "setfacl" (see their manpages on one of the departmental Solaris boxes). ACLs let you specify arbitrarily fine-grained access control on a per-file or per-directory basis. So you could give, say, jim and bob "rwx" access to a file while denying access to everybody else, without jim and bob being in any Unix group together.

Here's an example:

setfacl -r -m user:mcr2z:rwx tempfile
setfacl -r -m user:david:rwx tempfile

I've given two different users full control of the 'tempfile' file. The -m option modifies the existing ACL, adding or changing only the entries listed. The -s option instead sets (replaces) the whole ACL and therefore requires a complete ACL specification, so -m is easier to use. The -r option recalculates the ACL mask entry for the file(s); without it an entry you add can be capped by the old mask, which is what the "#effective:" column in getfacl output reports.

The 'getfacl tempfile' command produces:

# file: tempfile
# owner: dl4g
# group: staff
user:david:rwx #effective:rwx
user:mcr2z:rwx #effective:rwx
group::r-- #effective:r--

Use on directories with -R to recurse. Reading the man pages may make this seem more complicated than it is, but this simple example, and others like it, work perfectly.

Note that if you afterward run chmod on the file, the ACLs will be discarded. So set the basic permissions you want with chmod first, then fine-tune them with setfacl.
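The following is an added example, not part of the wiki page or the department's own tooling. It parses a Solaris-style getfacl listing and works out the "#effective:" rights the way getfacl does: named-user entries and the owning-group entry are capped by the mask entry, and "setfacl -r" replaces the mask with the union of those entries. The user names and owner are taken from the page's listing; the user::, mask: and other: lines are constructed, since the page's quoted output omits them. The function names (parse_getfacl, effective, recalculated_mask, with_mask) are this example's own.

```python
"""Compute the effective rights shown by Solaris getfacl from an ACL listing.

Added example, not from the CS Support Wiki page. The named users and owner
come from the page; the user::, mask: and other: lines are constructed,
because the page's quoted getfacl output omits them. Named-user entries and
the owning-group entry are capped by the mask entry (entry AND mask), which
is what getfacl's '#effective:' column reports and why 'setfacl -r' exists.
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed getfacl listing: the mask is still r--, so the rwx entries
# added for david and mcr2z are not yet effective.
SAMPLE = """# file: tempfile
# owner: dl4g
# group: staff
user::rw-
user:david:rwx          #effective:r--
user:mcr2z:rwx          #effective:r--
group::r--              #effective:r--
mask:r--
other:r--
"""


def perm_to_bits(perm):
    """'rwx' -> 7, 'r--' -> 4, '---' -> 0."""
    bits = 0
    for ch in perm:
        bits |= PERM_BITS.get(ch, 0)
    return bits


def bits_to_perm(bits):
    """7 -> 'rwx', 4 -> 'r--'."""
    return "".join(ch if bits & val else "-" for ch, val in PERM_BITS.items())


def parse_getfacl(text):
    """Return (tag, qualifier, bits) tuples; '# ...' headers and '#effective' notes are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) == 2:          # mask:rwx / other:r--
            tag, qual, perm = parts[0], "", parts[1]
        elif len(parts) == 3:        # user::rw- / user:david:rwx / group::r--
            tag, qual, perm = parts
        else:
            raise ValueError("unrecognised ACL entry: %r" % line)
        entries.append((tag, qual, perm_to_bits(perm)))
    return entries


def governed_by_mask(tag, qual):
    """Named users, named groups and the owning group are capped by the mask; owner and other are not."""
    return tag == "group" or (tag == "user" and qual != "")


def effective(entries):
    """Map each (tag, qualifier) to the rights that actually apply once the mask is applied."""
    mask = 7
    for tag, qual, bits in entries:
        if tag == "mask":
            mask = bits
    return {(tag, qual): (bits & mask if governed_by_mask(tag, qual) else bits)
            for tag, qual, bits in entries}


def recalculated_mask(entries):
    """What 'setfacl -r' computes: the union of every entry the mask governs."""
    mask = 0
    for tag, qual, bits in entries:
        if governed_by_mask(tag, qual):
            mask |= bits
    return mask


def with_mask(entries, mask):
    """Return a copy of the ACL with the mask entry replaced."""
    return [(tag, qual, mask if tag == "mask" else bits) for tag, qual, bits in entries]


def report(entries):
    """Print each entry the way getfacl does, followed by its effective rights."""
    eff = effective(entries)
    for tag, qual, bits in entries:
        label = "%s:%s" % (tag, qual) if tag in ("user", "group") else tag
        print("%s:%s  #effective:%s" % (label, bits_to_perm(bits), bits_to_perm(eff[(tag, qual)])))


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE)
    print("Before 'setfacl -r':")
    report(acl)
    fixed = with_mask(acl, recalculated_mask(acl))
    print("After 'setfacl -r' (mask recalculated to %s):" % bits_to_perm(recalculated_mask(acl)))
    report(fixed)
```

Running it shows david and mcr2z with effective r-- under the stale mask, and rwx once the mask is recalculated; the owner (user::) and other entries are unaffected by the mask either way. When checking a shared file, compare the "#effective:" column rather than the entry itself, since that is the right a user actually gets.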