Ergon : File access management, ACL

Unix permissions

Unix permissions allow giving different read, write and/or execute access rights to each of the following categories:

  • The file owner
  • Users belonging to the same Unix group as the file owner
  • All the other users

The Unix permissions may be modified by simply using the chmod command (for more information, see man chmod). Most of the time, the Unix permissions are sufficient. However, by using the ACLs (Access Control Lists), you can control the access to your data more precisely; for example, by giving access to one (and only one) user, no matter from which group.

The ACLs

If you wish to give access permissions to a particular user and/or group, you can define an ACL (Access Control List) for the chosen file or directory. The general syntax is as follows:

  setfacl ACL_OPTIONS directory

where ACL_OPTIONS can have one of the following forms:

  • To create or replace an existing ACL:
--set=u::rwx,[u:login:[r|-][w|-][x|-]],g::[r|-][w|-][x|-],[g:group:[r|-][w|-][x|-]],o::[r|-][w|-][x|-][,m::rwx]
  • To modify an existing ACL:
-m u::rwx,[u:login:[r|-][w|-][x|-]],g::[r|-][w|-][x|-],[g:group:[r|-][w|-][x|-]],o::[r|-][w|-][x|-][,m::rwx]
  • To delete an existing ACL:
-b

For more information, type the command man setfacl.

Important comments:

  • The rwx permissions have the same meaning as the classic Unix rwx permissions.
  • A syntactically valid ACL must contain at least the following three fields, separated by commas:
    • A field beginning with u (as in user) without a login: this corresponds to the permissions given to the owner of the file or directory. For a directory (or an executable file), we advise you to set:
      u::rwx
      and for a file:
      u::rw
    • A field beginning with g (as in group) without a group name: this corresponds to the permissions given to the file owner's group:
      g::[r|-][w|-][x|-]
    • A field beginning with o (as in other) without any qualifier: this corresponds to the permissions given to users who are covered by neither the u nor the g field:
      o::[r|-][w|-][x|-]

If you have only these three fields, there is no advantage in using the setfacl command, as it gives the same permissions as the chmod command. For example, the following setfacl command gives all permissions to the owner of the my_directory directory and allows the members of the owner's group to consult the directory contents (read only):

setfacl --set=u::rwx,g::r-x,o::--- my_directory

Attention: access to the subdirectories and files contained in my_directory remains controlled by their Unix permissions.

  • To extend the access permissions, it is necessary to add (in addition to the three fields listed above) at least one of the two following fields (u, g), and you must also add an m field:
    • A u field with a login, corresponding to the permissions given to a particular user:
      u:login:[r|-][w|-][x|-]
    • A g field with a group name, corresponding to the permissions given to all the members of the specified group:
      g:group:[r|-][w|-][x|-]
    • A field beginning with m (as in mask) is obligatory; it defines the maximum (or exact) permissions of the users concerned by the u:login:… and/or g:group:… fields. It is advised to give this mask the highest level of permissions (m::rwx) so as not to restrict the permissions given to a login and/or to a group. For more information, see the following section of this document: Dependencies between ACL and Unix permissions. You will find setfacl command usage examples in these two sections: Adding a particular user to an ACL and Adding a particular group to an ACL.
  • All the management commands of the ACLs on Ergon can be entered from a session on Adapp; you can then access your Ergon HOME by using the $ARCHIVE environment variable:
 [login1@ada:~]$ cd $ARCHIVE
 [login1@ada:~]$ ls -ld directory_with_acl directory_without_acl
 drwxr-x---+ 2 login1 grp 8192 2014-03-29 11:00 directory_with_acl
 drwxr-x---  2 login1 grp  8192 2014-03-29 11:00 directory_without_acl

Note: In the examples which follow, for the sake of coherence, the commands are all entered from Ergon but this is not necessary as they can also be entered from other machines.

Viewing the ACLs

The getfacl command gives a detailed display of the ACLs set on a directory or a file (for more information, see man getfacl):

     getfacl directory

Note: the -l option of the ls command displays the classic Unix permissions and also shows whether ACLs are set: a + sign appears just after the Unix permissions.

 [login1@ergon1:~]$ ls -ld directory_with_acl directory_without_acl
 drwxr-x---+ 2 login1 grp  8192 2014-03-29 11:00 directory_with_acl
 drwxr-x---  2 login1 grp  8192 2014-03-29 11:00 directory_without_acl

 [login1@ergon1:~]$ ls -l file_with_acl file_without_acl
 -rwx------+ 2 login1 grp  8192 2014-03-29 11:00 file_with_acl
 -rwx------  2 login1 grp  8192 2014-03-29 11:00 file_without_acl

Adding a particular user to an ACL

Example: login1 wants to give specific permissions to user login2 to access his HOME on Ergon.

[login1@ergon1:~]$ cd $HOME
[login1@ergon1:~]$ setfacl --set=u::rwx,u:login2:rwx,g::r-x,o::---,m::rwx .
[login1@ergon1:~]$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
user:login2:rwx
group::r-x
mask::rwx
other::---
  • With the obligatory field u::rwx, the owner login1 has rwx permissions on his HOME directory. Be careful: without these permissions, the HOME can no longer be accessed by the owner, because it is blocked by the ACL even if the Unix permissions have been set.
  • With the obligatory field g::r-x, the users belonging to the owner's group (grp) have r-x permissions: they can see the contents of the directory but they cannot write in it.
  • With the obligatory field o::---, no other user has any permissions on this directory.
  • With the field u:login2:rwx, you add rwx permissions for the particular user login2: this user will then be able to read and write in the HOME directory of login1.
  • Do not forget the mask (field m::rwx): if it is empty (m::---), the field u:login2:rwx will be inoperative.

ATTENTION :

  • You should not use the following command with the complete PATH as this would position the ACLs not only on the HOME itself, but also on all the directories and files contained in this HOME. Example:
setfacl --set=u::rwx,u:login2:rwx,g::r-x,o::---,m::rwx /chemin/vers/home/grp/login1
  • An ACL on the HOME directory, implying write permissions for a different user than the owner of the account, makes the SSH key authentication mechanism inoperative (a connection via SSH would then require an account password). For the SSH keys to function, you must verify that the “maximum” Unix permissions are on the HOME (no write permissions for the group and the other users):
[login1@ergon1:~]$ ls -lLd ~
drwxr-xr-x+ 9 login1 grp 4096 Apr 13 09:42 /chemin/vers/home/grp/login1

The option -L is important as the HOME directories on Ergon are symbolic links. The procedure for making your SSH key operative again consists of first activating the ACLs and, afterwards, changing the Unix permissions: From the Ergon HOME, you may use the command chmod 750 ~ which avoids giving access to everyone.

Adding a particular group to an ACL

Example: login1 wants to give specific permissions to the group ccc to access his Ergon HOME.

[login1@ergon1:~]$ cd $HOME
[login1@ergon1:~]$ setfacl --set=u::rwx,g::r-x,g:ccc:r-x,o::---,m::rwx .
[login1@ergon1:~]$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
group::r-x
group:ccc:r-x
mask::rwx
other::---
  • With the obligatory field u::rwx, the owner login1 has rwx permissions on his HOME directory. Attention: without these permissions, the HOME can no longer be accessed by the owner, because it is blocked by the ACL even if the Unix permissions have been set.
  • With the obligatory field g::r-x, the users belonging to the owner's group (grp) have r-x permissions: they can see the contents of the directory but they cannot write in it.
  • With the obligatory field o::---, no other user has any permissions on this directory.
  • With the field g:ccc:r-x, you add r-x permissions for the users belonging to the group ccc: the group will then be able to see the contents of the directory but not write in it.
  • Do not forget the mask (field m::rwx): if it is empty (m::---), the field g:ccc:r-x is inoperative.

ATTENTION :

  • You should not use the following command with the complete PATH as this would set the ACLs not only on the HOME itself, but also on all the directories and files contained in this HOME:
setfacl --set=u::rwx,g::r-x,g:ccc:r-x,o::---,m::rwx /chemin/vers/home/grp/login1
  • An ACL on the HOME directory, implying write permissions for a different user than the owner of the account, makes the SSH key authentication mechanism inoperative (a connection via SSH would then require an account password). For the SSH keys to function, you must verify that the following “maximum” Unix permissions are on the HOME (no write permissions for the group and the other users):
[login1@ergon1:~]$ ls -lLd ~
drwxr-xr-x+ 9 login1 grp 4096 Apr 13 09:42 /chemin/vers/home/grp/login1

The option -L is important as the HOME directories on Ergon are symbolic links. The procedure for making your SSH key operative again consists of first activating the ACLs and, afterwards, changing the Unix permissions. From the Ergon HOME, you may use the command chmod 750 ~ which avoids giving access to everyone.

Updating an ACL

To modify the ACLs, you can use the setfacl command with either:

  • The --set=… option: the previously set ACLs will be overwritten.
  • The -m … option: the existing ACLs will be modified.

Note that you must specify at least the fields u::rwx, g::…, o::--- and not forget the mask m::rwx to be sure that the ACLs positioned for the specified group(s) (ccc and grp in the example below) will be effective.

Firstly, you set the ACLs for the group ccc:

[login1@ergon1:~]$ cd $HOME

[login1@ergon1:~]$ setfacl --set=u::rwx,g::r-x,g:ccc:r-x,o::---,m::rwx .
[login1@ergon1:~]$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
group::r-x
group:ccc:r-x
mask::rwx
other::---

Then you modify the ACL by changing the group:

[login1@ergon1:~]$ setfacl --set=u::rwx,g::r-x,g:grp:r-x,o::---,m::rwx .
[login1@ergon1:~]$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
group::r-x
group:grp:r-x
mask::rwx
other::---

This time, you modify the ACLs by adding a second group:

[login1@ergon1:~]$ setfacl -m u::rwx,g::r-x,g:ccc:r-x,o::---,m::rwx .
[login1@ergon1:~]$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
group::r-x
group:grp:r-x
group:ccc:r-x
mask::rwx
other::---

Deleting an ACL

To delete an ACL, you can use the setfacl command with the option -b:

[login1@ergon1:~]$ cd $HOME
[login1@ergon1:~]$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
group::r-x
group:ccc:r-x
mask::rwx
other::---

[login1@ergon1:~]$ setfacl -b .
[login1@ergon1:~]$ ls -ld .
drwxr-x---  2 login1 grp  8192 2014-03-29 11:00 .
[login1@ergon1:~]$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
group::r-x
other::---

Advice for using the ACLs

We advise you to place an ACL only on your HOME directory to filter the access, then position the Unix permissions on the files and directories the ACL contains by using the chmod command.

For example, we are in the login1 account on Ergon:

[login1@ergon1:~]$ cd $HOME
[login1@ergon1:~]$ setfacl --set=u::rwx,u:login3:rwx,g::r-x,g:bbb:r-x,o::---,m::rwx .
[login1@ergon1:~]$ chmod 757 file
[login1@ergon1:~]$ ls -ld . file
drwxrwx---+ 0 login1 grp 4096 2014-03-30 11:46 .
-rwxr-xrwx  0 login1 grp 1001 2014-03-30 11:46 file

[login1@ergon1:~]$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
user:login3:rwx
group::r-x
group:bbb:r-x
mask::rwx
other::---

If we analyse these access permissions, we can see that:

  • User login3 has the rwx ACL on the HOME and the rwx Unix permissions (field: other) on file. This user therefore has read and write access to the file contained in the HOME of login1. Note that this user can also create new files and directories in the HOME of login1 through the ACL. Moreover, the user can modify the contents of the subdirectories if the Unix permissions (field: other) allow it.
  • The owner group (grp) has the r-x ACL on the HOME and the r-x Unix permissions (field: group) on file. As a result, the members of the group grp can read the file but not write in (or modify) it. The group members cannot create anything directly in the HOME of login1 (ACL). However, they can modify the contents of the subdirectories if the Unix permissions (field: group) allow it.
  • Group bbb has the r-x ACL on the HOME but the rwx Unix permissions (field: other) on file. The members of the bbb group can therefore go through the HOME and read or write (and so modify or overwrite) file, which is perhaps an undesired result. Like grp, they cannot create anything directly in the HOME of login1 (ACL), but they can modify the contents of the subdirectories if the Unix permissions (field: other) allow it.
  • To prevent the group bbb from overwriting file, you could be tempted to remove the Unix write permission from the other field by using the chmod 755 file command. However, this would also prevent login3 from modifying the file.

In this case, it's also necessary to put an ACL on file:

[login1@ergon1:~]$ setfacl --set=u::rwx,u:login3:rwx,g::r-x,g:bbb:r-x,o::---,m::rwx file
[login1@ergon1:~]$ getfacl file
# file: file
# owner: login1
# group: grp
user::rwx
user:login3:rwx
group::r-x
group:bbb:r-x
mask::rwx
other::---
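To make the mask rule (an empty m::--- silences every u:login and g:group entry) and the HOME-ACL-plus-file-permissions analysis above concrete, here is an added Python model of the POSIX ACL access check applied to ACL strings in the setfacl --set syntax used on this page. It is not IDRIS or Ergon code and does not call setfacl; the account and group names (login3, bbb, alice, bob, eve) and the ACL strings are constructed for the example.

```python
# Model of the POSIX.1e ACL access check: owner entry, then named user entry,
# then owning/named group entries (all through the mask), then the other entry.
# Constructed example, not IDRIS/Ergon code; it evaluates ACL strings only.

def parse_acl(spec):
    """Parse 'u::rwx,u:login2:rwx,g::r-x,o::---,m::rwx' into (tag, qualifier, perms)."""
    entries = []
    for field in spec.split(","):
        tag, qualifier, perms = field.split(":")
        entries.append((tag, qualifier, frozenset(perms.replace("-", ""))))
    return entries

def check(spec, owner, owner_group, user, groups, want):
    """True if `user` (member of `groups`) holds every permission in `want` under `spec`."""
    acl = parse_acl(spec)
    want = frozenset(want)
    mask = next((p for t, _, p in acl if t == "m"), None)
    masked = (lambda p: p & mask) if mask is not None else (lambda p: p)
    # 1. File owner: the u:: entry applies and is never limited by the mask.
    if user == owner:
        return want <= next(p for t, q, p in acl if t == "u" and q == "")
    # 2. Named user (u:login:...): the mask caps what the entry grants.
    for t, q, p in acl:
        if t == "u" and q == user:
            return want <= masked(p)
    # 3. Owning group (g::) and named groups (g:group:...): any matching entry may grant,
    #    each through the mask; a group match that grants nothing never falls back to o::.
    matches = [masked(p) for t, q, p in acl
               if t == "g" and ((q == "" and owner_group in groups) or (q and q in groups))]
    if matches:
        return any(want <= p for p in matches)
    # 4. Everyone else: the o:: entry, not limited by the mask.
    return want <= next(p for t, q, p in acl if t == "o")

# Constructed scenario from the "Advice" section: an ACL on HOME, plain Unix
# permissions on file (chmod 757 is equivalent to u::rwx,g::r-x,o::rwx), and
# the corrected per-file ACL.
HOME_ACL = "u::rwx,u:login3:rwx,g::r-x,g:bbb:r-x,o::---,m::rwx"
FILE_UNIX = "u::rwx,g::r-x,o::rwx"
FILE_ACL = "u::rwx,u:login3:rwx,g::r-x,g:bbb:r-x,o::---,m::rwx"

def can_write_file(file_spec, user, groups):
    """The user must be able to traverse (x) HOME and write (w) the file itself."""
    return (check(HOME_ACL, "login1", "grp", user, groups, "x")
            and check(file_spec, "login1", "grp", user, groups, "w"))

if __name__ == "__main__":
    for who, grps in (("login3", {"ccc"}), ("alice", {"bbb"}), ("bob", {"grp"}), ("eve", {"zzz"})):
        print(who, "unix perms:", can_write_file(FILE_UNIX, who, grps),
              "per-file ACL:", can_write_file(FILE_ACL, who, grps))
```

Running it shows that with only Unix permissions on file, both login3 and a bbb member can write it, whereas with the per-file ACL only login3 keeps write access, which is the result the section above aims for.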