Ergon : File access management, ACL

Unix permissions

Unix permissions allow giving different access rights in read, write and/or execution for each of the following categories:

  • The file owner
  • Users belonging to the same Unix group as the file owner
  • All the other users

The Unix permissions may be modified by simply using the chmod command (for more information, see man chmod). Most of the time, the Unix permissions are sufficient. However, by using the ACLs (Access Control Lists), you can control the access to your data more precisely: for example, giving access to one (and only one) user, no matter from which group.

The ACLs

If you wish to give access permissions to a particular user and/or group, you can define an ACL (Access Control List) for the chosen file or directory. The general syntax is as follows:

  setfacl ACL_OPTIONS directory

ACL_OPTIONS can have one of the following forms:

  • To create or replace an existing ACL:
--set=u::rwx,[u:login:[r|-][w|-][x|-]],g::[r|-][w|-][x|-],[g:group:[r|-][w|-][x|-]],o::[r|-][w|-][x|-][,m::rwx]
  • To modify an existing ACL:
-m u::rwx,[u:login:[r|-][w|-][x|-]],g::[r|-][w|-][x|-],[g:group:[r|-][w|-][x|-]],o::[r|-][w|-][x|-][,m::rwx]
  • To delete an existing ACL:
-b

For more information, type the command man setfacl.

Important comments:

  • The rwx permissions have the same meaning as the classic Unix rwx permissions.
  • A syntactically valid ACL must contain the three following fields separated by commas:
    • A field beginning with u (as in user) without mentioning the login corresponds to the permissions given to the file or directory owner. For a directory (or an executable file), we advise you to position:
      u::rwx
      and for a file:
      u::rw
    • A field beginning with g (as in group) without mentioning which group corresponds to the permissions given to the file owner's group:
      g::[r|-][w|-][x|-]
    • A field beginning with o (as in other) without any mention corresponds to the permissions given to users who are not mentioned in sections u and g :
      o::[r|-][w|-][x|-].

Using the setfacl command with only these three fields gives the same permissions as the chmod command. For example, the following setfacl command gives all the permissions to the owner of the directory my_directory and allows members of the owner's group to consult the directory contents in read-only mode (equivalent to the chmod command):

setfacl --set=u::rwx,g::r-x,o::--- my_directory

Attention: Access to the subdirectories and files contained in my_directory remains controlled by the Unix permissions.

  • To expand the access permissions, it is necessary to modify the u field and/or the g field, in addition to adding an m field:
    • The u field with mention of the login, corresponding to the permissions given to a particular user:
      u:login:[r|-][w|-][x|-]
    • The g field with mention of the group, corresponding to the permissions attributed to the entirety of the specified group:
      g:group:[r|-][w|-][x|-]
    • It is obligatory to have a field beginning with m (as in mask) which defines the maximum (or exact) permissions of the users concerned by the u:login:… and/or g:group:… fields. It is advised to give the highest level of permissions (m::rwx) to this mask in order to not restrict the permissions given to a login and/or to a group. For more information, see the following section of this document: Dependencies between ACL and Unix permissions. You will find setfacl command usage examples in these two sections : Adding a particular user to an ACL and Adding a particular group to an ACL.
  • All the management commands of the Ergon ACLs can be entered from a session on Adapp; you can then access your Ergon HOME by using the $ARCHIVE environment variable:
 [rlab001@ada336:~]$ cd $ARCHIVE
 [rlab001@ada336: rlab001] ls -ld directory_with_acl directory_without_acl
 drwxr-x---+ 2 rlab001 lab  8192 2014-03-29 11:00 directory_with_acl
 drwxr-x---  2 rlab001 lab  8192 2014-03-29 11:00 directory_without_acl

Note: In the examples which follow, the commands are all entered from Ergon for consistency, but this is not at all required: they can also be entered from other machines.

Viewing the ACLs

The getfacl command gives a detailed display of the ACLs which are positioned on a directory or a file (for more information, see the manual, man getfacl):

     getfacl directory

Note: The -l option of the ls command displays the classic Unix permissions and also shows whether ACLs are positioned: a + sign appears just after the Unix permissions.

[rlab001@ergon1:~]$ ls -ld directory_with_acl directory_without_acl
drwxr-x---+ 2 rlab001 lab  8192 2014-03-29 11:00 directory_with_acl
drwxr-x---  2 rlab001 lab  8192 2014-03-29 11:00 directory_without_acl

[rlab001@ergon1:~]$ ls -l file_with_acl file_without_acl
-rwx------+ 2 rlab001 lab  8192 2014-03-29 11:00 file_with_acl
-rwx------  2 rlab001 lab  8192 2014-03-29 11:00 file_without_acl

Adding a particular user to an ACL

For example, rlab001 wants to give specific permissions to user rext001 to access his Ergon HOME.

[rlab001@ergon1:~]$ cd $HOME
[rlab001@ergon1:~]$ setfacl --set=u::rwx,u:rext001:rwx,g::r-x,o::---,m::rwx .
[rlab001@ergon1:~]$ getfacl .
# file: .
# owner: rlab001
# group: lab
user::rwx
user:rext001:rwx
group::r-x
mask::rwx
other::---
  • With the obligatory field u::rwx, the owner rlab001 has rwx permissions on his HOME directory. Attention, without these permissions, the HOME can no longer be accessed by the owner: it would be blocked by the ACLs even if the Unix permissions have been positioned.
  • With the obligatory field g::r-x, the users belonging to the owner's group (lab) have r-x permissions. They can see the contents of the directory but they cannot write in it.
  • With the obligatory field o::---, no other user has any permissions on this directory.
  • With the field u:rext001:rwx, you add rwx permissions for the particular user rext001: this user will then be able to read and write in the HOME directory of rlab001.
  • Do not forget the mask (field m::rwx): if it is empty (m::---), the field u:rext001:rwx will be inoperative.

ATTENTION :

  • You should not use the setfacl command with the complete PATH as this would position the ACLs not only on the HOME itself, but also on all the directories and files contained in this HOME. Example:
setfacl --set=u::rwx,u:rext001:rwx,g::r-x,o::---,m::rwx /linkhome/rech/lab/rlab001
  • An ACL which grants write permission on a HOME directory to a user other than the owner makes the SSH key authentication mechanism inoperative (an SSH connection would then require the account password). For the SSH keys to work, you must verify that the permissions on the HOME are restricted (i.e. no write permission for the group or for other users). Example:
[rlab001@ergon1:~]$ ls -lLd ~
drwxr-xr-x+ 9 rgrp001 grp 4096 Apr 13 09:42 /linkhome/rech/grp/rgrp001

The -L option is important because the HOME directories on Ergon are symbolic links. The procedure for making your SSH key operative again consists of first activating the ACLs and, afterwards, changing the Unix permissions. From the Ergon HOME, you may use the command chmod 750 ~: this command avoids giving access to everyone.

Adding a particular group to an ACL

Example: rlab001 wants to give specific permissions to group ext to access his Ergon HOME.

[rlab001@ergon1:~]$ cd $HOME
[rlab001@ergon1:~]$ setfacl --set=u::rwx,g::r-x,g:ext:r-x,o::---,m::rwx .
[rlab001@ergon1:~]$ getfacl .
# file: .
# owner: rlab001
# group: lab
user::rwx
group::r-x
group:ext:r-x
mask::rwx
other::---
  • With the obligatory field u::rwx, the owner rlab001 has rwx permissions on his HOME directory. Attention, without these permissions, the HOME can no longer be accessed by the owner: it would be blocked by the ACLs even if the Unix permissions have been positioned.
  • With the obligatory field g::r-x, the users belonging to the owner's group (lab) have r-x permissions: they can see the contents of the directory but they cannot write in it.
  • With the obligatory field o::---, no other user has any permissions on this directory.
  • With the field g:ext:r-x, you add r-x permissions for the users belonging to the group ext: the group will then be able to see the contents of the directory but not write in it.
  • Do not forget the mask (field m::rwx): if it is empty (m::---), the field g:ext:r-x will be inoperative.

ATTENTION :

  • You should not use the setfacl command with the complete PATH as this would position the ACLs not only on the HOME itself, but also on all the directories and files contained in this HOME. Example:
setfacl --set=u::rwx,u:rext001:rwx,g::r-x,o::---,m::rwx /linkhome/rech/lab/rlab001
  • An ACL which grants write permission on a HOME directory to a user other than the owner makes the SSH key authentication mechanism inoperative (an SSH connection would then require the account password). For the SSH keys to work, you must verify that the permissions on the HOME are restricted (i.e. no write permission for the group or for other users). Example:
[rlab001@ergon1:~]$ ls -lLd ~
drwxr-xr-x+ 9 rgrp001 grp 4096 Apr 13 09:42 /linkhome/rech/grp/rgrp001

The -L option is important because the HOME directories on Ergon are symbolic links. The procedure for making your SSH key operative again consists of first activating the ACLs and, afterwards, changing the Unix permissions. From the Ergon HOME, you may use the command chmod 750 ~, which avoids giving access to everyone.

Updating an ACL

To modify the ACLs, you can use the setfacl command with either:

  • The --set=… option: the previously positioned ACLs will then be overwritten.
  • The -m … option: the existing ACLs will be modified.

Note that you must specify at least the fields u::rwx, g::…, o::--- and not forget the mask m::rwx, to be sure that the ACLs positioned for the specified group(s) (ext and grp in the example below) will be effective.

Firstly, you position the ACLs for the group ext:

[rlab001@ergon1:~]$ cd $HOME
[rlab001@ergon1:~]$ setfacl --set=u::rwx,g::r-x,g:ext:r-x,o::---,m::rwx .
[rlab001@ergon1:~]$ getfacl .
# file: .
# owner: rlab001
# group: lab
user::rwx
group::r-x
group:ext:r-x
mask::rwx
other::---

Then you modify the ACL by changing the group:

[rlab001@ergon1:~]$ setfacl --set=u::rwx,g::r-x,g:grp:r-x,o::---,m::rwx .
[rlab001@ergon1:~]$ getfacl .
# file: .
# owner: rlab001
# group: lab
user::rwx
group::r-x
group:grp:r-x
mask::rwx
other::---

This time, you modify the ACLs by adding a second group:

[rlab001@ergon1:~]$ setfacl -m u::rwx,g::r-x,g:ext:r-x,o::---,m::rwx .
[rlab001@ergon1:~]$ getfacl .
# file: .
# owner: rlab001
# group: lab
user::rwx
group::r-x
group:grp:r-x
group:ext:r-x
mask::rwx
other::---

Deleting an ACL

To delete an ACL, you can use the setfacl command with the -b option:

[rlab001@ergon1:~]$ cd $HOME
[rlab001@ergon1:~]$ getfacl .
# file: .
# owner: rlab001
# group: lab
user::rwx
group::r-x
group:ext:r-x
mask::rwx
other::---

[rlab001@ergon1:~]$ setfacl -b .
[rlab001@ergon1:~]$ ls -ld .
drwxr-x---  2 rlab001 lab  8192 2014-03-29 11:00 .
[rlab001@ergon1:~]$ getfacl .
# file: .
# owner: rlab001
# group: lab
user::rwx
group::r-x
other::---

Advice for using the ACLs

We advise you to place an ACL only on your HOME directory to filter the access, and then to position the Unix permissions on the files and directories it contains by using the chmod command.

For example, we are in the rlab001 account on Ergon:

[rlab001@ergon1:~]$ cd $HOME
[rlab001@ergon1:~]$ setfacl --set=u::rwx,u:raaa001:rwx,g::r-x,g:bbb:r-x,o::---,m::rwx .
[rlab001@ergon1:~]$ chmod 757 file
[rlab001@ergon1:~]$ ls -ld . file
drwxrwx---+ 0 rlab001 lab 4096 2014-03-30 11:46 .
-rwxr-xrwx  0 rlab001 lab 1001 2014-03-30 11:46 file

[rlab001@ergon1:~]$ getfacl .
# file: .
# owner: rlab001
# group: lab
user::rwx
user:raaa001:rwx
group::r-x
group:bbb:r-x
other::---

If we analyse these access permissions, we can see that:

  • User raaa001 has rwx ACLs on HOME and rwx Unix permissions (field: other) on file. This user, therefore, has read and write access to the file contained in the rlab001 HOME. Note that this user can also create new files and directories in the rlab001 HOME through the ACLs. Moreover, the user can modify the content of the subdirectories if this is authorised by the Unix permissions (field: other).
  • The owner group (lab) has the r-x ACL on the HOME and the r-x Unix permissions (field: group) on file. As a result, the members of the group lab can read the file but not write in (or modify) it. The group members cannot create anything directly in the rlab001 HOME (ACL). However, they can modify the content of the subdirectories if this is authorised by the Unix permissions (field: group).
  • Group bbb, however, has the r-x ACL on the HOME and the rwx Unix permissions (field: other) on file. The members of the bbb group can, therefore, go through the HOME and read or write (and so modify or overwrite) file, which is perhaps an undesired result. Like the members of lab, they cannot create anything directly in the rlab001 HOME (ACL), but they can modify the content of the subdirectories if this is authorised by the Unix permissions (field: other).
  • To prevent the group bbb from overwriting file, you could be tempted to remove the Unix write permission in the other field by using the chmod 755 file command. However, this would also prevent raaa001 from modifying the file. The way out is to position an ACL on file itself, which keeps rwx for raaa001 while limiting bbb to r-x:
[rlab001@ergon1:~]$ setfacl --set=u::rwx,u:raaa001:rwx,g::r-x,g:bbb:r-x,o::---,m::rwx file
[rlab001@ergon1:~]$ getfacl file
# file: file
# owner: rlab001
# group: lab
user::rwx
user:raaa001:rwx
group::r-x
group:bbb:r-x
other::---
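The following is an added example, not code from the Ergon documentation or from the acl tools: a small Python model of how the ACL entries, the mask and the classic Unix permissions combine, following the evaluation order described in acl(5). It reproduces two points of this page without touching a filesystem: the "do not forget the mask" remark (the same u:rext001:rwx entry with m::rwx and with m::---), and the analysis in "Advice for using the ACLs" (ACL on the HOME, chmod 757 on file, then an ACL on file). Logins and groups are the page's; the group memberships in advice_example() (raaa001 belonging to neither lab nor bbb) are constructed assumptions.

```python
# Added example (not part of the Ergon documentation or of the acl tools): a
# small model of how ACL entries, the mask and the classic Unix permissions
# combine, so that the setfacl/getfacl results on this page can be reasoned
# about offline.  Logins and groups are the page's; the group memberships in
# advice_example() are constructed assumptions.

PERM_BITS = {"r": 4, "w": 2, "x": 1}
BASE = {"u": "owner", "user": "owner", "g": "group", "group": "group",
        "o": "other", "other": "other", "m": "mask", "mask": "mask"}


def parse_perms(text):
    """'rwx' -> 7, 'r-x' -> 5, 'rw' -> 6 (setfacl accepts the short form), '---' -> 0."""
    bits = 0
    for ch in text:
        if ch in PERM_BITS:
            bits |= PERM_BITS[ch]
        elif ch != "-":
            raise ValueError("bad permission letter %r in %r" % (ch, text))
    return bits


def describe(bits):
    """7 -> 'rwx', 5 -> 'r-x', 0 -> '---', as getfacl prints them."""
    return "".join(ch if bits & bit else "-" for ch, bit in PERM_BITS.items())


def parse_acl_spec(spec):
    """Parse a setfacl --set / -m argument such as
    'u::rwx,u:rext001:rwx,g::r-x,o::---,m::rwx' into a dict of entries."""
    acl = {"owner": None, "users": {}, "group": None,
           "groups": {}, "other": None, "mask": None}
    for field in spec.split(","):
        parts = field.split(":")
        if len(parts) != 3:
            raise ValueError("malformed ACL field %r" % field)
        tag, qualifier, bits = parts[0], parts[1], parse_perms(parts[2])
        if tag in ("u", "user") and qualifier:
            acl["users"][qualifier] = bits        # u:login:perms, a named user
        elif tag in ("g", "group") and qualifier:
            acl["groups"][qualifier] = bits       # g:group:perms, a named group
        elif tag in BASE:
            acl[BASE[tag]] = bits                 # u::, g::, o:: and the mask m::
        else:
            raise ValueError("unknown ACL tag %r" % tag)
    return acl


def acl_from_mode(mode):
    """Minimal ACL equivalent to a chmod mode: 0o757 -> u::rwx,g::r-x,o::rwx, no mask."""
    return {"owner": (mode >> 6) & 7, "users": {}, "group": (mode >> 3) & 7,
            "groups": {}, "other": mode & 7, "mask": None}


def effective_access(acl, owner, owning_group, user, user_groups):
    """Bits granted by the POSIX ACL algorithm: the owner and other entries are
    never masked; a named user, the owning group and named groups are ANDed
    with the mask when one exists.  Group entries are unioned here, which gives
    the same answer as the standard's 'any matching group entry grants' rule."""
    mask = 7 if acl["mask"] is None else acl["mask"]
    if user == owner:
        return acl["owner"]
    if user in acl["users"]:
        return acl["users"][user] & mask
    matching = [acl["group"] for g in user_groups if g == owning_group]
    matching += [acl["groups"][g] for g in user_groups if g in acl["groups"]]
    if matching:
        group_bits = 0
        for bits in matching:
            group_bits |= bits
        return group_bits & mask
    return acl["other"]


def mask_example():
    """The 'do not forget the mask' point: same entries with m::rwx and with m::---."""
    full = parse_acl_spec("u::rwx,u:rext001:rwx,g::r-x,o::---,m::rwx")
    empty = parse_acl_spec("u::rwx,u:rext001:rwx,g::r-x,o::---,m::---")
    return (describe(effective_access(full, "rlab001", "lab", "rext001", ["ext"])),
            describe(effective_access(empty, "rlab001", "lab", "rext001", ["ext"])))


def advice_example():
    """The 'Advice' scenario: ACL on HOME, chmod 757 on file, then an ACL on file.
    Returns {who: (access to HOME, to file via Unix bits, to file via its ACL)}."""
    home = parse_acl_spec("u::rwx,u:raaa001:rwx,g::r-x,g:bbb:r-x,o::---,m::rwx")
    file_unix = acl_from_mode(0o757)
    file_acl = parse_acl_spec("u::rwx,u:raaa001:rwx,g::r-x,g:bbb:r-x,o::---,m::rwx")
    # Constructed memberships: raaa001 is assumed to belong to neither lab nor bbb.
    who = {"raaa001": ["aaa"], "lab member": ["lab"], "bbb member": ["bbb"]}
    return {user: tuple(describe(effective_access(acl, "rlab001", "lab", user, groups))
                        for acl in (home, file_unix, file_acl))
            for user, groups in who.items()}


if __name__ == "__main__":
    print("rext001 with m::rwx then m::---:", mask_example())
    for user, (home, f_unix, f_acl) in advice_example().items():
        print("%-10s HOME %s  file after chmod 757 %s  file with ACL %s" % (user, home, f_unix, f_acl))
```

Running the script shows the mask turning u:rext001:rwx into --- when it is empty, and for the Advice scenario that a bbb member gets rwx on file through the Unix "other" bits after chmod 757, but only r-x once the ACL is positioned on file, while raaa001 keeps rwx in both cases. The model deliberately ignores everything the kernel checks beyond the entry match (path traversal on each intermediate directory, root privileges), so it is a reasoning aid for the examples on this page rather than a replacement for testing with getfacl.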