The idracl command

Data sharing between members of different Unix groups is sometimes a necessity. In this case, it is simpler to give data access to all those who need it rather than duplicating the data, which raises problems of storage volume and consistency. This type of data sharing requires opening access rights on one or more directories but, for reasons of security, you must be careful not to be too permissive.

Complementing the Unix access rights, the ACL rights control data access more finely. The ACL allows opening rights for one or several specific logins as well as for one or more clearly identified Unix groups. However, setting the ACL rights can be tricky, especially for users who are not familiar with this. This is the reason that IDRIS has developed the idracl command which allows you to easily add or delete the ACL rights on your HOME, WORKDIR and ARCHIVE directories.

Note that the reasons for using this command are further justified in the security rules found on the following page: How to configure the access rights to your data. To set the access rights to your disk spaces on our machines, we recommend that you follow the specific instructions found on that page.

The idracl command accepts several options which are indicated through a simple call to the command:

$ idracl

la "idracl" permet de gerer les acces bases sur des ACLs
en mode "r-x" des repertoires :
 /path/to/your/home  ($HOME) ; le defaut
 /path/to/your/workdir  ($WORKDIR)
 /path/to/your/archive  ($ARCHIVE)

Syntaxe :

idracl [ -e | -w ] { -l | -a | -d | -z } { -u login | -g groupe }
 -e : ergon, actions a effectuer sur /chemin/vers/votre/archive
 -w : work, actions a effectuer sur /chemin/vers/votre/workdir
 -l : liste les logins et/ou groupes autorises
 -a { -u login | -g groupe } : autorise le login ou le groupe
 -d { -u login | -g groupe } : supprime l'acces pour le login ou le groupe
 -z : supprime tous les acces

Note that the idracl command takes two types of options, and which ones are available depends on the machine you are connected to:

  1. The options indicating the disk space on which you want to add, remove or list the ACL rights:
    • Option -e for the ARCHIVE disk space: exists exclusively for Adapp which is the only machine with the ARCHIVE variable.
    • Option -w for the WORKDIR: exclusively for the computing machines.
    • Without the -e and -w options, the idracl command sets the ACL rights on the HOME, by default.
  2. The options indicating the action to take:
    • Option -l allows you to list the logins and/or groups authorised to access the directory.
    • Option -a { -u login | -g group } allows you to add the ACL rights on a directory for a given login or group; successive calls to the command allow you to authorise several logins and/or groups.
    • Option -d { -u login | -g group } allows you to delete the ACL rights on a directory for a given login or group; successive calls to the command allow you to delete several logins and/or groups.
    • Option -z allows you to delete all the ACLs of a directory; access to the directory is then controlled only by the Unix rights.

Comments:

  1. The ACL rights set by the idracl command do not authorise others (besides the owner) to write on the concerned directory: HOME, WORKDIR or ARCHIVE (another person cannot, therefore, create a file or a sub-directory there). The ACL rights only allow access to the concerned directory itself. Note that this is sufficient to give access to the file(s) and sub-directories which are in the concerned directory and for which the Unix rights are open to people other than the owner.
  2. It is important to restrict the Unix rights of the files and sub-directories which you do not want to share in order to prevent an ill-intentioned person from modifying the contents. Remember to restrict access to your hidden files and directories by using the command, chmod go-rwx $HOME/.[!\.]*.
  3. The data to be shared is placed in one or more sub-directories for which you set the Unix rights according to the desired sharing mode (read, write or both).
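The three comments above describe one procedure: open the top-level directory by ACL, close everything you do not share (hidden files first), and put shared data in sub-directories whose Unix rights match the sharing mode. The following POSIX shell script is an added example, not part of the IDRIS page or of the idracl tool: it does not set any ACL (that is what idracl does on the IDRIS machines) but audits and tightens the Unix rights that the ACL will expose. The function names, the scratch tree built by demo, and the 750/770 modes chosen for read-only and read-write sharing are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the IDRIS page or the idracl tool): audit and tighten
# the Unix rights of a directory that is, or will be, opened r-x by ACL.
# Assumes only POSIX sh, find, chmod, ls, cut and mktemp.

# List every entry under $1 whose group or other write bit is set.
# Once the parent directory is opened by ACL, these are the entries another
# user could modify, so this is the list to review.
find_group_other_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -print | sort
}

# Apply the page's "chmod go-rwx $HOME/.[!\.]*" advice to the hidden entries
# directly under $1 (the glob never matches . or ..).
restrict_hidden() {
    for entry in "$1"/.[!.]*; do
        [ -e "$entry" ] || continue
        chmod go-rwx "$entry"
    done
}

# Create the sub-directory $2 under $1 with Unix rights chosen by the sharing
# mode $3 (assumed convention): "ro" gives the group read and traverse only,
# "rw" also lets the group write. Others never get access.
make_shared_dir() {
    mkdir -p "$1/$2"
    case "$3" in
        ro) chmod 750 "$1/$2" ;;
        rw) chmod 770 "$1/$2" ;;
        *)  echo "unknown sharing mode: $3" >&2; return 1 ;;
    esac
}

# Portable view of the permission bits: the first 10 columns of ls -ld,
# e.g. "drwxr-x---" (any trailing "+" for ACLs is in column 11).
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Demonstration on a constructed scratch tree standing in for $HOME.
demo() {
    home=$(mktemp -d)
    mkdir "$home/.ssh"
    chmod 755 "$home/.ssh"                       # deliberately too open
    : > "$home/private.txt"
    chmod 664 "$home/private.txt"                # group-writable by mistake
    make_shared_dir "$home" shared_ro ro
    make_shared_dir "$home" shared_rw rw

    echo "Before tightening, group/other-writable entries:"
    find_group_other_writable "$home"

    restrict_hidden "$home"
    chmod go-w "$home/private.txt"

    echo "After tightening (only shared_rw should remain, by design):"
    find_group_other_writable "$home"
    echo ".ssh is now $(mode_string "$home/.ssh")"
    rm -rf "$home"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh share_audit.sh demo` to see the before/after listing; the functions can also be sourced and pointed at a real directory. The audit deliberately flags the read-write shared sub-directory too: group-writable entries are not wrong in themselves, but each one should be an entry you chose to share.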

Some examples of using the idracl command:

  • Adding the ACL rights (option -a) on the ARCHIVE space (option -e, only from the Adapp pre-/post-processing machine) to authorise access to members of the Unix group grp2 (assuming this is not the group of the directory owner). Note that once ACL rights are set, the ls -ld command does not necessarily show the true access rights of the directory (in the example below, the r-x rights are those of grp2 and not of the owner's group, grp), and it displays a + sign just after the access rights:
    $ idracl -e -a -g grp2 
    $ idracl -e -l
    Liste des logins et groupes autorises a acceder 
     a mon espace /path/to/your/archive
    ===============================================
     logins autorises : 
     groupes autorises : grp2
    
    $ ls -ld $ARCHIVE
    drwxr-x---+ 19 login grp 131072 Nov 16  2015 /path/to/your/archive
  • Adding the ACL rights (option -a) on the WORKDIR disk space (option -w) for two logins (login1 and login2) and two Unix groups (grp1 and grp2) by making several calls to the command:
    $ idracl -w -a -u login1 
    $ idracl -w -a -u login2 
    $ idracl -w -a -g grp1 
    $ idracl -w -a -g grp2 
    
    $ idracl -w -l
    Liste des logins et groupes autorises a acceder 
     a mon espace /path/to/your/workdir
    ===============================================
     logins autorises : login1 login2
     groupes autorises : grp1 grp2
  • The idracl command also permits deleting the ACL rights, either partially (option -d) or totally (option -z). For example, with the HOME:
    $ idracl -l
    Liste des logins et groupes autorises a acceder 
     a mon espace /path/to/your/home
    ===============================================
     logins autorises : login1
     groupes autorises : grp1 grp2
    
    $ idracl -d -g grp1 
    $ idracl -l
    Liste des logins et groupes autorises a acceder 
     a mon espace /path/to/your/home
    ===============================================
     logins autorises : login1
     groupes autorises : grp2
    
    $ idracl -z 
    $ idracl -l
    Liste des logins et groupes autorises a acceder 
     a mon espace /path/to/your/home
    ===============================================
     logins autorises : 
     groupes autorises :