The idracl command
Data sharing between members of different Unix groups is sometimes a necessity. In this case, it is simpler to allow data access to all those who need it rather than duplicating the data, implying problems of volumetry and coherence. This type of data sharing requires opening access rights on one or more directories but, for reasons of security, you must be careful to not be too permissive.
Complementing the Unix access rights, the ACL rights control data access more finely. The ACL allows opening rights for one or several specific logins as well as for one or more clearly identified Unix groups. However, setting the ACL rights can be tricky, especially for users who are not familiar with this. This is the reason that IDRIS has developed the idracl command which allows you to easily add or delete the ACL rights on your HOME, WORKDIR and ARCHIVE directories.
Note that the reasons for using this command are further justified in the security rules found on the following page: How to configure the access rights to your data. To set the access rights to your disk spaces on our machines, we recommend that you follow the specific instructions found on that page.
The idracl command accepts several options which are indicated through a simple call to the command:
$ idracl
la "idracl" permet de gerer les acces bases sur des ACLs
en mode "r-x" des repertoires: :
/path/to/your/home ($HOME) ; le defaut
/path/to/your/workdir ($WORKDIR)
/path/to/your/archive ($ARCHIVE)
Syntaxe :
idracl [ -e | -w ] { -l | -a | -d | -z } { -u login | -g groupe }
-e : ergon, actions a effectuer sur /chemin/vers/votre/archive
-w : work, actions a effectuer sur /chemin/vers/votre/workdir
-l : liste les logins et/or groupes authorises autorises
-a { -u login | -g groupe } : autorise le login ou le groupe
-d { -u login | -g groupe } : supprime l'acces pour le login ou le groupe
-z : supprime tous les acces
Note that the idracl command includes two types of options, and these depend on the machine on which you are connected :
- The options indicating the disk space on which you want to add, remove or list the ACL rights:
- Option
-efor theARCHIVEdisk space: exists exclusively for Adapp which is the only machine with theARCHIVEvariable. - Option
-wfor theWORKDIR: exclusively for the computing machines. - Without the
-eand-woptions, the idracl command sets the ACL rights on theHOME, by default.
- The options indicating the action to take:
- Option
-lallows you to list the logins and/or groups authorised to access the directory. - Option
-a { -u login | -g group }allows you to add the ACL rights on a directory for a givenloginorgroup; successive calls to the command allow you to authorise several logins and/or groups. - Option
-d { -u login | -g groupe }allows you to delete the ACL rights on a directory for a givenloginorgroup; successive calls to the command will allow you to delete several logins and/or groups. - Option
-zallows you to delete all the ACLs of a directory; access to the directory is then controlled only by the Unix rights.
Comments :
- The ACL rights set by the
idraclcommand do not authorise others (besides the owner) to write on the concerned directory:HOME,WORKDIRorARCHIVE(another person cannot, therefore, create a file or a sub-directory there). The ACL rights only allow access to the concerned directory itself. Note that this is sufficient to give access to the file(s) and sub-directories which are in the concerned directory and for which the Unix rights are open to people other than the owner. - It is important to restrict the Unix rights of the files and sub-directories which you do not want to share in order to prevent an ill-intentioned person from modifying the contents. Remember to restrict access to your hidden files and directories by using the command,
chmod go-rwx $HOME/.[!\.]*. - The data to be shared will be saved in one or more sub-directories for which you set the Unix rights in function of the desired sharing mode (read, write or both).
Some examples of using the idracl command:
- Adding the ACL rights (option
-a) on theARCHIVEspace (option-ebut only from the Adapp pre-/post-processing machine) to authorise access to members of the Unix group,grp2(assuming this is not the group of the directory owner). Note that when the ACL rights are set, thels -ldcommand does not necessarily return the true access rights of the directory (in the example below, ther-wrights are forgrp2and not for the owner's group,grp) and displays a+sign just after the access rights:$ idracl -e -a -g grp2 $ idracl -e -l Liste des logins et groupes autorises a acceder a mon espace /path/to/your/archive =============================================== logins autorises : groupes autorises : grp2 $ ls -ld $ARCHIVE drwxr-x---+ 19 login grp 131072 Nov 16 2015 /path/to/your/archive
- Adding the ACL rights (option
-a) on theWORKDIRdisk space (option-w) for two logins (login1andlogin2) and two Unix groups (grp1andgrp2) by making several calls to the command:$ idracl -w -a -u login1 $ idracl -w -a -u login2 $ idracl -w -a -g grp1 $ idracl -w -a -g grp2 $ idracl -w -l Liste des logins et groupes autorises a acceder a mon espace /path/to/your/workdir =============================================== logins autorises : login1 login2 groupes autorises : grp1 grp2
- The
idraclcommand also permits deleting the ACL rights, either partially (option-d) or totally (option-z). For example, with theHOME:$ idracl -l Liste des logins et groupes autorises a acceder a mon espace /path/to/your/home =============================================== logins autorises : login1 groupes autorises : grp1 grp2 $ idracl -d -g grp1 $ idracl -l Liste des logins et groupes autorises a acceder a mon espace /path/to/your/home =============================================== logins autorises : login1 groupes autorises : grp2 $ idracl -z $ idracl -l Liste des logins et groupes autorises a acceder a mon espace /path/to/your/home =============================================== logins autorises : groupes autorises :