Jean Zay: File access management, ACLs
Unix permissions
Unix permissions allow giving different access rights in read, write and/or execution to each of the following:
- The file owner
- Users belonging to the same Unix group as the file owner
- All the other users
The Unix permissions may be modified by simply using the chmod command (for more information, see man chmod). Most of the time, the Unix permissions are sufficient. However, by using ACLs (Access Control Lists), you can control access to your data more precisely: for example, by giving access to only one user, whatever group that user belongs to.
The ACLs
If you wish to give access rights to a particular user and/or group, you can define an ACL (Access Control List) for the chosen file or directory via the setfacl command. The general syntax is as follows:
$ setfacl ACL_OPTIONS directory
The ACL_OPTIONS can have one of the following forms:
- To create or replace an existing ACL:
--set=u::rwx,[u:login:[r|-][w|-][x|-]],g::[r|-][w|-][x|-],[g:group:[r|-][w|-][x|-]],o::[r|-][w|-][x|-][,m::rwx]
- To modify an existing ACL:
-m u::rwx,[u:login:[r|-][w|-][x|-]],g::[r|-][w|-][x|-],[g:group:[r|-][w|-][x|-]],o::[r|-][w|-][x|-][,m::rwx]
- To delete an existing ACL:
-b
For more information, type the man setfacl command.
Important comments:
- When you set ACL rights on a directory (for example $WORK/sub_dir/shared_dir) or on a file, you must also set ACL rights allowing access to each of the directories that make up the path to it (in this example, $WORK and sub_dir). Otherwise, access will be denied.
- The rwx rights have the same meaning as the classic Unix rwx permissions.
- A syntactically valid ACL must contain at least the following three fields, separated by commas:
  - A field beginning with u (for user) without mentioning a login: this corresponds to the rights given to the file or directory owner. For a directory (or an executable file), we advise you to set u::rwx, and for a file u::rw.
  - A field beginning with g (for group) without mentioning a group: this corresponds to the rights given to the file owner's group: g::[r|-][w|-][x|-]
  - A field beginning with o (for other) without any mention: this corresponds to the rights given to users who are not covered by the u and g fields: o::[r|-][w|-][x|-]
Using the setfacl command with only these three fields gives the same rights as the Unix chmod command and is therefore of little interest.
For example, the following setfacl command gives all rights to the owner (u::rwx) of my_directory and allows members of the owner's group (g::r-x) to consult the directory contents in read mode only:
$ setfacl --set=u::rwx,g::r-x,o::--- my_directory
Caution: all access to subdirectories and files contained in my_directory remains controlled by the Unix permissions.
To extend the access rights, it is necessary to add at least one of the following two fields (u, g) to the three fields listed above, and you must also add the last field (m):
- A u field with mention of the login, corresponding to the rights given to a particular user (here: login):
u:login:[r|-][w|-][x|-]
- A g field with mention of the group, corresponding to the rights given to all members of the specified group (here: group):
g:group:[r|-][w|-][x|-]
- It is obligatory to also have the field beginning with m (as in mask), which defines the maximum (or "effective") rights for the users concerned by the u:login:… and/or g:group:… fields. It is advised to give the highest level of rights to the mask (m::rwx) so as not to restrict the rights given to a login and/or a group.
For more information, see the section Dependencies between ACLs and Unix permissions. You will find setfacl command usage examples in the following two sections: Adding a specific user to an ACL and Adding a specific group to an ACL.
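The field rules above are easy to get wrong when the --set string is typed by hand. The following Python checker is an added example, not code from the Jean Zay documentation; it parses a --set specification according to the grammar given above and reports the rule violations (missing u::/g::/o::, named entries without a mask, a mask that reduces a named entry). The logins and groups used in it (login2, ccc) are made up.

```python
# Added example, not from the Jean Zay documentation: a checker that applies
# the field rules above to a setfacl --set specification before it is run.
# The logins and groups used in the checks (login2, ccc) are made up.
import re

RIGHTS = re.compile(r"^[r-][w-][x-]$")   # the [r|-][w|-][x|-] grammar above
TAGS = ("u", "g", "o", "m")


def parse_spec(spec):
    """Split 'u::rwx,u:login2:rwx,g::r-x,o::---,m::rwx' into
    (tag, qualifier, rights) triples; malformed entries raise ValueError."""
    entries = []
    for item in spec.split(","):
        parts = item.split(":")
        if len(parts) != 3 or parts[0] not in TAGS or not RIGHTS.match(parts[2]):
            raise ValueError(f"malformed ACL entry: {item!r}")
        tag, qualifier, rights = parts
        if tag in ("o", "m") and qualifier:
            raise ValueError(f"{tag}:: takes no login or group name: {item!r}")
        entries.append((tag, qualifier, rights))
    return entries


def check_spec(spec):
    """Return the rule violations found in a --set specification (an empty
    list means it follows the rules described above):
    - u::, g:: and o:: are mandatory;
    - named u:login: / g:group: entries require the mask field m::;
    - a mask weaker than rwx silently reduces the named entries."""
    entries = parse_spec(spec)
    problems = []
    unnamed = {tag for tag, qualifier, _ in entries if not qualifier}
    for tag in ("u", "g", "o"):
        if tag not in unnamed:
            problems.append(f"missing mandatory field {tag}::")
    named = [(t, q, r) for t, q, r in entries if q]
    mask = [r for t, q, r in entries if t == "m"]
    if named and not mask:
        problems.append("u:login:/g:group: entries present but the mask field m:: is missing")
    for t, q, r in named if mask else []:
        # effective rights = requested rights AND mask, as described above
        effective = "".join(c if c == m else "-" for c, m in zip(r, mask[0]))
        if effective != r:
            problems.append(f"{t}:{q}:{r} is reduced to {effective} by mask m::{mask[0]}")
    return problems


if __name__ == "__main__":
    for spec in ("u::rwx,u:login2:rwx,g::r-x,o::---,m::rwx",
                 "u::rwx,u:login2:rwx,g::r-x,o::---",
                 "u::rwx,g::r-x,g:ccc:r-x,o::---,m::---"):
        print(spec, "->", check_spec(spec) or "ok")
```

Run the checker on the exact string you intend to pass to --set; a non-empty result means the ACL would either be rejected by setfacl or not give the named login or group the rights you expect.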
Viewing the ACLs
The getfacl command provides a detailed display of the ACLs attached to a directory or a file (for more information, see man getfacl):
$ getfacl directory
Note: the -l option of the ls command displays the classic Unix permissions. You can also see whether ACLs are set, which is indicated by a + sign just after the Unix permissions.
$ ls -ld directory_with_acl directory_without_acl
drwxr-x---+ 2 login1 grp 8192 2014-03-29 11:00 directory_with_acl
drwxr-x---  2 login1 grp 8192 2014-03-29 11:00 directory_without_acl
$ ls -l file_with_acl file_without_acl
-rwx------+ 2 login1 grp 8192 2014-03-29 11:00 file_with_acl
-rwx------  2 login1 grp 8192 2014-03-29 11:00 file_without_acl
Adding a specific user to an ACL
If the login1 user wants to give read and write permissions to login2 for accessing DIR_login1, for example, login1 must use the setfacl command as follows:
[login1@hostname:~]$ cd $DIR_login1
[login1@hostname:~]$ setfacl --set=u::rwx,u:login2:rwx,g::r-x,o::---,m::rwx .
login1 can check the ACL rights by using the getfacl command:
[login1@hostname:~]$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
user:login2:rwx
group::r-x
mask::rwx
other::---
Comments:
- With the obligatory field u::rwx, the login1 owner has rwx permissions on DIR_login1. Be careful: without these permissions, DIR_login1 can no longer be accessed by the owner, since it is blocked by the ACL even if the Unix permissions are set.
- With the obligatory field g::r-x, users belonging to the owner's group (grp) have r-x rights: they can therefore go through the directory and see its contents, but they cannot write in it.
- With the obligatory field o::---, no other user has any rights on this directory.
- With the field u:login2:rwx specified, login1 adds rwx permissions for only the login2 user, who can therefore read and write in DIR_login1.
- Do not forget the mask field (m::rwx): if it is empty (m::---), the u:login2:rwx field will be inoperative.
IMPORTANT:
- You should not use the full path name of your HOME, as this would set the ACLs both on your HOME itself and on all the directories and files contained in it. Therefore, you must avoid the following type of command:
$ setfacl --set=u::rwx,u:login2:rwx,g::r-x,o::---,m::rwx /full/path/to/home
- An ACL on your HOME directory implying write permissions for another user makes the SSH key authentication mechanism inoperative (an SSH connection would then require the password). For the SSH keys to function, you must verify that you have the "maximum" Unix permissions on the HOME (no write permissions except for the owner), as shown below:
$ ls -ld ~
drwxr-xr-x+ 9 login grp 4096 Apr 13 09:42 /full/path/to/home
If needed, the procedure for making your SSH key operative again consists of first activating the ACLs and then changing the Unix permissions of your HOME by using the chmod 750 ~ command. This avoids giving write access to everyone:
$ cd $HOME
$ setfacl --set=u::rwx,u:login2:rwx,g::r-x,o::---,m::rwx .
$ chmod 750 ~
Adding a specific group to an ACL
If login1 wants to give specific permissions to the ccc group to access DIR_login1, for example, login1 needs to use the setfacl command as shown below:
[login1@hostname:~]$ cd $DIR_login1
[login1@hostname:~]$ setfacl --set=u::rwx,g::r-x,g:ccc:r-x,o::---,m::rwx .
Next, the ACL rights can be verified by using the getfacl command:
[login1@hostname:~]$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
group::r-x
group:ccc:r-x
mask::rwx
other::---
Comments:
- With the obligatory field u::rwx, the login1 owner has rwx rights on DIR_login1. Be careful: without these rights, the directory can no longer be accessed by the owner, since it is blocked by the ACL even if the Unix permissions are set.
- With the obligatory field g::r-x, the users belonging to the owner's group (grp) have r-x rights: they can therefore go through the directory and see its contents, but cannot write in it.
- With the obligatory field o::---, no other user has any rights on this directory.
- With the g:ccc:r-x field, login1 adds r-x permissions for the users belonging to the ccc group: the ccc members are then able to go through the directory and see its contents, but not write in it.
- Do not forget the mask field (m::rwx): if it is empty (m::---), the g:ccc:r-x field is inoperative.
IMPORTANT:
- You should not use the full path name of your HOME, as this would set the ACLs not only on your HOME itself but also on all the directories and files contained in it. Therefore, you must avoid the following type of command:
$ setfacl --set=u::rwx,g::r-x,g:ccc:r-x,o::---,m::rwx /full/path/to/home
- An ACL on your HOME directory implying write permissions for another user makes the SSH key authentication mechanism inoperative (an SSH connection would then require the password). For the SSH keys to function, you must verify that you have the "maximum" Unix permissions on the HOME (no write permissions except for the owner), as shown below:
$ ls -ld ~
drwxr-xr-x+ 9 login grp 4096 Apr 13 09:42 /full/path/to/home
If needed, the procedure for making your SSH key operative again consists of first activating the ACLs and then changing the Unix permissions of your HOME by using the chmod 750 ~ command. This avoids giving write access to everyone:
$ cd $HOME
$ setfacl --set=u::rwx,g::r-x,g:ccc:r-x,o::---,m::rwx .
$ chmod 750 ~
Updating ACLs
To modify an ACL, you can use the setfacl command with either:
- The --set=... option: the existing ACLs are overwritten. In this case, you must always specify the u::rwx, g::... and o::--- fields, and not forget the mask (m::rwx), to be sure that the ACLs set for the specified login(s) and/or group(s) are actually effective.
- The -m ... option: the existing ACLs are modified (but not overwritten).
In the following example, the ACLs are initially set on MY_DIR for the ccc Unix group via the --set=... option. This requires specifying each field:
$ cd $MY_DIR
$ setfacl --set=u::rwx,g::r-x,g:ccc:r-x,o::---,m::rwx .
$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
group::r-x
group:ccc:r-x
mask::rwx
other::---
This ACL can then be modified via the --set=... option, replacing the ccc group with the ddd group. However, this requires specifying each field again:
$ cd $MY_DIR
$ setfacl --set=u::rwx,g::r-x,g:ddd:r-x,o::---,m::rwx .
$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
group::r-x
group:ddd:r-x
mask::rwx
other::---
In the following case, the ACLs are modified via the -m option to add a second group (bbb). Here, the other fields do not need to be specified again:
$ cd $MY_DIR
$ setfacl -m g:bbb:r-x .
$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
group::r-x
group:bbb:r-x
group:ddd:r-x
mask::rwx
other::---
Deleting ACLs
To delete an ACL, you can use the setfacl command with the -b option:
$ cd $MY_DIR
$ ls -ld .
drwxr-x---+ 2 login1 grp 8192 2014-03-29 11:00 .
$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
group::r-x
group:ccc:r-x
mask::rwx
other::---
$ setfacl -b .
$ ls -ld .
drwxr-x--- 2 login1 grp 8192 2014-03-29 11:00 .
$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
group::r-x
other::---
Advice for using ACLs
We advise you to place an ACL only on the root directory of a shared tree in order to filter access, and then to set the Unix permissions of the files and sub-directories it contains by using the chmod command.
For example, the login1 account wants to share a file hierarchy contained in ROOT_TREE with the login3 account and the bbb Unix group:
[login1@hostname:~]$ cd ROOT_TREE
[login1@hostname:~]$ setfacl --set=u::rwx,u:login3:rwx,g::r-x,g:bbb:r-x,o::---,m::rwx .
[login1@hostname:~]$ ls -l .
drwxrwx---+ 0 login1 grp 4096 2014-03-30 11:46 .
-rwxr-xrwx  0 login1 grp 1001 2014-03-30 11:46 file1
drwxrwxrwx  0 login1 grp 4096 2014-03-30 11:46 SUB_DIR
[login1@hostname:~]$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
user:login3:rwx
group::r-x
group:bbb:r-x
mask::rwx
other::---
If we analyse these access rights, we can see that:
- The ACL gives login3 rwx access rights on the ROOT_TREE directory, and the Unix permissions (field: other) give rwx on file1. Therefore, login3 can access file1 contained in login1's ROOT_TREE. Note also that, because of the rwx ACL rights, login3 can create new files and directories in login1's ROOT_TREE. Furthermore, login3 can see and modify the contents of sub-directories (such as SUB_DIR) if authorised by the Unix permissions (field: other).
- The owner group (grp) has r-x rights on ROOT_TREE and r-x Unix permissions (field: group) on file1. As a result, the members of grp can go through ROOT_TREE and read file1, but not write in (or modify) it. They also cannot create anything directly in login1's ROOT_TREE (ACL r-x). They can, however, see and modify the contents of sub-directories (such as SUB_DIR) if authorised by the Unix permissions (field: group).
- Note that the bbb group has r-x rights on ROOT_TREE and rwx Unix permissions (field: other) on file1. Members of bbb can therefore go through ROOT_TREE and read or write in (including modify or overwrite) file1, which may not be the desired result. However, as with grp, they cannot create anything directly in login1's ROOT_TREE (ACL r-x). Nevertheless, they can see and modify the contents of sub-directories (such as SUB_DIR) if authorised by the Unix permissions (field: other).
- To prevent the bbb group from overwriting file1, you might think of removing the Unix write permission in the "other" field with the chmod 755 file1 command. However, this would also prevent login3 from modifying the file. Therefore, if you want to do this, you also have to set an ACL on file1:
$ setfacl --set=u::rwx,u:login3:rwx,g::r-x,g:bbb:r-x,o::---,m::rwx file1
$ getfacl file1
# file: file1
# owner: login1
# group: grp
user::rwx
user:login3:rwx
group::r-x
group:bbb:r-x
mask::rwx
other::---
Dependencies between ACLs and Unix permissions (for experienced users)
There are two types of access rights: the classic Unix permissions and the ACL rights. The setfacl command modifies the ACLs and also the Unix permissions. However, the chmod Unix command only modifies some ACL fields.
To understand this interdependence, it is necessary to explain the function of the mask field of an ACL (mask::...). The effective rights of the users concerned by the user:login:..., group::... and group:bbb:... fields can be restricted by the rights in the mask.
Effect of ACLs on Unix permissions
As an example, an ACL is set on the current directory (where you are) as indicated below:
$ setfacl --set=u::rwx,u:login3:rwx,g::rwx,g:bbb:rwx,o::---,m::r-x .
$ ls -ld .
drwxr-x---+ 0 login1 grp 4096 2014-03-30 16:28 .
$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx        # independent of the ACL mask
user:login3:rwx  # but r-x effective rights because of the ACL mask
group::rwx       # but r-x effective rights because of the ACL mask
group:bbb:rwx    # but r-x effective rights because of the ACL mask
mask::r-x        # ACL mask
other::---       # independent of the ACL mask
Comments about the ACL rights:
- The login3 user, the members of the owner group (grp) and those of the bbb group have r-x as their effective rights, and not rwx as hoped, because of the requested ACL mask (m::r-x). The setfacl command performs a bitwise logical AND between each requested ACL rights field (u:login3:rwx, g::rwx, g:bbb:rwx) and the requested ACL mask (m::r-x).
- However, the ACL mask does not apply when determining the user::rwx rights of the owner and the other::--- rights of users who are not concerned by the user:login3:rwx, group::rwx and group:bbb:rwx fields: here it is the ACL rights requested via setfacl which apply (u::rwx and o::---).
Comments about the Unix permissions:
- The login1 owner of the directory has rwx permissions, corresponding to the ACL user::rwx field.
- The owner group (grp) has r-x permissions, corresponding to the ACL mask::r-x, which defines the maximum rights of the users concerned by the user:login3:rwx, group::rwx and group:bbb:rwx fields.
- Users who do not belong to the preceding categories have no permissions (---), corresponding to the ACL other::--- field.
Effect of Unix permissions on ACLs
Inversely, to better understand the effect of the Unix chmod command on the current directory (where you are working), where access is supposed to be determined by the ACL, we start from the following situation:
$ setfacl --set=u::r-x,u:login3:rwx,g::---,g:bbb:r-x,o::---,m::--- .
$ ls -ld .
dr-x------+ 15 login1 grp 4096 2014-03-30 16:28 .
$ getfacl .
# file: .
# owner: login1
# group: grp
user::r-x        # independent of the ACL mask
user:login3:rwx  # but --- effective rights because of the ACL mask
group::---       # --- effective rights as requested via setfacl (g::---)
group:bbb:r-x    # but --- effective rights because of the ACL mask
mask::---        # ACL mask empty
other::---       # independent of the ACL mask
Comments:
- You can see that the effective rights are empty (because the ACL mask is empty): the login3 user and the bbb group therefore have no rights on the directory despite the requested ACL fields (u:login3:rwx and g:bbb:r-x).
- The Unix permissions indicated by the ls -ld . command confirm that only the owner can access the directory.
Next, we observe that the Unix chmod command modifies the ACLs according to the options used:
- chmod u+rwx modifies the ACL user::... field:
$ chmod u+w .
$ ls -ld .
drwx------+ 15 login1 grp 4096 2014-03-30 16:28 .
$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx        # independent of the ACL mask but modified by chmod u+...
user:login3:rwx  # but --- effective rights because of the ACL mask
group::---       # --- effective rights as initially requested via setfacl (g::---)
group:bbb:r-x    # but --- effective rights because of the ACL mask
mask::---        # ACL mask empty
other::---
- chmod g+rwx modifies the ACL mask::... field but not the ACL group::... field. However, as the mask influences the effective rights of the ACL group::..., group:bbb:r-x and user:login3:rwx fields, the login3 user and the bbb group obtain the rights initially requested for their respective fields with the initial setfacl command (u:login3:rwx and g:bbb:r-x):
$ chmod g+rwx .
$ ls -ld .
drwxrwx---+ 15 login1 grp 4096 2014-03-30 16:28 .
$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
user:login3:rwx  # and rwx effective rights because of the modified ACL mask
group::---       # not modified by chmod g+... !
group:bbb:r-x    # and r-x effective rights because of the modified ACL mask
mask::rwx        # ACL mask modified by chmod g+...
other::---
Comment: the rights of the ACL group::... field can only be modified by the setfacl command:
$ setfacl -m g::r-x .
$ ls -ld .
drwxrwx---+ 15 login1 grp 4096 2014-03-30 16:29 .
$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
user:login3:rwx
group::r-x       # only modifiable by setfacl !
group:bbb:r-x
mask::rwx
other::---
- The chmod o+rx command modifies the ACL other::... field:
$ chmod o+rx .
$ ls -ld .
drwxrwxr-x+ 15 login1 grp 4096 2014-03-30 16:29 .
$ getfacl .
# file: .
# owner: login1
# group: grp
user::rwx
user:login3:rwx
group::r-x
group:bbb:r-x
mask::rwx
other::r-x       # modified by chmod o+...
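The two sessions of this section (the effect of the mask on effective rights, and the way chmod u/g/o lands on the user::, mask:: and other:: fields) can be replayed with the following Python model. It is an added example, not code from the Jean Zay documentation: it parses the getfacl text format shown on this page, computes effective rights by ANDing entries with the mask, derives the nine mode characters ls -ld shows, and applies chmod the way the section describes it. The two SAMPLE_* texts are constructed from the sessions above; the rule that a symbolic g+/g- chmod edits the mask only when a mask exists (and group:: otherwise) is an assumption taken from this section, not a statement of the page. The chmod_octal helper also shows why the chmod 750 ~ step recommended for an ACL-bearing HOME caps the rights of the login named in that ACL.

```python
# Added example, not from the Jean Zay documentation: a model of how the ACL
# mask, the mode bits shown by ls and chmod interact.  It reads the getfacl
# output format shown on this page; both SAMPLE_* texts are constructed from
# the sessions above.

SAMPLE_MASKED = """# owner: login1
# group: grp
user::rwx
user:login3:rwx
group::rwx
group:bbb:rwx
mask::r-x
other::---"""

SAMPLE_EMPTY_MASK = """# owner: login1
# group: grp
user::r-x
user:login3:rwx
group::---
group:bbb:r-x
mask::---
other::---"""


def parse_getfacl(text):
    """getfacl output -> dict: unnamed entries (user/group/mask/other, mask may
    be None), named ones (users/groups) and the owner/owning_group header
    values.  Trailing '# ...' notes on entry lines are ignored."""
    acl = {"owner": None, "owning_group": None, "user": None, "group": None,
           "mask": None, "other": None, "users": {}, "groups": {}}
    for raw in text.splitlines():
        if raw.startswith("# owner:"):
            acl["owner"] = raw.split(":", 1)[1].strip()
        elif raw.startswith("# group:"):
            acl["owning_group"] = raw.split(":", 1)[1].strip()
        line = raw.split("#", 1)[0].strip()
        if line:
            tag, name, rights = line.split(":")
            if name:
                acl["users" if tag == "user" else "groups"][name] = rights
            else:
                acl[tag] = rights
    return acl


def _and(a, b):  # the mask operation: bitwise AND of two rwx strings
    return "".join(x if x == y else "-" for x, y in zip(a, b))


def _or(a, b):  # union of several matching group entries
    return "".join(x if x != "-" else y for x, y in zip(a, b))


def effective(acl, entry):
    """Rights an entry really grants: named users and all group entries are
    ANDed with the mask; user:: (owner) and other:: are never masked."""
    return entry if acl["mask"] is None else _and(entry, acl["mask"])


def rights_for(acl, user, groups=()):
    """POSIX ACL evaluation order: owner, named user, then every matching
    group entry (owning group or named group) combined, otherwise other::."""
    if user == acl["owner"]:
        return acl["user"]
    if user in acl["users"]:
        return effective(acl, acl["users"][user])
    group_entries = {acl["owning_group"]: acl["group"], **acl["groups"]}
    matches = [group_entries[g] for g in groups if g in group_entries]
    if not matches:
        return acl["other"]
    granted = "---"
    for entry in matches:
        granted = _or(granted, effective(acl, entry))
    return granted


def unix_mode(acl):
    """The nine mode characters ls -l shows: user:: for the owner, the mask
    (or group:: when there is no mask) for the group, other:: for others."""
    group_bits = acl["group"] if acl["mask"] is None else acl["mask"]
    return acl["user"] + group_bits + acl["other"]


def chmod(acl, who, op, perms):
    """Symbolic chmod, e.g. ('g', '+', 'rwx'), as this section describes it:
    u edits user::, o edits other::, g edits the mask when one exists
    (group:: itself can only be changed with setfacl)."""
    field = {"u": "user", "o": "other",
             "g": "group" if acl["mask"] is None else "mask"}[who]
    new = ""
    for cur, bit in zip(acl[field], "rwx"):
        if op == "=":
            new += bit if bit in perms else "-"
        else:
            new += (bit if op == "+" else "-") if bit in perms else cur
    acl[field] = new
    return acl


def chmod_octal(acl, mode):
    """Absolute chmod such as '750': on an ACL-bearing directory the group
    digit lands in the mask, so the rights of the logins named in the ACL
    are capped at the same time."""
    for who, digit in zip("ugo", mode):
        perms = "".join(b for b, v in zip("rwx", (4, 2, 1)) if int(digit) & v)
        chmod(acl, who, "=", perms)
    return acl
```

Feeding SAMPLE_EMPTY_MASK through chmod(acl, "u", "+", "w"), chmod(acl, "g", "+", "rwx") and chmod(acl, "o", "+", "rx") reproduces the four ls -ld mode strings of this section in order (r-x------, rwx------, rwxrwx---, rwxrwxr-x), with group:: staying at --- throughout; applying chmod_octal(acl, "750") to the HOME ACL of the earlier sections turns the rwxrwx--- that ls reports into rwxr-x--- and reduces login2 from rwx to r-x.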