Alvaro Lopez Ortega    
Thursday October 13, 2005
Let's use ACLs
I have been working on some ACL stuff for a while. It has been interesting and I have learned many new things.

Now, I wonder why people do not use ACLs as much as they should. Most Linux distributions do not mount the file system with ACL support by default. You need to add the "acl" option to the fstab entry in order to enable it, or just remount the partition:

# mount -o remount,acl /

On the other hand, with UFS, the OpenSolaris filesystem, you can use ACLs from the start, which is really handy :-)

Let's see some examples of how to use ACLs (they work on both OpenSolaris and Linux):

- Create a test directory and read the ACLs

alo@ferrari:~/tmp$ mkdir test
alo@ferrari:~/tmp$ getfacl test 
# file: test
# owner: alo
# group: alo
user::rwx
group::r-x
other::r-x

- Set a directory default ACL

alo@ferrari:~/tmp$ setfacl -m d:u::rwx,d:g::r-x,d:o:---,d:m:rwx test 
alo@ferrari:~/tmp$ setfacl -m d:u:www-data:rwx test 
alo@ferrari:~/tmp$ getfacl test 
# file: test
# owner: alo
# group: alo
user::rwx
group::r-x  
mask:r-x
other:r-x
default:user::rwx
default:user:www-data:rwx
default:group::r-x
default:mask:rwx
default:other:---

Every file created inside the test directory inherits the default ACLs we set before:

alo@ferrari:~/tmp$ touch test/file
alo@ferrari:~/tmp$ getfacl test/file 
# file: test/file
# owner: alo
# group: alo
user::rw-
user:www-data:rwx 
group::r-x        
mask:rw-
other:---

- Set a single ACL entry for the user dummy

alo@ferrari:~/tmp$ setfacl -m u:dummy:r-- test/file

alo@ferrari:~/tmp$ getfacl test/file 
# file: test/file
# owner: alo
# group: alo
user::rw-
user:dummy:r--
user:www-data:rwx
group::r-x
mask::rwx
other::---
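
The mask entry in the listings above caps what named users and groups really get: in the test/file listing, www-data is granted rwx but the mask is rw-. The following Python sketch is an added example, not part of the original post, and goes slightly beyond the text by computing those effective permissions from getfacl output in both the `mask::rwx` and `mask:rw-` spellings seen above. The function names are hypothetical and SAMPLE is the test/file listing from the post.

```python
# Added example: parse getfacl output and apply the ACL mask.
# Function names are hypothetical; SAMPLE is the test/file listing from the post.

SAMPLE = """\
# file: test/file
# owner: alo
# group: alo
user::rw-
user:www-data:rwx
group::r-x
mask:rw-
other:---
"""


def parse_getfacl(text):
    """Return a list of (tag, qualifier, perms) for access ACL entries."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop headers and "#effective:" notes
        if not line or line.startswith("default:"):
            continue                           # default entries only affect new files
        parts = line.split(":")
        if len(parts) == 3:                    # user:name:rwx, user::rwx, mask::rwx
            tag, qualifier, perms = parts
        elif len(parts) == 2:                  # single-colon form: mask:rwx, other:rwx
            tag, qualifier, perms = parts[0], "", parts[1]
        else:
            raise ValueError("unrecognised ACL entry: %r" % line)
        entries.append((tag, qualifier, perms))
    return entries


def effective_permissions(text):
    """Map 'tag:qualifier' to the permissions that actually apply."""
    entries = parse_getfacl(text)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        # The mask caps named users, the owning group and named groups;
        # the file owner (user::) and other are never masked.
        masked = tag == "group" or (tag == "user" and qualifier)
        if masked and mask is not None:
            perms = "".join(p if m != "-" else "-" for p, m in zip(perms, mask))
        result["%s:%s" % (tag, qualifier)] = perms
    return result
```

Calling `effective_permissions(SAMPLE)` shows www-data ending up with rw- and the owning group with r--, which is a quick way to audit what a default ACL really hands out to new files.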

Oct 13 2005, 02:37:46 PM GMT+00:00

Comments:

But wouldn't it be wonderful if Nautilus would support ACL?

Posted by Qwerty on October 13, 2005 at 03:03 PM GMT+00:00 #

My guess is that no one uses ACL because none of the modern graphical environments provide an ACL editor. Managing ACLs from a shell is horrendous. CDE (awful that it may be) provides a wonderful ACL editor which really should be reimplemented in GNOME. For Nautilus the best thing that exists is a properties page extension called Eiciel. The only system I've seen including Eiciel is Ubuntu Linux (and probably Debian).

Posted by Augur on October 13, 2005 at 04:12 PM GMT+00:00 #

In addition to the lack of GUIs, I believe that people do not use ACLs because of 2 main reasons: 1) Distributions do not usually activate ACLs on filesystems 2) ACL documentation is a little obscure; it speaks about object attributes, etc. Clear documentation is the key to adoption, I think. What about having distributions use ACLs by default for system files? Several files in /etc and /var would benefit from being ACL'ed.

Posted by Sami Dalouche on January 15, 2006 at 10:28 PM GMT+00:00 #
