Access control lists

From MEPIS Documentation Wiki

Jump to: navigation, search

By default, Linux uses a very simple file permissions system that allows you to set file permissions for the owner, group, and everyone else. This covers most situations, but if it isn't enough you can install and configure support for Access Control Lists.

With an Access Control List, you still have the default, user-group-everyone permissions, but you can also specify permissions per user or group apart from the owner and owning group. If you are familiar with permissions on Windows NT, 2000, XP pro, and Vista, this is the same basic concept.

Installing

Setting up ACL's is done per partition. If you have a separate root and home partition, you may want to set up ACL's only on the home partition. In this example, we'll pretend we have a home partition on sda3, using the ext3 file system.

  1. Make sure you have the "acl" package installed. It is not installed by default.
    apt-get install acl
  2. Now, as root, we need to open the /etc/fstab file. In our case, we need to change this line:
    /dev/sda3  /home  ext3  defaults  0  0
    to this:
    /dev/sda3 /home  ext3  defaults,acl  0 0
    In other words, we need to add ",acl" after the defaults keyword (with no space).
  3. Having done this, either reboot, or remount the partition with the command:
    mount /home -o remount
  4. Now, let's see if it worked:
    1. Open your home directory in konqueror.
    2. Right click on a file or folder and select "Properties"
    3. Go to the "Permissions" tab and click "Advanced".
    4. You should see a dialogue box like this:Acl-konqueror.png
  5. Now, you can add any number of groups or users and specify permissions for them on any file or folder in /home.

Examples of practical use

ACL permissions are mostly useful if you have more than two or three users on a system and you want to set up shared resources that only certain users can access.

For instance, suppose you have four users on a machine: Robert, Mary, Doug, and Rachel. You have a shared directory under home (/home/shared) with three subdirectories: ladiesOnly, menOnly, and namesStartWithR_only. You want to give only the women access to ladiesOnly, the men access to menOnly, and Robert and Rachel access to namesStartWithR_only. You don't want Rachel to have write access to anything, but everyone else gets full permissions.

In this case, make all folders owned by root:root with permissions of rwxrwx--- (770). Then add Mary and Rachel to the ACL of /home/shared/ladiesOnly and give Mary full permissions and Rachel read-only. Now add Robert and Doug to the ACL of /home/shared/menOnly and give full permissions. Finally add Robert and Rachel to the ACL of /home/shared/namesStartWithR_only, and give Robert full and Rachel read-only permissions.

Such a setup would be difficult if even possible with traditional Unix permissions. ACL's provide us a way to do such things.

Personal tools
In other languages