Using ACLs to Grant Permissions to More Than One Object

When a device is mounted, there is normally no provision for storing ACL information. Therefore, for every device on which you want to use ACLs, you must specify that ACLs are enabled for that device; only then can you set ACLs. If you want to use them, check in the configuration file /etc/fstab, which is used for the automatic mounting of all the file systems on your server, that ACL support is enabled. For instance, if ACL support for the device /dev/sda1 is enabled, you will find a line like the first line of Listing 6-3 in the /etc/fstab file. In this example, you can see that acl is specified as a mount option. By default, SUSE Linux Enterprise Server 10 enables ACLs for all devices on which they are supported.

Listing 6-3. Enabling ACL Support in /etc/fstab

/dev/sda1        /               reiserfs   acl,user_xattr
<swap-device>    swap            swap       defaults
proc             /proc           proc       defaults
sysfs            /sys            sysfs      noauto
usbfs            /proc/bus/usb   usbfs      noauto
devpts           /dev/pts        devpts     mode=0620,gid=5

If ACLs are enabled for a given device, you can use the setfacl command to set them. Using this command is not too hard; for example, you can run setfacl -m u:linda:rwx somefile to add user linda as a trustee who has rights on the file somefile. This command does not change file ownership; it just adds a second user to the ACL who also has rights to the file. The normal output of the ls -l command does not show all users who have rights by means of an ACL; however, ls puts a + sign behind the permission list of such a file. To get an overview of all the ACLs currently set on a given file, use the getfacl command. The following steps give you an opportunity to try how it works:

1. Make sure you are root, and then create a file somewhere in the file system. You can use the touch command to create an empty file; for example, use touch somefile to create a file.

2. Now use getfacl somefile to display the permissions that are set on this file. You will see an overview like the one in Listing 6-4, showing only the default permissions that are granted to the user, group, and others.

Listing 6-4. getfacl Displaying Normal User, Group, and Others Information

myserver:~# touch somefile
myserver:~# getfacl somefile
# file: somefile
# group: root
user::rw-
group::r--
other::r--

3. Now use the command setfacl -m g:account:rw somefile (you must have a group with the name account for this to work). The group is now added as a trustee to the file, which you can see when you run getfacl on the same file again, as shown in Listing 6-5.

Listing 6-5. getfacl After Adding Another Trustee

myserver:~# touch somefile
myserver:~# getfacl somefile
# file: somefile
# group: root
user::rw-
group::r--
group:account:rw-
mask::rw-
other::r--
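The mask entry that appears in Listing 6-5 is what trips people up when auditing ACLs: it caps the rights of named users, named groups and the owning group, so an entry can promise more than the trustee actually gets. As an added example that is not from the book, the following Python script parses getfacl output in the format shown above (the sample ACL is constructed, with an extra user:linda:rwx entry whose x bit the mask strips) and reports each trustee's effective rights after the mask is applied:

```python
import re

# Constructed sample getfacl output (not from the book): the ACL from
# Listing 6-5 plus a user:linda:rwx entry whose x bit the mask removes.
SAMPLE_GETFACL = """\
# file: somefile
# owner: root
# group: root
user::rw-
user:linda:rwx
group::r--
group:account:rw-
mask::rw-
other::r--
"""

# Real getfacl output appends "#effective:..." to entries cut by the mask.
ENTRY_RE = re.compile(
    r"^(user|group|mask|other):([^:]*):([rwx-]{3})(?:\s+#effective:[rwx-]{3})?$")


def parse_getfacl(text):
    """Return (filename, [(tag, qualifier, perms), ...]) from getfacl output."""
    filename, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or (line.startswith("#") and not line.startswith("# file:")):
            continue
        if line.startswith("# file:"):
            filename = line.split(":", 1)[1].strip()
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        entries.append(m.groups())
    return filename, entries


def effective_rights(entries):
    """Map each trustee to the rights it actually gets. The mask entry caps
    named users, named groups and the owning group; the owner (user::) and
    other:: are never masked."""
    mask = next((p for tag, _, p in entries if tag == "mask"), None)
    rights = {}
    for tag, qual, perms in entries:
        if tag == "mask":
            continue
        masked = tag == "group" or (tag == "user" and qual != "")
        if masked and mask is not None:
            perms = "".join(p if m != "-" else "-" for p, m in zip(perms, mask))
        rights[f"{tag}:{qual}" if qual else tag] = perms
    return rights
```

Run it against the output of getfacl on a real file to see which trustees the mask is silently limiting.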
