File ACLs

Relatively recently, Linux has gained the concept of file and directory ACLs (access control lists). In contrast to the file attributes discussed previously, which control the behavior of the file itself (making it undeletable or immutable, for example), file ACLs are all about who can access the file and in what way. These ACLs mean that the sharing of files and directories with specifically named users can now be achieved, where previously a complex design of users and multiple groups was the only way to bring this about.

The particular application where this is of importance is Samba, and it means that the owner of a file who is accessing that file by Samba from a Windows client can set sharing on that file in the same way as if the file were on a Windows machine.

To use this ACL functionality, it is necessary that the partition on which the filesystem resides be mounted with the acl option. ACL functionality is now available regardless of which of the common filesystems you use (ext2, ext3, or reiserfs). To set ACLs on the command line, you use the command setfacl. getfacl reads the ACLs of a file.

If ACLs have been set, when you do an ls -l command, you will see this:

-rw-r--r--+ 1 tom users 81 2007-06-23 15:59 afile

Note the extra plus (+) symbol after the permissions string. This shows that ACLs have been set on this file, but to actually find out what they are, you will need the getfacl command described later in this section.

If tom wants to modify the ACL to allow tanya to write to the file, he does this:

[email protected]:~> setfacl -m u:tanya:w bfile

Here tom is modifying (-m) the ACL to allow the user (u) tanya to write (w) to the file. You can then get the ACL for the file like this:

[email protected]:~> getfacl bfile

# group: users
user::rw-
user:tanya:-w-
group::r--
mask::rw-
other::r--

contains more on Samba.

So the change was made. For each user, you see the permissions shown in the usual rwx (read, write, execute) format. The user tanya now has write permission.

To remove the ACL that was just set:

[email protected]:~> setfacl -x u:tanya bfile

Here the -x means remove, so tom is removing the ACL that the user (u) tanya had on the file.

[email protected]:~> getfacl bfile

# group: users
user::rw-
group::r--
mask::r--
other::r--

Here tanya's special write permission has gone away.
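The mask:: line in the getfacl listings above caps what named users and the group can actually do, so the rights printed for tanya are not necessarily her effective rights. The following added example (not from the original text) parses getfacl output and prints each entry's effective permissions; the function names are hypothetical and the second sample is constructed.

```shell
#!/bin/sh
# acl_effective: read getfacl output on stdin, print "entry effective-perms".
acl_effective() {
    awk -F: '
        # Skip header comments, blank lines and default (directory) entries.
        /^#/ || NF < 3 || $1 == "default" { next }
        {
            sub(/[ \t]*#.*/, "", $3)   # drop a trailing "#effective:" note
            tag[++n] = $1; who[n] = $2; perm[n] = $3
            if ($1 == "mask") mask = $3
        }
        END {
            for (i = 1; i <= n; i++) {
                eff = perm[i]
                # The mask caps named users and the group entries;
                # the file owner (user::) and other:: are never masked.
                capped = (tag[i] == "group" || (tag[i] == "user" && who[i] != ""))
                if (capped && mask != "") {
                    eff = ""
                    for (j = 1; j <= 3; j++) {
                        p = substr(perm[i], j, 1); m = substr(mask, j, 1)
                        eff = eff ((p != "-" && m != "-") ? p : "-")
                    }
                }
                if (tag[i] != "mask") print tag[i] ":" who[i], eff
            }
        }'
}

# The ACL entries shown on this page for bfile after setfacl -m u:tanya:w.
sample_page() {
    printf '%s\n' '# group: users' 'user::rw-' 'user:tanya:-w-' \
                  'group::r--' 'mask::rw-' 'other::r--'
}

# Constructed input: the same ACL with the mask narrowed to r-- (for example
# by chmod g-w bfile), which leaves the tanya entry in place but ineffective.
sample_narrowed() {
    sample_page | sed 's/^mask::rw-$/mask::r--/'
}

echo "mask rw-:"; sample_page | acl_effective
echo "mask r--:"; sample_narrowed | acl_effective
```

On a live system, pipe real output into the function with getfacl bfile | acl_effective.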

Finally, familiarity with the techniques and concepts introduced in this chapter, as well as the content of Chapter 2, is necessary for anyone who wants to be able to work comfortably with a Linux system and its files. Some of the commands have a bewildering variety of options, but practicing with the examples given here and building on them is the best way to increase your skill and gain understanding.

In this chapter we look at some of the more useful tools for working with your SUSE Linux system. First, we examine some of the tools that are available to you to deal with emergencies. If your system won't boot or is otherwise seriously damaged, SUSE's Rescue System and YaST System Repair, running from the installation media, can be very useful. We also look at different ways to deal with partitions and disk images and how to create CDs. We also give a (necessarily brief) introduction to shell scripting and scripting languages.

What all these sections have in common is that they all concern tools that give you more power over your system, and working with these tools will add to your understanding.

You should not be afraid to experiment, even with — indeed particularly with — the more scary and destructive examples given in this chapter. If you can, by all means set up a "sacrificial" system and play with the rescue and repair systems, with the partitioning tools, and so on. The knowledge that you gain may well be useful when (not if) things eventually go wrong.


Using the rescue and repair systems to recover from problems

Working with partitions and disk images

Burning CDs and DVDs

Using shell aliases

Automating with shell scripts and scripting languages
