Access Control Lists (ACLs)
• Purpose
  • To grant other users permission to access/modify files and/or directories
  • To deny access to the files/directories to the rest of the world

To grant permission: setfacl
• Note: Must be logged into ub for setfacl to work.
• setfacl needs access to a password file to give access to a certain user.
• If logged onto CSdev machines, setfacl looks in the local password file and fails to find the user.

The setfacl command
• For granting a user read permission for a file, the entry looks like
  user:jtorgers:r--
• This only works if the mask entry allows it.
The mask entry
• Makes it easy to turn permissions on or off simultaneously for multiple users
• The effective permission is the AND of the user entry and the mask entry
• If the user entry is r-- and the mask is rw-, the effective permission is r--
• If the user entry is r-- and the mask is ---, the effective permission is --- (no permission)

Setfacl for directories
• Using setfacl to set permissions for a directory causes all files and directories in that directory to have the same permissions as that directory.

Viewing current permissions: getfacl
• getfacl filename
• shows:
  • owner of file
  • permissions for user, group, other
  • all users who have access
  • mask entry
  • effective permissions
  • default permissions
Permission for a file
ub.d.umn.edu14% setfacl -m u:jtorgers:r-- test2
• -m means modify
• Grants user jtorgers read permission for file test2

Current permissions for a file
ub.d.umn.edu3% getfacl test2
# file: test2
# owner: kvanhorn
# group: student
user::rw-
user:jtorgers:r--       #effective:---
group::---              #effective:---
mask:---
other:---
• Need to set the mask entry in order for the read permission to be effective

Mask entry for file permission
ub.d.umn.edu14% setfacl -m m:r-- test2
• Effective permission for jtorgers is now r--

File permissions
ub.d.umn.edu5% getfacl test2
# file: test2
# owner: kvanhorn
# group: student
user::rw-
user:jtorgers:r--       #effective:r--
group::---              #effective:---
mask:r--
other:---
Permissions for a directory
ub.d.umn.edu14% setfacl -m u:jtorgers:rwx test2dir
• Grants user jtorgers access to directory test2dir
• Since the mask is not set, the effective permissions will still be ---

Permissions for a directory
ub.d.umn.edu7% getfacl test2dir
# file: test2dir
# owner: kvanhorn
# group: student
user::rwx
user:jtorgers:rwx       #effective:---
group::---              #effective:---
mask:---
other:---

Mask entry for a directory
ub.d.umn.edu14% setfacl -m m:rwx test2dir
• Now jtorgers can access directory test2dir

Permissions for a directory
ub.d.umn.edu9% getfacl test2dir
# file: test2dir
# owner: kvanhorn
# group: student
user::rwx
user:jtorgers:rwx       #effective:rwx
group::---              #effective:---
mask:rwx
other:---
Setting defaults for a directory
ub.d.umn.edu10% setfacl -m d:u::rwx,d:g::---,d:o:---,d:m:rwx test2dir
• Sets defaults for all files and directories created in test2dir in the future
• All 4 defaults must be set here (user, group, other, mask)

Defaults for a directory
ub.d.umn.edu11% getfacl test2dir
# file: test2dir
# owner: kvanhorn
# group: student
user::rwx
user:jtorgers:rwx       #effective:rwx
group::---              #effective:---
mask:rwx
other:---
default:user::rwx
default:group::---
default:mask:rwx
default:other:---

Set permissions for another user
ub.d.umn.edu12% setfacl -m d:u:jtorgers:rwx test2dir
• jtorgers is now able to create files in the directory test2dir

Permissions for another user
ub.d.umn.edu13% getfacl test2dir
# file: test2dir
# owner: kvanhorn
# group: student
user::rwx
user:jtorgers:rwx       #effective:rwx
group::---              #effective:---
mask:rwx
other:---
default:user::rwx
default:user:jtorgers:rwx
default:group::---
default:mask:rwx
default:other:---

Accessing another user’s files
• jtorgers can log in, go to kvanhorn’s test2dir and create a file called “stuff”
• However, jtorgers must grant kvanhorn permission to access the file “stuff”:
ub.d.umn.edu14% setfacl -m u:kvanhorn:rw- stuff
• Note: the mask default was already set
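An added example (not part of these slides) that parses getfacl output like the listings above and recomputes what the slides annotate as "effective": the AND of a named-user or group entry with the mask entry, and what a file created under a directory's default entries would grant another user (the situation with "stuff" just described). The sample ACL text is constructed from the test2 slide, the helper names are mine, and a new file is assumed to keep the directory's group.

```python
# Added example: parse getfacl output and recompute effective permissions (entry AND mask).
from functools import reduce
BITS = {"r": 4, "w": 2, "x": 1}
def to_bits(p): return sum(v for c, v in BITS.items() if c in p)              # 'rw-' -> 6
def to_perm(b): return "".join(c if b & v else "-" for c, v in BITS.items())  # 6 -> 'rw-'

def parse_getfacl(text):
    """Owner, owning group and (tag, qualifier, perm) lists; '#effective:' notes are dropped."""
    acl = {"owner": None, "group": None, "access": [], "default": []}
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith(("# owner:", "# group:")):
            acl[line[2:7]] = line.split(":", 1)[1].strip()   # line[2:7] is 'owner' or 'group'
        entry = line.split("#", 1)[0].strip()                 # strip comments and annotations
        if not entry:
            continue
        where = "default" if entry.startswith("default:") else "access"
        parts = entry.removeprefix("default:").split(":")     # 'user:jtorgers:r--' or 'mask:r--'
        acl[where].append((parts[0], parts[1] if len(parts) == 3 else "", parts[-1]))
    return acl

def effective(entries, owner, owning_group, user, groups=()):
    """POSIX order: owner, named user (masked), matching group(s) (masked), other."""
    mask = next((to_bits(p) for t, _, p in entries if t == "mask"), 7)
    if user == owner:
        return to_perm(next(to_bits(p) for t, q, p in entries if t == "user" and q == ""))
    named = [to_bits(p) for t, q, p in entries if t == "user" and q == user]
    if named:
        return to_perm(named[0] & mask)
    hits = [to_bits(p) for t, q, p in entries
            if t == "group" and (q in groups or (q == "" and owning_group in groups))]
    if hits:
        return to_perm(reduce(int.__or__, hits) & mask)
    return to_perm(next(to_bits(p) for t, _, p in entries if t == "other"))

def access_for(getfacl_text, user, groups=(), created_by=None):
    """`user`'s effective permission on the object, or, if `created_by` is given, on a file
    that `created_by` makes in this directory (default entries; assumed to keep the group)."""
    acl = parse_getfacl(getfacl_text)
    if created_by:
        return effective(acl["default"], created_by, acl["group"], user, groups)
    return effective(acl["access"], acl["owner"], acl["group"], user, groups)

# Constructed sample: the "Current permissions for a file" slide, before the mask was set.
TEST2_BEFORE_MASK = """# owner: kvanhorn
# group: student
user::rw-
user:jtorgers:r-- #effective:---
group::--- #effective:---
mask:---
other:---"""
```

Setting the mask to r-- in the sample (as the slide does with setfacl -m m:r--) makes jtorgers's result change from --- to r--.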
Restoring permissions for a modified file
• If jtorgers uses emacs to modify and save her own file “stuff”, the ACLs of the new version will be different
• kvanhorn will not have access to “stuff”, but kvanhorn can still access the old version of “stuff”, which is now “stuff~”
• The ACLs of “stuff” can be restored by
ub.d.umn.edu14% getfacl stuff~ | setfacl -f - stuff

Changing the way files are saved
• Can redefine the way files are saved so a previous version “stuff~” isn’t created
• The ACLs for the newly modified version will remain the same as before
• Add the following lines to .emacs:
(fset 'my-save "\C-[0\C-[xsave-buffer\C-m")
(global-set-key "\C-x\C-s" 'my-save)

Avoiding the need for restoring files
• Divide the project tasks among team members so each person works on different files.
• Only share directories to make and run programs.

Avoiding concurrent writing to files
• In emacs, if a user tries to open a file currently being modified by someone else, emacs states that a process of the file is running somewhere else, then asks the user if they want to “steal” the file.
• Simple solution: don’t!!
• Better method for avoiding concurrent writing: RCS